Post

AuthNull’s multi-tenant organization design

Posted Updated
Multi-tenant organization
Multi-tenant organization
By Asif Ali 3 min read

AuthNull’s privileged access platform provides for provisioning organizations with multi-tenant built in by design. What I multi-tenancy and why does it matter, and how is the platform organized? This blog provides the details:

What is an Tenant?

A tenant is an instance of AuthNull in which information regarding the tenant and its resources such as users, server endpoints, groups etc exist. The primary functions served by a tenant include identity authentication as well as resource access management.

Each tenant can have one or more admins., and directory users who access the resources within the organization. Each tenant can have other users who are provisioned with policy controls that enable them to access the privileged resources in that tenant

A Multi-tenant organization

A multi-tenant organization can contain one or more tenants, and can be supervised by one or more super admins who can then manage one or more tenants. A multi-tenant organization contain privileged organizational data and are securely isolated from other tenants. In addition, tenants can be configured to have data persisted and processed in a specific region or cloud, which enables organizations to use tenants as a mechanism to meet data residency and handling compliance requirements.

A multitenant organization is an organization that has more than one instance (tenant) and here are the reasons why an Organization tenant might have multiple sub tenants

Enterprises Organizations with multiple subsidiaries or business units that operate independently.

Multiple clouds Organizations that have compliance or regulatory needs to exist in multiple cloud environments.

Multiple geographical boundaries Organizations that operate in multiple geographic locations with various residency regulations.

Test or staging tenants Organizations that need multiple tenants for testing or staging purposes before deploying more broadly to primary tenants.

Department or employee-created tenants Organizations where departments or employees have created tenants for development, testing, or separate control.

MSSPs A multi-tenant organization can also be used by Managed Security Services Providers (MSSPs) to manage privileged access for their customers.

How is your data managed?

Multi-tenancy allows organizations to manage their own data with isolation that is logical (and sometimes physical). Typically each tenant is available in a separate database which can be physically separated if needed. Each organization’s data can be stored in a particular region to comply with the regions requirements.

Because of this, there cannot be shared admins between the tenant (each tenant will require you to create a separate admin in order to access it).

Each tenant is also managed with a separate URL and managed by an org level admins.

Organizations are isolated in a given region. Tenant databases are logically or physically isolated from other tenants in that given region.

Database features

The database (which is hosted on postgres) is managed using Kubernetes based cluster operator for Postgres. An operator allows us to run the database on K8s and provides several features including

  • The databases are highly available (HA),
  • Deliver high performance
  • Failover with minimum 3 nodes
  • Automated replication of data on 3 nodes for failover in each region and that it has block level backup and data replication configured (typically in another region) for Disaster recovery.

Data is always encrypted at REST and in transit.

More information on how data is managed and secured coming up in upcoming blogs.

general
engineering
This post is licensed under CC BY 4.0 by the author.