Learn how to set up Multi-Tenancy with Optimize.
Possible Multi-Tenancy scenarios
As described in the Camunda BPM Platform documentation, there are two possible Multi-Tenant scenarios which are also supported by Optimize:
Single Process Engine With Tenant-Identifiers
Tenant-Identifiers available in the Camunda BPM Engine are automatically imported into Optimize and tenant-based access authorization is enforced based on the configured Tenant Authorizations within the Camunda Platform. This means there is no additional setup required for Optimize in order to support this Multi-Tenancy scenario.
Users granted tenant access via the Camunda BPM Platform will be able to create and see reports for that particular tenant in Optimize. In the following screenshot the user demo is granted access to data of the tenant with the id firstTenant and will be able to select that tenant in the report builder. Other users, without the particular firstTenant authorization, will not be able to select that tenant in the report builder nor be able to see results of reports that are based on that tenant.
One Process Engine Per Tenant
In a Multi-Engine scenario, where tenant-specific data is isolated by deploying to dedicated engines, there are no Tenant-Identifiers present in the engines themselves. For a single Optimize instance that is configured to import from each of those engines to support this scenario, a defaultTenant must be configured for each of those engines.
The effect of configuring a defaultTenant per engine is that this defaultTenant is added automatically to all data records imported from that engine where no engine-side Tenant-Identifier is present. Optimize users are authorized to those default tenants based on whether they are authorized to access the particular engine the data originates from. So in this scenario it is not necessary to configure any Tenant Authorizations in the Camunda BPM Platform itself.
The following environment-configuration.yaml configuration snippet illustrates the configuration of this defaultTenant on two different engines.
...
engines:
  "engineTenant1":
    name: engineTenant1
    defaultTenant:
      # the id used for this default tenant on persisted entities
      id: tenant1
      # the name used for this tenant when displayed in the UI
      name: First Tenant
    ...
  "engineTenant2":
    name: engineTenant2
    defaultTenant:
      # the id used for this default tenant on persisted entities
      id: tenant2
      # the name used for this tenant when displayed in the UI
      name: Second Tenant
    ...
Optimize users having an Optimize Application Authorization on both engines will be able to distinguish between data of both engines by selecting the corresponding tenant in the report builder.
Once a defaultTenant.id is configured and data has been imported, you cannot change it anymore without doing a full reimport, as any changes to the configuration cannot be applied to already imported data records.
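A pre-deployment check for the one-engine-per-tenant setup described above, as an added example that is not part of Optimize or the original page. It assumes the engines section has already been parsed into a dict; the `imported_ids` record, the `tenantId` field name and the rule that default tenant ids must be unique across engines are assumptions of this example.

```python
# Added example: lint for the "engines" section of environment-configuration.yaml.
# The dicts below are constructed sample data in the shape a YAML loader would return.

def lint_default_tenants(engines, imported_ids=None):
    """Return findings for the one-engine-per-tenant setup.

    engines: mapping of engine alias -> engine config.
    imported_ids: hypothetical record of alias -> defaultTenant.id that was
    active when data was first imported.
    """
    findings, seen = [], {}
    for alias, cfg in engines.items():
        tenant_id = ((cfg or {}).get("defaultTenant") or {}).get("id")
        if not tenant_id:
            # Untagged records from this engine cannot be separated by tenant.
            findings.append(f"{alias}: no defaultTenant.id configured")
            continue
        if tenant_id in seen:
            # Assumption of this lint: ids must differ so engines stay distinguishable.
            findings.append(f"{alias}: defaultTenant.id '{tenant_id}' already used by {seen[tenant_id]}")
        seen.setdefault(tenant_id, alias)
        old = (imported_ids or {}).get(alias)
        if old and old != tenant_id:
            findings.append(f"{alias}: defaultTenant.id changed from '{old}' to '{tenant_id}', full reimport required")
    return findings


def effective_tenant(record, engine_cfg):
    """Tenant id a record carries after import: engine-side id wins, else the default."""
    return record.get("tenantId") or engine_cfg["defaultTenant"]["id"]


GOOD = {
    "engineTenant1": {"name": "engineTenant1", "defaultTenant": {"id": "tenant1", "name": "First Tenant"}},
    "engineTenant2": {"name": "engineTenant2", "defaultTenant": {"id": "tenant2", "name": "Second Tenant"}},
}
BAD = {
    "engineTenant1": {"name": "engineTenant1", "defaultTenant": {"id": "tenant1"}},
    "engineTenant2": {"name": "engineTenant2", "defaultTenant": {"id": "tenant1"}},
    "engineTenant3": {"name": "engineTenant3"},
}

if __name__ == "__main__":
    for finding in lint_default_tenants(BAD, imported_ids={"engineTenant1": "tenantA"}):
        print(finding)
```
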