Multi-tenancy tenant admin

I am currently discovering the possibilities of multi tenant feature of camunda and I have come to few questions about it. I would like to use more tenants per single process engine multitenancy.

The question is can I restrict a tenant admin to only be able to grant some authorizations? Eg. If an user has an authorization authorization he can grant himself a tenant and tenant membership authorizations as well and become all tenant admin. This is something what I want to restrict. Is it possible to do this via a resource id like “DENY tenantMembership” or something?

Similar problem comes with user administration I would like to set tenant admin to be able to administer only the users which belong to his tenant. But I don’t want the tenant admin to be able to do anything about users of other tenants.

Is something like this possible? Or should I rather use the one process engine per tenant approach?

Thank you

Hi Adam,

currently, it is not possible to restrict the grant authorization for specific resources. So if a user / group is allowed to create authorizations then he can create an authorization for any resource.

You can reach this by creating one user permission for every user which belongs to the tenant of the tenant admin. Note that this only works if the tenant admin is not allowed to create authorizations.

Currently, your use case is not well covert by the process engine and you have to provide these additional logic by your own. The process engine only provides a way for members of the group camunda-admin to access all tenant data.

Best regards,

1 Like

Thank you for the reply. I will go the way of multiple process engines for now. But this might be a good place for possible future improvement.