Tenants and Realms
Tenants and realms are used by Connhex IAM to perform data segregation¹.
They become essential once your platform grows in complexity and size: this is why Connhex allows them to be added over time. If your use case is simple enough, you can start with a single-tenant/single-realm configuration, then expand only when necessary.
Tenants
Creating a tenant is a way of drawing boundaries around data: users can only access data associated with tenants they belong to. This segregation is applied at an infrastructural level: while it might be possible² for users inside the same tenant to share data (e.g. read data from the same devices, access the same resources, ...), they won't be able to do so across tenants.
This degree of segregation is what distinguishes grouping users in tenants from grouping them in teams. Teams simply represent a convenient way of grouping users: they can be cross-tenant, meaning you can add users belonging to different tenants to the same team.
Multi-tenant users
Users can belong to multiple tenants: your admin accounts, for example, usually belong to every tenant.
This feature is essential for managing complex distribution strategies. A typical use case is a product installed by certified technicians:
- every technician belongs to an installing company (tenant)
- a third-party buys your products, then leverages different installing companies to complete their setup
- the third-party users need to access data collected by every associated installing company (multi-tenant), otherwise they wouldn't be able to access their own devices
Teams of tenants
Like users, tenants can also be grouped into teams.
This comes in handy for clustering customers. Let's suppose you want to group customers by regional area, since EU customers will access different features from the rest of the world. You can do so by creating a separate tenant for each customer, then adding those tenants to Team Europe.
Can't I just group users to achieve the same effect?
You could, but you shouldn't. Each one of your customers will have multiple users: these can be added or removed over time, too. By grouping users through teams, you will need to update Team Europe every time any customer creates a new user.
Realms
Realms allow for an additional segregation level and are used to manage multiple applications. A typical IAM configuration:
- uses tenants to segregate customers
- uses realms to segregate applications. These applications typically map to different business units inside your organization.
Realms are useful once your platform needs to handle more than one user-facing application. Most Connhex users start with a single-realm configuration, then add realms over time.
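The rules described in the sections above (tenant-level data segregation, multi-tenant users, cross-tenant user teams that grant no extra access, teams of tenants used to switch features, and realms separating applications) can be made concrete with a small access-check model. The following is an added example and not Connhex code: the class names, the `can_access` rule, the assumption that every resource lives in exactly one tenant of one realm, and the installing-company sample data are all constructed for illustration.

```python
# Added example (not Connhex code): a minimal model of the segregation rules
# described above. Names, classes and the realm/tenant layout are assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Resource:
    """A piece of data (e.g. a device) that lives in one tenant of one realm."""
    name: str
    realm: str
    tenant: str


@dataclass(frozen=True)
class User:
    """A user logs in to one realm (application) and belongs to one or more tenants."""
    name: str
    realm: str
    tenants: frozenset


@dataclass
class Directory:
    """Holds the grouping constructs: teams of users and teams of tenants."""
    user_teams: dict = field(default_factory=dict)     # team name -> set of user names
    tenant_teams: dict = field(default_factory=dict)   # team name -> set of tenant names
    team_features: dict = field(default_factory=dict)  # tenant-team name -> set of features

    def can_access(self, user: User, res: Resource) -> bool:
        """Infrastructural rule: the realm must match and the user must belong
        to the resource's tenant. Team membership never widens this check."""
        if user.realm != res.realm:
            return False
        return res.tenant in user.tenants

    def visible(self, user: User, resources) -> list:
        """Names of the resources the user is allowed to see, sorted for stable output."""
        return sorted(r.name for r in resources if self.can_access(user, r))

    def features_for(self, user: User) -> set:
        """Features enabled for a user through the tenant-teams of the tenants they belong to."""
        enabled = set()
        for team, tenants in self.tenant_teams.items():
            if tenants & user.tenants:
                enabled |= self.team_features.get(team, set())
        return enabled


# --- Constructed sample data mirroring the installing-company scenario above ---
DEVICES = [
    Resource("boiler-1", realm="field-service", tenant="installer-a"),
    Resource("boiler-2", realm="field-service", tenant="installer-b"),
    Resource("ledger", realm="billing", tenant="installer-a"),  # a second application (realm)
]
TECH_A = User("tech-a", "field-service", frozenset({"installer-a"}))
TECH_B = User("tech-b", "field-service", frozenset({"installer-b"}))
# The third-party buyer belongs to both installing companies (multi-tenant user).
BUYER = User("buyer-ops", "field-service", frozenset({"installer-a", "installer-b"}))

DIRECTORY = Directory(
    # A cross-tenant user team: convenient grouping, no data access implied.
    user_teams={"rollout-chat": {"tech-a", "tech-b"}},
    # Tenants grouped by region, as with "Team Europe" above.
    tenant_teams={"Team Europe": {"installer-a"}},
    team_features={"Team Europe": {"eu-data-residency"}},
)

if __name__ == "__main__":
    for u in (TECH_A, TECH_B, BUYER):
        print(u.name, "sees", DIRECTORY.visible(u, DEVICES),
              "features", sorted(DIRECTORY.features_for(u)))
```

Running the script shows each technician seeing only their own company's device, the buyer seeing both, and nobody in the `field-service` realm seeing the billing ledger; `tech-a` and `tech-b` share a user team yet still cannot read each other's devices, while adding `installer-b` to `Team Europe` would enable the regional feature for every user of that tenant without touching any user list.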
Practical applications
OEMs
OEMs and white-labeling represent typical use cases for multi-tenancy.
You should segregate each OEM or white-label customer into a separate tenant: besides ensuring data separation, this allows for a painless migration if the OEM customer asks for a dedicated Connhex instance.
An example
Let's say Acme Inc., the world's most famous company, has two business units providing different services: these should be mapped to separate realms. Acme is a tenant in both realms, whereas OEMs and resellers have their dedicated tenants.
If Acme sells directly to customers, there's no need for additional tenants: resources and permissions will be handled at policy level. Otherwise, users can either be grouped or separated into tenants.