How to Implement Multi-Tenancy

This scenario describes how an administrator, as the CA SDM privileged user, implements multi-tenancy for the first time. From start to finish, the CA SDM implementation changes as follows:
  1. A single client uses a single implementation.
  2. Multiple independent clients (tenants) and their users share a single implementation. Each tenant experiences the implementation as solely for its own use.
As the administrator, you use the CA SDM Administration interface to perform these steps:
Step 1: Install and Enable Multi-Tenancy
You activate multi-tenancy by installing a multi-tenancy option in the product, and then enabling the setup mode. The setup mode specifies that multi-tenancy features are in effect for administrators. This mode allows the administrators to view and edit tenant-related objects and attributes. However, the product does not enforce tenancy restrictions, and the end users see no changes. This mode lets you prepare multi-tenancy by performing tasks such as defining tenants or assigning tenants to roles without impacting normal use of the product.
When multi-tenancy is in setup mode, web interface changes are active for the service provider administrators. This behavior lets you view and edit tenancy-related objects and data on the web interface. However, tenancy restrictions are not enforced, and users other than service provider administrators do not see any product interface changes. Therefore, you can continue to use the product while implementing multi-tenancy.
Create a backup of the Domain_Constraint and usp_role tables before you proceed with implementing multi-tenancy. If multi-tenancy fails, you can use the backup to restore the tables.
Follow these steps:
  1. Log in to CA SDM as an administrator and click the Administration tab.
  2. In the tree on the left, click Options Manager, Multi-Tenancy.
    The Option List page appears.
  3. Click multi_tenancy.
    The multi_tenancy Options Detail page appears.
  4. Click Edit.
    The Update Options page appears.
  5. Select setup from the Option Value drop-down list.
  6. Click Install.
    The multi_tenancy option is installed.
  7. Click Refresh.
    The page displays your changes.
  8. Close the window.
    The Option List page reappears.
  9. Restart services.
    Multi-tenancy is ready for you to implement in setup mode.
Step 2: Create the Service Provider Tenant
You use the product to create the service provider tenant. When you create the first tenant, the following occurs:
  1. The first tenant always becomes the service provider.
    You cannot change this designation -- on the Create Tenant page, the Service Provider check box and Record Status field are read-only.
  2. The product associates the privileged user (typically ServiceDesk on Windows, or srvcdesk on Linux/UNIX) to the service provider tenant. The product sets all system contacts (such as System_AHD_Generated) to belong to the new service provider tenant.
    Note:
    Windows provides an Administrator system user. The privileged user must assign a tenant to the Administrator user manually.
Follow these steps:
  1. Select Security and Role Management, Tenants on the Administration tab.
    The Security and Role Management, Tenants option is available only when multi-tenancy is installed and in either setup or on mode.
  2. Click Create New.
    The Create New Tenant page appears.
  3. Complete the following fields:
    • Name
      Displays the tenant name.
    • Service Provider
      Identifies that this tenant is the service provider.
    • Tenant Number
      (Information Only) Displays the tenant number. CA SDM does not use this option.
    • Record Status
      Sets the tenant to Active or Inactive.
    • Parent Tenant
      Specifies another tenant above this tenant, making this tenant a subtenant in a tenant hierarchy.
    • Subtenants Allowed
      Allows this tenant to have subtenants. The tenant cannot modify the setting.
    • Tenant Depth
      (Information Only) Indicates the tenant depth of this tenant.
    • Supertenant Group
      (Information Only) Identifies the system-maintained tenant group that contains this tenant and all tenants above it in the tenant hierarchy.
    • Subtenant Group
      (Information Only) Identifies the system-maintained tenant group that contains this tenant and all tenants below it in the tenant hierarchy.
    • Foreign Key Group
      (Information Only) Identifies the system-maintained tenant group that contains tenants that can be referenced from an SREL in data that belongs to this tenant. The foreign key group is the same as the supertenant group.
    • Related Tenant Group
      (Information Only) Identifies the system-maintained tenant group consisting of both the supertenant and subtenant groups for this tenant.
    • Terms of Usage
      Specifies the Terms of Usage statement for the tenant. For more information about creating a terms of usage statement, see Setting Up Terms of Usage.
    • Logo
      Specifies the URL for the tenant logo file, which can be any web image type.
    • Location
      Displays the Location lookup page, which lets you specify a location.
    • Contact
      Displays the Contact lookup page, which lets you specify a contact.
    If no contact is associated with the respective tenant, the Email Address and Pager Email Address fields are inactive.
  4. Click Save.
    The product creates the service provider tenant.
  5. Close the window.
  6. Right-click the Tenant list and click Refresh.
    The Tenant List is updated and displays the service provider tenant.
  7. Log out of CA SDM.
Step 3: Create Tenants
You use the product to create additional tenants. You can create as many tenants as required to manage multiple separate enterprises that provide support to clients.
Follow these steps:
  1. Log in to the Administrator interface as a member of the service provider. An easy way to do this is to log in as the privileged user (for example, ServiceDesk). This user automatically belongs to the service provider tenant.
  2. Select Security and Role Management, Tenants on the Administration tab.
    The Security and Role Management, Tenants option is available only when multi-tenancy is installed and in either setup or on mode.
  3. Click Create New.
    The Create New Tenant page appears.
  4. Complete the fields on this page. Some of the fields are self-explanatory. The following fields require explanation:
    • Service Provider
      Identifies whether a tenant is the service provider. The first created tenant is always the service provider; afterward, this check box is read-only.
    • Tenant Number
      (Information Only) Displays the tenant number. CA SDM does not use this option.
    • Subtenants Allowed
      Allows this tenant to have subtenants. The tenant cannot modify the setting.
    • Tenant Depth
      (Information Only) Indicates the tenant depth of this tenant.
    • Supertenant Group
      (Information Only) Identifies the system-maintained tenant group that contains this tenant and all tenants above it in the tenant hierarchy.
    • Subtenant Group
      (Information Only) Identifies the system-maintained tenant group that contains this tenant and all tenants below it in the tenant hierarchy.
    • Foreign Key Group
      (Information Only) Identifies the system-maintained tenant group that contains tenants that can be referenced from an SREL in data that belongs to this tenant. The foreign key group is the same as the supertenant group.
    • Related Tenant Group
      (Information Only) Identifies the system-maintained tenant group consisting of both the supertenant and subtenant groups for this tenant.
    • Terms of Usage
      Specifies the Terms of Usage statement for the tenant. For more information about creating a terms of usage statement, see Setting Up Terms of Usage.
    • Logo
      Specifies the URL for the tenant logo file, which can be any web image type.
    If no contact is associated with the respective tenant, the Email Address and Pager Email Address fields are inactive.
  5. Click Save and close the window.
    The product creates the tenant.
  6. (Optional) Click Tenant Groups to add this tenant to a new group or to an existing one.
Step 4: Assign Tenant Access for a Role
The role of a CA SDM user governs both access authorization and the user interface. The roles available to users depend on their access type. Multi-tenancy lets you control the tenant or tenant group that a user can access within the role. When multi-tenancy is installed, the Role Detail page includes additional options that let you assign or edit tenant access.
You can grant tenant users access to data other than their own. Non-service provider tenant analysts only have access to their own tenant and subtenants. However, you can update their function access to include the tenant of the analyst. For example, you can define a role to set separate read and write access to certain tenant groups for users within that role.
Follow these steps:
  1. Navigate to Security and Role Management, Role Management, Role List.
    The Role List appears.
  2. Click the role for which you want to assign tenant access.
    The Role Detail page appears and provides Tenant Access and Tenant Write Access drop-down lists on its Authorization tab. Tenant Access is view-only, and Tenant Write Access allows create and update also.
  3. Click Edit.
    The Update Role page appears.
  4. Select options for Tenant Access and Tenant Write Access:
    • Same As Tenant Access
      Sets the access to be the same as the Tenant Access setting. This value is the default for the Tenant Write Access drop-down list and is only available for the Tenant Write Access option.
    • All Tenants
      Removes tenant restrictions. A user in a role with this access can do the following:
      • View any object in the database (read access).
      • Create and update (write access) any tenanted object in the database.
      When a user with All Tenants access creates an object, the user must select the tenant of the new object.
    • Single Tenant
      Sets tenant access for a role to a named tenant. When you select this option, another field appears that lets you select a specific tenant. A user in this role can access only those objects associated with the named tenant.
    • Tenant Group
      Sets tenant access for a role to a user-defined or system-maintained tenant group. After you select this option, another field appears that lets you select a specific tenant group. A user in this role can access only those objects associated with one of the tenants in this group. When a user with tenant group access creates an object, the user must select the tenant for the new object.
    • Contact's Tenant
      Sets tenant access for the role to the tenant of the contact using it. A user in this role can access only those objects associated with their own tenant.
    • Contact's Tenant Group
      Sets role access for an analyst role to the tenant group that the analyst works with, as specified on the contact record for the analyst. If the user with the role is not an analyst, this selection has the same effect as Contact's Tenant. This option is only available for analysts.
    • Contact's Subtenant Group
      Sets tenant access for the role to the subtenant group of the contact using it. A user in this role can access only those objects associated with their own subtenant group.
    • Contact's Supertenant Group
      Sets tenant access for the role to the supertenant group of the contact using it. A user in this role can access only those objects associated with their own supertenant group.
    • Contact's Related Tenant Group
      Sets tenant access for the role to the Related Tenants Group of the contact using it. A user in this role can access only those objects associated with their own related-tenant group.
    • Update Public
      Controls whether a service provider user in the role has the authorization to create or update public data. All users can view public data, regardless of access rights for the current role. Tenant users (users belonging to a tenant other than the service provider) cannot update public data, regardless of their role.
  5. Click Save.
    Tenant access is assigned for the role. When a user queries the database, the product restricts the results to objects belonging to tenants associated with the role of the user.
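The following sketch is an added example, not CA SDM code: it models how the Tenant Access and Tenant Write Access options listed above resolve to sets of tenants for a given contact, which is useful when reviewing a role before switching to on mode. The sample hierarchy, the Role class, and all function names are assumptions made for illustration; Contact's Tenant Group and Update Public are left out, and the related group is computed as the union of the supertenant and subtenant groups, as the Related Tenant Group field describes.

```python
# Added illustration: a model of the role tenant-access options, not CA SDM code.
from dataclasses import dataclass

# Constructed sample hierarchy: tenant -> parent tenant (None = top level).
PARENT = {"Provider": None, "Acme": None, "Acme-EU": "Acme",
          "Acme-DE": "Acme-EU", "Globex": None}

def supertenants(t):
    """The tenant and every tenant above it in the hierarchy."""
    out = set()
    while t is not None:
        out.add(t)
        t = PARENT[t]
    return out

def subtenants(t):
    """The tenant and every tenant below it in the hierarchy."""
    return {c for c in PARENT if t in supertenants(c)}

def related(t):
    """Union of the supertenant and subtenant groups of the tenant."""
    return supertenants(t) | subtenants(t)

@dataclass
class Role:
    tenant_access: str                          # option label from the Role Detail page
    write_access: str = "Same As Tenant Access"
    target: object = None                       # tenant name, or set of names for a group
    write_target: object = None

def scope(option, target, contact_tenant):
    """Resolve one access option to the set of tenants it covers."""
    if option == "All Tenants":
        return set(PARENT)
    if option == "Single Tenant":
        return {target}
    if option == "Tenant Group":
        return set(target)
    by_contact = {"Contact's Tenant": lambda t: {t},
                  "Contact's Subtenant Group": subtenants,
                  "Contact's Supertenant Group": supertenants,
                  "Contact's Related Tenant Group": related}
    return by_contact[option](contact_tenant)

def effective_access(role, contact_tenant):
    """Return (readable, writable) tenant sets for a contact using the role."""
    read = scope(role.tenant_access, role.target, contact_tenant)
    if role.write_access == "Same As Tenant Access":
        return read, set(read)
    return read, scope(role.write_access, role.write_target, contact_tenant)

def writable_outside_hierarchy(role, contact_tenant):
    """Review helper: writable tenants outside the contact's own hierarchy."""
    return effective_access(role, contact_tenant)[1] - related(contact_tenant)
```

A non-empty result from `writable_outside_hierarchy` marks a role that lets a contact create or update data belonging to an unrelated tenant, which is worth confirming as intended.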
Step 5: Create Subtenants
Subtenancy lets you define and modify tenant hierarchies for organizational and data-sharing purposes. To place a tenant into a tenant hierarchy, you assign the tenant a parent tenant.
Follow these steps:
  1. On the Administration tab, select Security and Role Management, Tenants.
    The Tenant List appears.
    The Security and Role Management, Tenants option is available only when multi-tenancy is enabled.
  2. Click an existing tenant to Edit, or click Create New.
    The Tenant Detail page appears, which lets you enter any required data or changes.
  3. Select a Parent Tenant.
    The Parent Tenant drop-down list only displays tenants that are allowed to have subtenants.
  4. Click Save.
    The tenant is a subtenant of the parent tenant.
    Note:
    When a tenant is a subtenant, it belongs to the subtenant group of the parent tenant. The parent tenant joins the supertenant group of the subtenant. Each tenant joins the Related Tenants group of the other.
Step 6: Create Tenant Groups
A tenant group is a collection of tenants that share access to CA SDM objects. Tenant groups let you classify, manage, and control access to tenants. You can assign a role to a tenant or tenant group. When multi-tenancy is active, the product associates each role with: all tenants (public), a single tenant, or a single tenant group. Use tenant groups whenever a role needs access to more than one tenant. For example, you can assign analysts to a tenant group containing tenants belonging to a particular geographic location.
The product generates and maintains three tenant groups automatically for each tenant in a tenant hierarchy (tenant is the tenant name):
  • tenant_subtenants (tenant, its child tenants, and their lower subtenants)
  • tenant_supertenants (tenant, its parent tenant and its higher supertenants)
  • tenant_relatedtenants (entire single hierarchy)
You use the system-maintained tenant groups like user-defined tenant groups. However, you can only change the system-maintained tenant group names and descriptions.
Example: Role A Needs Access to Tenant A, Tenant B, and Tenant J
Instead of assigning the role to each tenant separately, you can do the following:
  1. Create a tenant group, and add Tenant A, Tenant B, and Tenant J to the group.
  2. Assign Role A to this tenant group.
    Users (contacts) assigned to Role A can access the tenant group, which is comprised of Tenants A, B, and J.
Follow these steps:
  1. Log in as the service provider, click the Administration tab, and select Security and Role Management.
  2. Click Tenant Groups.
    The Security and Role Management, Tenant Groups option is available only when multi-tenancy is installed (either on or setup).
  3. Click Create New.
    The Create New Tenant Group page appears.
  4. Complete the tenant group fields and click Save.
    The tenant group is created.
  5. Close the window.
    The Tenant Group List appears.
  6. Right-click the Tenant List and select Refresh.
    The Tenant Group List is updated.
  7. Click Update Tenants on the Tenant Group Detail page and add tenant members to the group.
  8. (Optional) Repeat Steps 3 through 6 for each tenant group you want to create.
Step 7: Change Multi-Tenancy to On Mode
You change the Multi-Tenancy option to on mode to make the multi-tenancy implementation fully functional. Each tenant then views the implementation as solely for its own use. A tenant cannot update or view the data of another tenant.
Follow these steps:
  1. Log in to CA SDM as an administrator, and click the Administration tab.
  2. In the tree on the left, click Options Manager, Multi-Tenancy.
    The Option List page appears.
  3. Click multi_tenancy.
    The multi_tenancy Options Detail page appears.
  4. Click Edit.
    The Update Options page appears.
  5. Select setup from the Option Value drop-down list.
  6. Click Edit.
    The Update Options page appears.
  7. Select on (the default) from the following values in the Option Value drop-down list:
    • on
      (Default) Disallows a check-in to a tenant-required table when the tenant is null and an SREL to a table with a tenant is not available.
    • on (warn)
      Writes an error to the log but allows the check-in to proceed when a tenant-required object with a null tenant is created or updated.
    • on (allow)
      Writes a warning to the log but allows the check-in to proceed when a tenant-required object with a null tenant is created or updated.
  8. Click Save, and then Refresh.
    The page displays your changes.
  9. Close the window.
    The Option List page reappears.
  10. Restart services.
    Multi-tenancy is fully functional.
Step 8: Review the Implementation and Correct
Review the multi-tenancy implementation and correct any problems.
Follow these steps:
  1. Log in to CA SDM using the privileged username (typically ServiceDesk).
  2. Click the Administration tab and browse to the Tenant List.
    The Provider shows as Yes for the privileged user in the Tenant Name.
  3. Verify that your multi-tenancy restrictions are enforced by browsing to a Contact List.
    If tenant-required tables incorrectly include untenanted data in a multi-tenancy system, the following message appears in the Contact List:
    AHD05358 There were nn untenanted active Contact objects at CA Service Desk Manager startup.
    If untenanted data is in the database, you can set the multi-tenancy option mode to on (warn) or on (allow). These modes let you update tenant-required tables with a null tenant. This method prevents data loss when a service level agreement (SLA) or attached event executes for a ticket that does not include a tenant.
  4. (Optional) Disable multi-tenancy if problems occur and complete the following steps:
    1. Restore the Domain_Constraint and usp_role tables.
    2. Set the Multi-Tenancy option to the setup mode.
    3. Recycle the system.
    The site can resume previous operations while you correct whatever issues required the reversion.