Skip to content

Commit

Permalink
feat(accounts): Add multi-tenancy docs
Browse files Browse the repository at this point in the history 
Accounts: Add multi-tenancy docs
  • Loading branch information
@ally-sassman
ally-sassman authored Sep 5, 2024
2 parents 0d919f8 + 4bd4638 commit edae71c
Show file tree
Hide file tree
Showing 9 changed files with 744 additions and 0 deletions.
257 changes: 257 additions & 0 deletions ...s/accounts-billing/account-structure/multi-tenancy/delegated-administration.mdx
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,257 @@
---
title: "Step 2: Manage users and access"
metaDescription: "Use the delegated administration options in multi-tenancy to manage user access in other organizations"
freshnessValidatedDate: 2024-09-05
---

When setting up multi-tenancy, you can use delegated administration to make user or access management changes within other managed organizations. In the case of managed service providers, delegated administration allows you to manage users and access on behalf of your end customers.

## Requirements [#requirements]

As a reminder, to use the multi-tenancy feature, make sure you've completed the following for your organization:

1. Get Approval: Contact your account representative to confirm your organization has been added to multi-tenancy. Once approved, you receive the multi-tenant entitlement.
2. Make sure you have correct user types: Users within the managing org that will leverage the above feature set need to be provisioned as either a core or full platform users.
3. Add users to appropriate group: Users with the core or full platform user type need to be added to a group with `tenant_settings` applied.



## What can you call in NerdGraph? [#user-calls]

Once you confirm that you meet the requirements for multi-tenancy, you can call our NerdGraph queries and mutations for managing users in managed organizations.

You'll be able to query all `customerAdministration` fields and execute a variety of mutations:


<CollapserGroup>
<Collapser
id="grant-access-to-group"
title="Grant access to user group"
>
Use this mutation to grant access to a group. To find the `roleID`, see [List roles](#list-roles).

```graphql
mutation {
authorizationManagementGrantAccess(
grantAccessOptions: {
groupId: "11111111-1111-1111-1111-111111111111"
accountAccessGrants: {
accountId: YOUR_ACCOUNT_ID
roleId: "YOUR_ROLE_ID"
}
}
) {
roles {
displayName
accountId
}
}
}
```
</Collapser>
<Collapser
id="revoke-access-to-group"
title="Revoke access to user group"
>
```graphql
mutation {
authorizationManagementRevokeAccess(
revokeAccessOptions: {
accountAccessGrants: {
accountId: YOUR_ACCOUNT_ID
roleId: "YOUR_ROLE_ID"
}
groupId: "YOUR_GROUP_ID"
}
) {
roles {
accountId
displayName
}
}
}
```
</Collapser>
<Collapser
id="create-user-group"
title="Create user group"
>

```graphql
mutation {
userManagementCreateGroup(
createGroupOptions: {
authenticationDomainId: "YOUR_AUTH_DOMAIN_ID"
displayName: "GROUP_DISPLAY_NAME"
}
) {
group {
displayName
id
}
}
}


```
</Collapser>
<Collapser
id="delete-user-group"
title="Delete user group"
>
```graphql
mutation {
userManagementDeleteGroup(groupOptions: {id: "GROUP_ID_HERE"}) {
group {
displayName
id
}
}
}
```
</Collapser>
<Collapser
id="add-user-to-group"
title="Add user to a group"
>
```graphql
mutation {
userManagementAddUsersToGroups(addUsersToGroupsOptions: {groupIds: ["II"], userIds: ["3"]}) {
groups {
id
displayName
users {
totalCount
}
}
}
}
```

</Collapser>
<Collapser
id="remove-user-from-group"
title="Remove user from a group"
>

```graphql
mutation {
userManagementRemoveUsersFromGroups(
removeUsersFromGroupsOptions: {
groupIds: [YOUR_GROUP_IDS]
userIds: [YOUR_USER_IDS]
}
) {
groups {
displayName
id
}
}
}

```
</Collapser>
<Collapser
id="modify-group-name"
title="Modify group name"
>
```graphql
mutation {
userManagementUpdateGroup(
updateGroupOptions: {
id: "YOUR_GROUP_ID"
displayName: "NEW_GROUP_DISPLAY_NAME"
}
) {
group {
displayName
id
}
}
}
```
</Collapser>
<Collapser
id="Create new user"
title="Create new user"
>
Use this mutation to create a new user. To find the `authenticationDomainId`, see
[Query authentication domains](#query-domains).

```graphql
mutation {
userManagementCreateUser(
createUserOptions: {
authenticationDomainId: "B"
email: "[email protected]"
name: "A B C"
}
) {
createdUser {
id
email
name
}
}
}
```
</Collapser>
<Collapser
id="delete-user"
title="Delete user"
>
```graphql
mutation {
userManagementDeleteUser(deleteUserOptions: {id: "ID_OF_YOUR_USER"}) {
deletedUser {
id
}
}
}

```
</Collapser>
<Collapser
id="query-domains"
title="Query authentication domains"
>
```graphql
{
customerAdministration {
authenticationDomains(filter: {organizationId: {eq: "Y"}}) {
items {
id
name
provisioningType
authenticationType
}
}
}
}
```
</Collapser>
<Collapser
id="list-roles"
title="List roles"
>
```graphql
{
customerAdministration {
roles(filter: {organizationId: {eq: "ANY_ORG_ID"}}) {
items {
id
name
scope
type
}
}
}
}
```
</Collapser>
</CollapserGroup>

<UserJourneyControls
previousStep={{path: "/docs/accounts/accounts-billing/account-structure/multi-tenancy/org-creation", title: "Step 1", body: "Create accounts and organizations"}}
nextStep={{path: "/docs/accounts/accounts-billing/account-structure/multi-tenancy/share-accounts", title: "Step 3", body: "Share accounts (optional)"}}
/>
112 changes: 112 additions & 0 deletions ...nts/accounts-billing/account-structure/multi-tenancy/intro-to-multi-tenancy.mdx
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,112 @@
---
title: "Introduction to multi-tenancy"
metaDescription: "The multi-tenancy feature helps you manage multiple organizations and accounts"
freshnessValidatedDate: 2024-09-05
---

If your company is composed of more than one business unit, you can use multi-tenancy to model your company structure in New Relic. This feature allows you to set up multiple tenants (organizations) related to a primary, managing organization.

This structure prevents the leakage of personally identifiable information (PII) and sets secure data boundaries between business units or end customers. You'll benefit from these boundaries whether you have a large enterprise company with multiple, independent business units or a managed service provider (MSP) overseeing customer environments.

<img
style={{ maxWidth: '75%' }}
title="Diagram showing the primary org with two related orgs"
alt="Diagram showing the primary org with two related orgs"
src="/images/accounts_diagram_multi-tenancy-overview.webp"
/>
<figcaption>
This diagram is a simplified example of an enterprise company with two subsidiaries.
</figcaption>

When you set up your company in a multi-tenant environment, your managing organization can take advantage of these benefits:

* Consolidated billing: View aggregate billing details across your managed organizations.
* Managed organization creation: Allows select users within the managing organization to create additional managed organizations. This is useful for MSPs who are onboarding customers or enterprise customers who are acquiring/developing new business units.
* Account sharing: Allows select users within the managing organization to share an account to a managed organization. This is used mostly for collaborative use cases, such as managed services providers (MSPs) providing direct end customer access to the accounts they're monitoring.
* Delegated administration: Allows select users within the managing organization to conduct user and access management administration within managed organizations. This feature is commonly used by MSPs who want to do all the administrative work for their managed customers.


## Requirements [#requirements]

To use multi-tenancy, you need to complete the following for your organization:

1. Get approval: Contact your account representative to confirm your organization has been added to multi-tenancy. Once approved, you receive the multi-tenant entitlement.
2. Make sure you have correct user types: Users within the managing org that will leverage the above feature set need to be provisioned as either a core or full platform users.
3. Add users to a designated group: Users with the core or full platform user type need to be added to a group with `tenant_settings` applied.


## Overview of multi-tenancy approaches [#approaches]

You can set up multi-tenancy in a couple of ways: high touch and low-touch. The approach you choose depends on how much control you want your managing organization to have over the managed organizations. You are not limited to a single approach&mdash;you can combine the high-touch and low-touch options.

### High touch [#high-touch]

Use this approach if you are a managed services provider (MSP) or an enterprise customer who wants a high degree of control over the managed organizations. This approach is mostly used by MSPs who monitor customer data as it flows through customer accounts. MSPs can offer different degrees of high-touch experiences, depending on what their customers need.

**Example**: Let's say you are an administrator in Betty's MSP that's set as a managing organization. You have two customers, Wayne Enterprises and Acme Widgets, who want you to monitor their data for them. They don't want to handle any administrative tasks and don't need direct access to New Relic. To set this up, you create accounts in Betty's MSP that correspond to Wayne Enterprises and Acme Widgets, and you monitor their telemetry in these accounts for them:

<img
style={{ maxWidth: '75%' }}
title="Diagram showing a managing org monitoring customer accounts"
alt="Diagram showing a managing org monitoring customer accounts"
src="/images/accounts_diagram_high-touch-no-view.webp"
/>

Later, users at Wayne Enterprises and Acme Widgets decide they want a more hands-on understanding of what's happening in the accounts you're monitoring for them. To solve this, you create organizations for Wayne Enterprises and Acme Widgets. You then share the accounts from Betty's MSP to their new corresponding organizations. Finally, you provision users in their respective organizations so they can see their data:

<img
style={{ maxWidth: '75%' }}
title="Diagram showing a high-touch structure"
alt="Diagram showing a high-touch structure"
src="/images/accounts_diagram_high-touch-overview.webp"
/>

To create a structure like the one in the diagram above where Wayne Enterprises and Acme want to see their data, you'll make a series of NerdGraph API calls. You can use the steps below as a recipe for modeling your high-touch organization structure:

1. [Create accounts and organizations](/docs/accounts/accounts-billing/account-structure/multi-tenancy/org-creation): As an administrator in Betty's MSP, execute a few mutations to create accounts and organizations.
* Create accounts for Wayne Enterprises and Acme Widgets in Betty's MSP organization by running the `accountManagementCreateAccount` mutation (you'll eventually share these accounts with their corresponding organizations).
* Create the organizations Wayne Enterprises and Acme Widgets by running the `createOrganization` mutation, making sure to pass in the accounts you wanted to share from Betty's MSP:
* As a byproduct of the organization creation calls, Wayne Enterprises and Acme Widgets will have their own default groups and roles created. (If you need more details about groups and roles, see our public docs site.)
* Since you specified the accounts to share, the Wayne Enterprises account is shared with the new Wayne Enterprises organization. Also, the Acme Widgets account is shared with the new Acme Widgets organization.
* We automatically set up access grants from the default groups against the shared accounts as part of the organization creation process.
2. [Manage users and access](/docs/accounts/accounts-billing/account-structure/multi-tenancy/delegated-administration): Execute the `userManagementAddUsersToGroups` mutation to provision users into the default groups of Wayne Enterprises and Acme Widgets.
3. [Account sharing](/docs/accounts/accounts-billing/account-structure/multi-tenancy/share-accounts): Later, if you decide to make account sharing changes, use these mutations to revoke or add new shared accounts.

<Callout variant="tip">
Once this structure is complete and the managed organizations start using the New Relic platform, aggregate usage is visible to you in Betty's MSP for consolidated billing.
</Callout>

When you're ready to create your first high-touch organizations, go to [Step 1: Create accounts and organizations](/docs/accounts/accounts-billing/account-structure/multi-tenancy/org-creation).

## Low touch [#low-touch]

If you're in an enterprise organization that has subsidiaries that run independently with little oversight, this is a good approach to model your organization in New Relic. With this structure, administrators in each organization handle their managed organizations' user and access management. Note that you will still have consolidated billing as part of your multi-tenant environment.

**Example**: Let's say you are an administrator in Clothing Holding Company that is set as the managing organization and want to set up two subsidiaries (Martha's Shoes and Rick's Outerwear). You create the two managed organizations which then allows the administrators of Martha's Shoes and Rick's Outerwear to independently manage their own accounts, groups, and users:

<img
style={{ maxWidth: '75%' }}
title="Diagram showing a low-touch structure"
alt="Diagram showing a low-touch structure"
src="/images/accounts_diagram_low-touch-overview.webp"
/>

To create a structure like the one in the diagram above, you'll make a series of NerdGraph API calls. You can use the example below as a recipe for modeling your low-touch organization structure.

1. [Create accounts and organizations](/docs/accounts/accounts-billing/account-structure/multi-tenancy/org-creation): As an administrator of Clothing Holding Company, create the organizations and accounts for Martha's Shoes and Rick's Outerwear by running the `createOrganization` mutation.
* As a byproduct of the organization creation calls, Martha's Shoes and Rick's Outerwear will have their own default groups and roles created.
* As part of the organization creation process, Clothing Holding Company sets up the initial account for both managed organizations.
2. [Manage users and access](/docs/accounts/accounts-billing/account-structure/multi-tenancy/delegated-administration): Execute some mutations to provision the first admin users.
* This provisions users into the managed organization's `admin` group.
* Since this group has organization management settings enabled, users in this group can conduct user and account management themselves.

When you're ready to create your first low-touch organizations, go to [Step 1: Create accounts and organizations](/docs/accounts/accounts-billing/account-structure/multi-tenancy/org-creation).

## What's next? [#what-next]

If you haven't yet followed the links to the other docs listed in the recipes above, here's a bird's eye view of what you'll be doing to set up your organizations. Use these links to move sequentially between the steps.
<DocTiles>
<DocTile title='Step 1' path="/docs/accounts/accounts-billing/account-structure/multi-tenancy/org-creation">Create accounts and organizations</DocTile>
<DocTile title='Step 2' path="/docs/accounts/accounts-billing/account-structure/multi-tenancy/delegated-administration">Manage users and access</DocTile>
<DocTile title='Step 3' path="/docs/accounts/accounts-billing/account-structure/multi-tenancy/share-accounts">Share accounts (optional)</DocTile>
</DocTiles>
Loading

0 comments on commit edae71c

Please sign in to comment.