Guides
Log In
Guides

Configuring Sub-Tenants

Suggest Edits

To configure sub-tenants, do the following:

Create an API Key on the Sub-Tenant

  1. Log in to the sub-tenant application portal and click console.

  1. Navigate to the Identities > API Keys page and click New.

  2. Enter a name for the key and click Save.

  3. Copy the Key-ID, Secret key, and Authorization header and store them. The keys will not be visible once this window is closed.

Set a Super Admin Role for the API Key

  1. Go to the Roles -> Admin page.

  2. Click the Edit icon alongside the Super Admin role.

  1. Assign the Super Admin role to the new API key.
  2. Save your changes.

Configure a Sub-Tenant on the Parent Tenant

  1. Log in to the parent tenant admin portal and click the console icon.
  1. Navigate to the Vaults > Secrets page and click New.
  1. Enter a name for the secret in the Secret Name field.
  2. Set Secret type to API Key.
  1. In the Settings section, enter the KEY ID and Secret Key that you saved.
  2. Click Save.
  1. Optionally, under Labels, you can either create a new label or select an existing one.

Create a Sub-Tenant

  1. Navigate to the Integrations > Sub Tenants page and click New.
  1. Enter a unique name for the sub-tenant in the Setting > Name field.
  2. Click the API Key drop-down menu and select the API key stored in the vault for the sub-tenant.
  3. In the Domain name field, enter the domain name of the sub-tenant.
  1. Select the users or groups you want to grant access to applications on your sub-tenant.
  2. You can also assign admin privileges to selected users for the sub-tenant.
  3. Click Save to save the configuration.

Verify the Sub-Tenant Configuration

After configuration, you will see the sub-tenant page displaying the following information:

To verify the successful integration of the sub-tenant, check for the following:

  • On the parent tenant, a new Cyolo group is created and the selected users are assigned to it.
  • On the parent tenant, a SaaS application is created and the new Cyolo group and selected groups are assigned to it.
  • On the sub-tenant, an external IdP is created along with the dynamic groups, and an admin role is assigned to these groups.

Naming Conventions

  • SaaS Application: The name format is "Ext IdP of [sub-tenant domain name] [6-digit random number]".
  • IdP Integration on Sub-tenant: The name format is "Sub-tenant of [parent tenant's domain name] [6-digit random number]".
  • Administrators Group on Parent Tenant: The name format is "Admins for [sub-tenant domain name]".
  • Dynamic Groups on Sub-tenant: The name format is "Exported groups [group name selected on the parent tenant]".

Updated 3 days ago