Skip to main content
Start a Conversation

This post is more than 5 years old

Solved!

Go to Solution

Uehara Y.

Community Manager

 • 

4.9K Posts

594

December 18th, 2014 23:00

Can a member (or members) of a tenant approver group approve multiple tenant users?

Hi,

My question is "Is it possible that a user becomes a tenant approver of multiple tenants and provides approvals to users in each tenant?"

What we'd like to do is as follows. In this example, can admin01 approve users in both Tenant A(dev-group-a) and Tenant B(dev-group-b)?

wanttobe.png

We've tested five patterns.

Test 1

All the users were in an AD domain. There were three groups. AD and ViPR settings were as follows. In this case, Both admin01 and admin02 never received request from any users in Tenant A(dev-group-a) and Tenant B(dev-group-b).

test1.png

Test 2

We added dev-group-a attribute to admin01. admin01 could approve users in Tenant A(dev-group-a) but admin02 never got any request from users.

test2.png

Test 3

We tried to put approver(admin01) into all the three groups. However, we could not make it with error:"User sds-admin01@xxxxx.com does not map to any tenancy" when adding the third group right to admin01.

test3.png

Test 4

We added admin-group into the Tenant B setting of ViPR. Both admin01 and admin02 could approve requests from Tenant B(dev-group-b) but never received any request from Tennant A(dev-group-a).

test4.png

Test 5

We tried to add admin-group into both Tenant A and Tenant B. However, we could not make it with redundant error.

test5.png

It seems a member (or members in a group) cannot approve multiple tenant users but users in "a" tenant. Is this as designed?

Brion2

154 Posts

December 22nd, 2014 08:00

Hi Uehara.  In a multi-tenant environment, a User Group or an individual User may only be a member of one tenant.  If a User exists in 2 different Groups and you add those Groups to different Tenants, then that User account will not be able to access ViPR.  You will see the error that you indicated.  "User sds-admin01@xxxxx.com does not map to any tenancy."

In the current security design, you will not be able to give a Tenant Approver to a User account that can approve orders across multiple Tenants.  You will need a User in each Tenant that has the Tenant Approver role.

I hope this helps.

-Brion

Uehara Y.

Community Manager

 • 

4.9K Posts

December 23rd, 2014 15:00

Hi Brion-san,

Thank you for your perfect answer! I understood the spec.

View More

View All

No Events found!

Top