Tenants, Applications and Accounts
Akkess IAM management is organised around three main entities: accounts, applications and tenants. These concepts are used to manage the configuration of the system.
An IAM administrator can be given access to each entity.
Account
The Akkess IAM system is managed via an Akkess IAM Account. The account contains everything needed to manage Akkess. You can have one or many accounts.
You typically manage your account via the Akkess IAM Console.
Application
An application is a central concept in Akkess IAM. It is mainly used to track the core configuration that an application needs in order to function, together with its supporting features. Each application may have a number of tenants associated with it, and they all share the application configuration.
Characteristics:
- Keeps application-wide configuration for supported IdPs, roles, services and firewall rules
- Usually represents one portal or application for the customer
- Can be used for staged rollout of new configurations, for example:
  application-1-production
  application-1-development
Application status
The application status defines which actions are possible on the application.
The status can be changed by an administrator.
Values:
Value | Description |
---|---|
ACTIVE | The initial status and allows for tenants to be created and tokens to be issued for said tenants. |
ARCHIVED | The application and its tenants are marked as archived and it is no longer possible to issue any tokens. Any data stored on any tenant is still retained. |
DECOMMISSIONED | The application is decommissioned and it is no longer possible to issue any tokens. Services that hold any data for its respective tenants may begin to purge related data. |
Tenant
A tenant is a logically separated unit. Each tenant has a globally unique Id. The Id is referenced in the token and can be used to separate data owned by one tenant from data owned by another.
NOTE 1 An IAM Tenant in an Akkess account is just a logical entity that makes it possible to manage its configuration. Managing a tenant's IAM configuration requires an Akkess IAM Account token. When you start adding actual users to your own application, you do that with an IAM Token issued for your tenant. That is not the same as the IAM Account token.
NOTE 2 With the Akkess IAM Account token you cannot access data such as actors and nodes that your application has added to a tenant. For that you need to issue an IAM token for the wanted tenant.
The application is the logical entity that holds the configuration shared by its tenants. Actors and nodes are associated with the tenant they belong to. Two tenants cannot share data, and an IAM token can only access one tenant.
Characteristics:
- Every issued token is bound to one tenant
- Logical separation of data for actors, nodes and other entities
- Can be used for multi-tenancy where each tenant has its own data but shares the application configuration, for example:
  customer-1
  customer-2
Tenant status
The tenant status defines which actions are possible on the tenant.
The status can be changed by an administrator.
Values:
Value | Description |
---|---|
ACTIVE | The initial status; tokens can be issued for the tenant. |
INACTIVE | The tenant is inactive and it is no longer possible to issue any tokens. Can be used to temporarily lock a tenant. |
ARCHIVED | The tenant is archived and it is no longer possible to issue any tokens. Any data that belongs to the tenant is still retained. |
DECOMMISSIONED | The tenant is decommissioned and it is no longer possible to issue any tokens. Services that hold any data for said tenant may begin to purge related data. |
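The rules in this section (tokens are issued only while both the application and the tenant are ACTIVE, every IAM token is bound to exactly one tenant, and an IAM Account token cannot read tenant data, see NOTE 1 and NOTE 2) are summarised below as an added example. It is not Akkess code: the status names are the page's, while the Token layout, the function names and the per-tenant actor lists are assumptions made for this illustration. The `list_actors_unsafe` variant shows the tenant-confusion bug that the hardened `list_actors` prevents by treating the tenant id carried in the token, not the one in the request, as the authority.

```python
# Added example, not Akkess code: a minimal model of the token rules described
# above. The status values are the page's; the Token layout, the function names
# and the sample actor data are assumptions made for this illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Application:
    app_id: str
    status: str = "ACTIVE"  # ACTIVE | ARCHIVED | DECOMMISSIONED


@dataclass
class Tenant:
    tenant_id: str  # globally unique id that ends up in the token
    app_id: str
    status: str = "ACTIVE"  # ACTIVE | INACTIVE | ARCHIVED | DECOMMISSIONED


@dataclass(frozen=True)
class Token:
    kind: str  # "account" = IAM Account token, "tenant" = IAM token for one tenant
    tenant_id: Optional[str] = None  # only set on tenant-bound tokens


def can_issue_token(app: Application, tenant: Tenant) -> bool:
    """Both status tables only allow issuance while the entity is ACTIVE, and an
    archived or decommissioned application takes its tenants with it."""
    return (
        tenant.app_id == app.app_id
        and app.status == "ACTIVE"
        and tenant.status == "ACTIVE"
    )


def issue_tenant_token(app: Application, tenant: Tenant) -> Token:
    if not can_issue_token(app, tenant):
        raise PermissionError(
            f"cannot issue token: application={app.status} tenant={tenant.status}"
        )
    return Token(kind="tenant", tenant_id=tenant.tenant_id)


# Constructed sample data: actors stored per tenant, as a service would hold them.
ACTORS: Dict[str, List[str]] = {
    "customer-1": ["alice", "bob"],
    "customer-2": ["carol"],
}


def list_actors_unsafe(token: Token, requested_tenant: str) -> List[str]:
    """Tenant confusion: the caller-supplied tenant id drives the query and the
    token's binding is never compared against it."""
    if token.kind != "tenant":
        raise PermissionError("tenant data requires an IAM token, not an account token")
    return list(ACTORS.get(requested_tenant, []))


def list_actors(token: Token, requested_tenant: str) -> List[str]:
    """Hardened: the tenant id inside the token is the authority, and it must
    match the tenant being read (an IAM token can access only one tenant)."""
    if token.kind != "tenant":
        raise PermissionError("tenant data requires an IAM token, not an account token")
    if token.tenant_id != requested_tenant:
        raise PermissionError(
            f"token is bound to {token.tenant_id}, not {requested_tenant}"
        )
    return list(ACTORS.get(token.tenant_id, []))


if __name__ == "__main__":
    app = Application("application-1-production")
    t1 = Tenant("customer-1", app.app_id)
    tok = issue_tenant_token(app, t1)
    print("own tenant:", list_actors(tok, "customer-1"))
    print("cross-tenant via unsafe path:", list_actors_unsafe(tok, "customer-2"))
    try:
        list_actors(tok, "customer-2")
    except PermissionError as exc:
        print("hardened path refused:", exc)
    app.status = "ARCHIVED"
    print("issuable after archiving application:", can_issue_token(app, t1))
```

The check on `app.status` matters even when the tenant itself still reads ACTIVE: the application table says archiving or decommissioning the application stops token issuance for all of its tenants, so a service that only inspects the tenant row would keep issuing.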
Administrator
An Akkess IAM Administrator is a user in the system who can manage configuration and other administrators.
Characteristics:
- Manage account, application and tenant configurations
- Manage other administrators
- Enroll end users into respective tenants
Available roles:
ACCOUNT_OWNER
- Each account must have an owner
ACCOUNT_ADMINISTRATOR
- Top level administrator
APPLICATION_ADMINISTRATOR
- Allowed to manage application and its tenants
TENANT_ADMINISTRATOR
- Allowed to manage a specific tenant
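The role list above maps naturally onto a default-deny scope check, shown here as an added example rather than Akkess code. The role names are the page's; binding an APPLICATION_ADMINISTRATOR grant to one application id and a TENANT_ADMINISTRATOR grant to one tenant id, treating ACCOUNT_OWNER like a top-level administrator, and the sample tenant-to-application layout are assumptions made for this illustration.

```python
# Added example, not Akkess code: a default-deny scope check over the four
# administrator roles listed above. The role names are the page's; binding a
# grant to one app_id or tenant_id, and treating ACCOUNT_OWNER like a top-level
# administrator, are assumptions made for this illustration.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

ACCOUNT_WIDE_ROLES = {"ACCOUNT_OWNER", "ACCOUNT_ADMINISTRATOR"}


@dataclass(frozen=True)
class Grant:
    role: str
    app_id: Optional[str] = None  # required for APPLICATION_ADMINISTRATOR
    tenant_id: Optional[str] = None  # required for TENANT_ADMINISTRATOR


@dataclass(frozen=True)
class Target:
    """Configuration being managed; both None means account-level configuration."""
    app_id: Optional[str] = None
    tenant_id: Optional[str] = None


def may_manage(grant: Grant, target: Target, tenant_app: Dict[str, str]) -> bool:
    """tenant_app maps each tenant id to the application it belongs to, so an
    application administrator reaches that application's tenants but no others."""
    if grant.role in ACCOUNT_WIDE_ROLES:
        return True
    if grant.role == "APPLICATION_ADMINISTRATOR":
        if grant.app_id is None:
            return False  # malformed grant: refuse rather than widen its scope
        if target.tenant_id is not None:
            return tenant_app.get(target.tenant_id) == grant.app_id
        return target.app_id is not None and target.app_id == grant.app_id
    if grant.role == "TENANT_ADMINISTRATOR":
        return (
            grant.tenant_id is not None
            and target.tenant_id is not None
            and target.tenant_id == grant.tenant_id
        )
    return False  # unknown role: deny


def validate_grants(grants: Iterable[Grant]) -> None:
    """Invariants from the role list: every account needs an owner, and the
    scoped roles must actually carry their scope."""
    grants = list(grants)
    if not any(g.role == "ACCOUNT_OWNER" for g in grants):
        raise ValueError("each account must have an ACCOUNT_OWNER")
    for g in grants:
        if g.role == "APPLICATION_ADMINISTRATOR" and g.app_id is None:
            raise ValueError("APPLICATION_ADMINISTRATOR grant without app_id")
        if g.role == "TENANT_ADMINISTRATOR" and g.tenant_id is None:
            raise ValueError("TENANT_ADMINISTRATOR grant without tenant_id")


if __name__ == "__main__":
    # Constructed sample layout: one production application with two tenants
    # plus a development copy of the application with its own tenant.
    tenant_app = {
        "customer-1": "application-1-production",
        "customer-2": "application-1-production",
        "dev-1": "application-1-development",
    }
    app_admin = Grant("APPLICATION_ADMINISTRATOR", app_id="application-1-production")
    print(may_manage(app_admin, Target(tenant_id="customer-2"), tenant_app))  # True
    print(may_manage(app_admin, Target(tenant_id="dev-1"), tenant_app))  # False
    print(may_manage(app_admin, Target(), tenant_app))  # False: account-level config
```

Resolving a tenant target through `tenant_app` rather than trusting an `app_id` supplied alongside it is the point of the check: an application administrator for the production application must not reach a tenant that belongs to the development application just because the request claims otherwise.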