We are attempting to set up tenancy within our organization. We have roughly 40,000+ contact records within the system (general users, etc.). So we would like to apply the tenancy system to ROLES rather than to each individual user.
As such the tenant option is ON but when I log in with a test user in the specific role that I have restricted to a single tenant, I appear to have access to all of the group information still throughout the entire organization.
All of the groups within the system have been set to a particular tenant.
I have created the following tenants:
Each of these tenants has a corresponding role that is attached to it, indicated above in red.
Essentially, if I have the role CONFIDENTIAL MANAGER selected, I want to be able to see everything under it listed within the sub-tenants. If I have the role CONFIDENTIAL P1 selected, then I want to be able to see only the groups that are restricted to that tenant.
However, when I log in to the system with TEST USER and the role LEVEL 1 ANALYST selected, which is assigned to a single tenant of GENERAL SERVICES, I can still search and pull up tickets within the group CONFIDENTIAL P1.
I'm not sure if I'm missing an important step along the way?
Any assistance would be appreciated!
Not sure what your purpose is here, but a multi-tenant setup is meant to segregate data at the contact record level.
This is useful for MSPs or other providers that need to serve multiple clients from one single instance. However, in the context of a single internal helpdesk, I think you would better achieve mostly the same segregation at role level using data partition constraints vs. a tenant setup.
You can investigate the creation of tenant groups to achieve what I have understood from your requirements, but it is a lot of configuration and a lot of effort afterwards to maintain. Maybe you want to link that at role level.
My 2 cents
Thank you for the provided information.
Initial work with the CA team seems to suggest that single tenancy restrictions should be possible...
I have a meeting at 02:30 PM to work the issue further. I will report back on the findings.
The issue that was experienced above had an easy solution. I forgot to cycle the service. After cycling the service, the tenant structure started working as I indicated above.
It is possible to tenant on a role AND NOT just at a contact-based level. The role tenancy has worked well.
It is also possible to use tenant groups to create pathways between different tenants. Assign a common group to a particular tenant. Then create a tenant group assigning both the original tenant and the particular tenant to it. You can assign that particular tenant to all of your individual organizations. That way you can share one group throughout (or multiple).
We have also experienced issues with assigning (all aged) tickets, both open and closed, to a tenant based upon a particular group, so that we can edit old tickets after tenancy has been applied.
You can do this via:
<Object name="cr">
  <TenantRule type="Name">Service Provider</TenantRule>
  <Where>tenant is null and group=U'CA4963375E920C43B56F2F1119C59B8F'</Where>
</Object>
Hopefully this is helpful!