Introduction to module authorization
In a multi-tenant SaaS environment, customers can be allowed their own user administrators and application owners. To facilitate this, tenants and module authorization are available in IAM. By setting up module authorization in IAM, a tenant's access to IAM can be limited or extended.
Combining both features is most powerful when an application is created in IAM per tenant: the customer's application owner can then only choose roles from the authorized modules to assign to user groups within their own tenant.
Keep in mind that the best solution for your organization might be different. Tenants can also be used without the need for module authorization. Likewise, module authorization can be leveraged to limit applications to certain modules without requiring the application to be managed by a tenant directly via IAM.
Roles for module authorization
To leverage module authorization with tenants:
- A Main administrator or an Application administrator needs to create an application per tenant so the modules can be limited per tenant.
- An Application administrator needs to assign an Application owner to an application.
This way, the Application administrator and Main administrator will be able to see all users and the tenant that a user belongs to.
Check out Administrator roles for more details on the available roles and rights in IAM.
Enabling module authorization
Module authorization can be activated at the application level, and only by a Main administrator or an Application administrator.
menu Authorization > Applications > tab Form
Check the Limited module access box.
Enable module authorization
This activates the tab Module authorization. Open this tab.
Activate or deactivate modules for the application.
Role availability in module authorization
Module authorization directly determines which roles may be assigned to user groups for this application:
- Roles that are not part of any module are always available.
- Roles that are part of at least one authorized module are also available.
- Consequently, a role that belongs only to unauthorized modules is not available.
Role availability can be checked in the menu Authorization > Applications > tab Authorization > tab Roles.
Memberships of a role that falls outside the authorized modules are inactivated, not deleted. Accidentally removing a module from an application and restoring it afterwards therefore causes no loss of role assignments.
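The availability rule above and the inactivate-rather-than-delete behaviour can be modelled in a few lines. The following is an added example, not code from IAM or from this documentation; the role names, module names, user group and the in-memory data structures are constructed for illustration, and `Application` is a hypothetical model of the application's authorization settings, not an IAM API.

```python
from dataclasses import dataclass, field

# Constructed sample data: each role mapped to the set of modules it belongs to.
ROLE_MODULES = {
    "read_customers": set(),                 # not part of any module: always available
    "edit_orders": {"sales"},
    "approve_invoices": {"finance", "sales"},  # part of two modules
    "manage_stock": {"warehouse"},
}


def available_roles(role_modules, authorized_modules):
    """Roles assignable to user groups given the authorized modules.

    A role is available when it belongs to no module at all, or when at
    least one of its modules is authorized. A role whose modules are all
    unauthorized is excluded.
    """
    authorized = set(authorized_modules)
    return {
        role
        for role, modules in role_modules.items()
        if not modules or modules & authorized
    }


@dataclass
class Application:
    """Hypothetical model of one IAM application with limited module access."""
    role_modules: dict
    authorized_modules: set
    # user group -> {role: active?}; inactive memberships are kept, not dropped
    memberships: dict = field(default_factory=dict)

    def assign(self, group, role):
        """Assign a role to a user group; only currently available roles are allowed."""
        if role not in available_roles(self.role_modules, self.authorized_modules):
            raise ValueError(f"role {role!r} is not available for this application")
        self.memberships.setdefault(group, {})[role] = True

    def set_modules(self, modules):
        """Change the authorized modules and re-evaluate every membership.

        Memberships that fall outside the new module set are marked inactive;
        they are restored automatically when the module is authorized again.
        """
        self.authorized_modules = set(modules)
        available = available_roles(self.role_modules, self.authorized_modules)
        for group_roles in self.memberships.values():
            for role in group_roles:
                group_roles[role] = role in available

    def active_roles(self, group):
        """Roles a user group currently holds, ignoring inactivated memberships."""
        return {r for r, active in self.memberships.get(group, {}).items() if active}


def demo():
    """Walk through removing and restoring a module; returns the observed states."""
    app = Application(ROLE_MODULES, {"sales", "warehouse"})
    app.assign("ops", "edit_orders")
    app.assign("ops", "manage_stock")
    before = app.active_roles("ops")

    app.set_modules({"sales"})            # warehouse removed: manage_stock inactivated
    during = app.active_roles("ops")
    retained = set(app.memberships["ops"])  # membership record is still there

    app.set_modules({"sales", "warehouse"})  # warehouse restored: membership reactivated
    after = app.active_roles("ops")
    return before, during, retained, after


if __name__ == "__main__":
    for state in demo():
        print(sorted(state))
```

`available_roles` implements the three bullets as a single predicate; `set_modules` is where the "inactivated, not deleted" behaviour shows, since the membership entry for `manage_stock` survives the removal of the `warehouse` module and becomes active again once the module is restored.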