Skip to main content
A newer release of this product is available.

Creating a tenant account if SSO is enabled

Contributors netapp-lhalbert

When you create a tenant account, you specify a name, a client protocol, and optionally a storage quota. If single sign-on (SSO) is enabled for StorageGRID, you also specify which federated group has Root Access permission to configure the tenant account.

Steps
  1. In the Display Name text box, enter a display name for this tenant account.

    Display names do not need to be unique. When the tenant account is created, it receives a unique, numeric Account ID.

  2. Select the client protocol that will be used by this tenant account, either S3 or Swift.

  3. For S3 tenant accounts, keep the Allow Platform Services check box selected unless you do not want this tenant to use platform services for S3 buckets.

    If platform services are enabled, a tenant can use features, such as CloudMirror replication, that access external services. You might want to disable the use of these features to limit the amount of network bandwidth or other resources a tenant consumes. See “Managing platform services.”

  4. In the Storage Quota text box, optionally enter the maximum number of gigabytes, terabytes, or petabytes that you want to make available for this tenant's objects. Then, select the units from the drop-down list.

    Leave this field blank if you want this tenant to have an unlimited quota.

    Note A tenant's storage quota represents a logical amount (object size), not a physical amount (size on disk). ILM copies and erasure coding do not contribute to the amount of quota used. If the quota is exceeded, the tenant account cannot create new objects.
    Note To monitor each tenant account's storage usage, select Usage. Tenant accounts can also monitor their own storage usage from the Dashboard in the Tenant Manager or with the Tenant Management API. Note that a tenant's storage usage values might become out of date if nodes are isolated from other nodes in the grid. The totals will be updated when network connectivity is restored.
  5. Notice that the Uses Own Identity Source check box is unchecked and disabled.

    Because SSO is enabled, the tenant must use the identity source that was configured for the Grid Manager. No local users can sign in.

  6. In the Root Access Group field, select an existing federated group from the Grid Manager to have the initial Root Access permission for the tenant.

    Note If you have adequate permissions, the existing federated groups from the Grid Manager are listed when you click the field. Otherwise, enter the group's unique name.
  7. Click Save.

    The tenant account is created. The Tenant Accounts page appears, and it includes a row for the new tenant.

  8. If you are a user in the Root Access group, optionally click the Sign in link for the new tenant to immediately access the Tenant Manager, where you can configure the tenant. Otherwise, provide the URL for the Sign in link to the tenant account's administrator. (The URL for a tenant is the fully qualified domain name or IP address of any Admin Node, followed by /?accountId=20-digit-account-id.)

    Note An access denied message is displayed if you click Sign in, but you do not belong to the Root Access group for the tenant account.
Related information

Configuring single sign-on