Important: The tenant management function is not currently available to general users. Please contact our Helpdesk before using it.
Each AWS account monitored by Coati is linked to a management unit called a "tenant". A "group" is a higher-level management unit that collects multiple tenants. A single user can operate on multiple AWS accounts by joining multiple tenants.
Group users manage their tenants through a dedicated Group dashboard.
Tenant users configure and operate within the tenant through a dedicated Tenant dashboard.
Tenant Management Use Cases
The tenant management functionality supports the following management patterns:
- A company that uses Coati on behalf of its end users creates a group, and creates one tenant for each end-user company
- A management department (e.g. IT) within a company creates a group, and creates one tenant for each department within the company
Tenant Management Function Details
One tenant is created for each AWS account.
Users operate on, and view information about, the tenant's AWS account by belonging to that tenant. Users who belong to a tenant are called tenant users. A user may belong to multiple tenants.
The operations a tenant user may perform on the tenant's AWS account are determined by the user's role in that tenant. There are three tenant user roles: "Administrator", "Operator" and "Viewer".
The table below shows which operations each tenant user role may perform (columns follow the role order Administrator, Operator, Viewer).
| Operation | Administrator | Operator | Viewer | Note |
|---|---|---|---|---|
| Obtain Coati's monitoring status | ✓ | ✓ | ✓ | |
| Access Zendesk with SSO | ✓ | ✓ | ✓ | |
| Assign webhooks to tenants | ✓ | ✓ | ✓ | Currently not available |
| View event information | ✓ | ✓ | ✓ | |
| View instance information | ✓ | ✓ | ✓ | |
| Change the instance configuration | ✓ | ✓ | | |
| View service information | ✓ | ✓ | ✓ | |
| Change the service configuration | ✓ | ✓ | | |
| Delete users from a tenant | ✓ | | | |
| Add users to a tenant | ✓ | | | |
| View tenant information | ✓ | ✓ | ✓ | |
| Change the tenant configuration | ✓ | ✓ | | |
| Create a new tenant | ✓ | ✓ | | |
| View tenant user information | ✓ | ✓ | ✓ | |
| Change the plan | ✓ | | | |
| Change user roles | ✓ | | | |
| Obtain user information | ✓ | ✓ | ✓ | |
| Change user information | ✓ | | | |
| Obtain current usage information (time used) | ✓ | ✓ | ✓ | |
| Change the notification settings | ✓ | ✓ | | |
| View the notification settings | ✓ | ✓ | ✓ | |
The operations above may be further restricted per tenant by a group user, as described below.
A group collectively manages multiple tenants.
Users in a group (group users) can perform the following tasks:
- Operations on all tenants in the group
- Add or delete tenants
- Add or delete users in their group
- Change the roles of users in their group
The operations a group user may perform are determined by their role. Group users also have three roles: "Administrator", "Operator" and "Viewer".
The table below shows which operations each group user role may perform (columns follow the role order Administrator, Operator, Viewer).
| Operation | Administrator | Operator | Viewer | Note |
|---|---|---|---|---|
| Create a new tenant | ✓ | ✓ | | |
| Delete a tenant | ✓ | ✓ | | |
| View information on group users | ✓ | ✓ | ✓ | |
| Register a new group user | ✓ | | | |
| Delete a group user | ✓ | | | |
| Change group user roles | ✓ | | | |
| View tenants that belong to the group | ✓ | ✓ | ✓ | |
| Create a new tenant in the group | ✓ | ✓ | | |
| View the highest role level for tenant users | ✓ | ✓ | ✓ | |
| Change the highest role level for tenant users | ✓ | ✓ | | |
| View privileges allowed for tenants | ✓ | ✓ | ✓ | |
| Change privileges allowed for tenants | ✓ | ✓ | | |
| View payee information | ✓ | | | Currently not available |
| Create a payee | ✓ | | | Currently not available |
| Delete payment method | ✓ | | | Currently not available |
| Update payment method | ✓ | | | Currently not available |
| Register Webhook URL | ✓ | | | Currently not available |
| Access the support Helpdesk | ✓ | ✓ | ✓ | |
In addition, group users can apply the following settings to each tenant:
- Setting a "Permission" for each tenant, per operation
A group user can remove the permission for a given operation from the roles of a specific tenant.
For instance, a user assigned the "Administrator" role in a tenant is by default permitted to execute the operation "create a new tenant", but a group user can set this operation to "not authorized" for that tenant. Tenant users of that tenant then cannot "create a new tenant" even if they hold the "Administrator" role.
- Configuring the Upper limit Role allowed for tenant users
The Upper limit Role is configured per tenant. By default it is "Administrator", which means tenant users belonging to the tenant may hold the "Administrator" role at the highest. When a group user changes the tenant's highest role level to "Operator", the highest role level that can be assigned to its tenant users becomes "Operator" (i.e. they can be assigned only "Operator" or "Viewer", not "Administrator").
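To make the interaction between the three mechanisms concrete (role defaults from the tenant table, a group user's per-tenant permission removal, and the per-tenant Upper limit Role), the following is an added illustrative model written for this page; it is not Coati's own code or API. The operation and role names are taken from the tables above; the class and function names, the behaviour of demoting existing members when the cap is lowered, and the sample tenant "acme" are assumptions made for the example.

```python
"""Illustrative model of tenant RBAC with group-level overrides.

Added example for this page, not Coati's implementation. Operation and role
names come from the page's tables; Tenant, assign_role, set_upper_limit_role
and is_allowed are hypothetical names chosen here.
"""
from dataclasses import dataclass, field

# Role ranks, highest first. The ordering follows the page's description of
# the Upper limit Role (Administrator above Operator above Viewer).
ROLE_RANK = {"Administrator": 3, "Operator": 2, "Viewer": 1}

# Default operations per tenant role, a subset of the tenant-role table.
_VIEWER_OPS = {
    "View tenant information", "View instance information",
    "View event information", "View the notification settings",
}
_OPERATOR_OPS = _VIEWER_OPS | {
    "Change the instance configuration", "Change the tenant configuration",
    "Create a new tenant", "Change the notification settings",
}
_ADMIN_OPS = _OPERATOR_OPS | {
    "Add users to a tenant", "Delete users from a tenant",
    "Change user roles", "Change the plan",
}
TENANT_ROLE_DEFAULTS = {
    "Viewer": _VIEWER_OPS,
    "Operator": _OPERATOR_OPS,
    "Administrator": _ADMIN_OPS,
}


class AuthzError(Exception):
    """Raised when an assignment would violate a group-level constraint."""


@dataclass
class Tenant:
    name: str
    upper_limit_role: str = "Administrator"      # set by a group user
    revoked: set = field(default_factory=set)    # operations set to "not authorized"
    members: dict = field(default_factory=dict)  # user -> tenant role


def assign_role(tenant: Tenant, user: str, role: str) -> None:
    """Assign a tenant role, rejecting anything above the tenant's cap."""
    if role not in ROLE_RANK:
        raise AuthzError(f"unknown role {role!r}")
    if ROLE_RANK[role] > ROLE_RANK[tenant.upper_limit_role]:
        raise AuthzError(
            f"{role} exceeds Upper limit Role {tenant.upper_limit_role} "
            f"for tenant {tenant.name}")
    tenant.members[user] = role


def set_upper_limit_role(tenant: Tenant, role: str) -> None:
    """Group user changes the cap. Demoting members already above the new cap
    is an assumption of this example; the page only states the new maximum."""
    if role not in ROLE_RANK:
        raise AuthzError(f"unknown role {role!r}")
    tenant.upper_limit_role = role
    for user, current in tenant.members.items():
        if ROLE_RANK[current] > ROLE_RANK[role]:
            tenant.members[user] = role


def is_allowed(tenant: Tenant, user: str, operation: str) -> bool:
    """Effective decision: the user must be a tenant user, the operation must
    not be revoked for this tenant by a group user, and the role default
    must grant it. A group-level revocation wins over any role."""
    role = tenant.members.get(user)
    if role is None:
        return False
    if operation in tenant.revoked:
        return False
    return operation in TENANT_ROLE_DEFAULTS[role]


def demo() -> tuple:
    """Walk through the page's own scenario on a constructed tenant."""
    t = Tenant("acme")                                     # constructed sample
    assign_role(t, "alice", "Administrator")
    before = is_allowed(t, "alice", "Create a new tenant")  # granted by default
    t.revoked.add("Create a new tenant")                    # group user removes it
    after = is_allowed(t, "alice", "Create a new tenant")   # denied despite Administrator
    set_upper_limit_role(t, "Operator")                     # cap lowered
    capped = t.members["alice"]                             # alice is now Operator
    try:
        assign_role(t, "bob", "Administrator")              # above the cap
        rejected = False
    except AuthzError:
        rejected = True
    return before, after, capped, rejected


if __name__ == "__main__":
    print(demo())
```

The order of checks in is_allowed is the point worth carrying into a real system: membership first, then the tenant-specific revocation, then the role default, so that a group user's "not authorized" setting can never be bypassed by holding a higher role.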
A group user cannot belong to more than one group.
A group user cannot also be a tenant user.
Permission settings can be changed only for tenant operations, not for operations on groups.