The user-role-tenant model in Pyramid uses the classic multi-tenant approach: users, content and data within a tenancy cannot be accessed by other users in another tenancy. However, this can be altered with "Cross Tenancy" options. In some respects, cross-tenancy breaks the classic tenant concept, however, there are scenarios where customers would like to use tenants with a few "exceptions". Cross tenant content and roles are switches to enable such exceptions.
Cross Tenancy options must be enabled in the admin console to be accessible.
Cross Tenant Content vs Cross Tenant Roles
Cross tenant content is useful for having the same content seen and accessible by different tenants without having to create duplicates. It works by explicitly adding multitenant roles to content or folders and can only be set and managed by ENTERPRISE admins.
Cross tenant roles, on the other hand, delivers similar functionality to cross tenant content, by allowing users to join roles outside of their own tenant - but the settings are attached to the role, rather than the content. As such, it can be extended to data security and any future content and it allows DOMAIN admins to add and remove users, from outside their domain / tenancy, to existing roles without Enterprise admins. This is useful for on-going management of common content and data elements in a deployment at the domain level.
Enterprise Admins have the ability to grant access to content to roles belonging to different tenants.
When the Enterprise Admin creates a folder under Public Content, they can grant access to roles from every tenant to that folder. Users with those roles will then have access to the folder as well.
The ability to create and open cross-tenant content depends on the user type:
- Enterprise Admins will see all content added to the folder, and they can add content to the folder that will be visible to all the specified roles, regardless of which tenant they belong to
- Domain Admins can save content to a cross-tenant folder, but the content they save will be visible only to roles within their own tenant that have access to the folder. Domain Admins can also disable access to the cross-tenant folder for roles from their own tenant.
- Non-Admin users can add content to a cross-tenant folder, but they cannot make that content accessible to roles outside of their own tenant (even if those roles have access to the cross-tenant folder)
You can also apply cross-tenancy to existing folders by opening their metadata panel and selecting the Roles panel. Cross-tenant folders are easily recognizable by their icon (shown below).
Cross tenant roles can be enabled from the Multitenancy panel under Settings in the Admin console. If this feature is enabled, Domain Admins can add and remove users from outside their domain / tenancy, to existing roles in the admin console. Once set, these roles can be used as normal in the system to share content and data.