Tenants configurator

Tenants are instances of client suborganizations that benefit from the Address Group Policy, which segments users into separate groups within one global organization. With this approach, separate tenants can share a single instance of software while the software's data and configuration are customized to suit each particular tenant. Multitenancy is most often used by companies hosting Exchange Servers.

By default, CodeTwo Exchange Rules Pro works without any division into tenants. To enable this feature, use the Tenants configurator (Fig. 1.), a standalone tool installed along with other components during the program's setup. Once tenants are configured and the Administration Panel is started, the administrator will be able to define different tenants that can manage their own sets of rules.

Fig. 1. The Tenants configurator.

CodeTwo Exchange Rules Pro recognizes tenants based on the Active Directory users' attributes. To define your tenants, open the Tenants configurator from the list of installed programs and click the Add button. The configuration window will open (Fig. 2.).

Fig. 2. Tenant configuration window.

Define the Tenant display name (once the Administration Panel is launched it will prompt you to choose which tenant you would like to work with) and select the tenant's LDAP property. There is a wide variety of properties to choose from (Fig. 3).

Fig. 3. LDAP properties context menu.

Next, define the comparison type that will be used by the program to associate LDAP properties with tenants. There are two types of comparisons to choose from (Fig. 4.):

Exchange Rules Pro - Equals or contains
Fig. 4. Comparison types.

The last step is to define the LDAP property value. Once all the required tenant information is supplied (Fig. 5.), confirm it by clicking OK.

Fig. 5. Tenant configured.

We strongly recommend using the Organizational Unit assignment of a particular user to define a tenant. The OU assignment is provided as part of the distinguishedName Active Directory property. An example value of this property looks as follows: CN=AdminMiami,OU=Miami,DC=domain103,DC=lab.


Consequently, you need to set the Comparison type to Contains and fill in the value field with OU=<your OU> (Fig. 6.).

Fig. 6. Tenant assignment using Organizational Unit.
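
A way to check tenant definitions before relying on them for separation, as an added example that is not CodeTwo's code: it models Equals as a whole-string match and Contains as a substring match, both case-insensitive (an assumption, since this page does not state the program's exact matching rules), and flags users whose distinguishedName matches no tenant or more than one. The function names, the tenant names and every DN except the one quoted above are constructed for illustration.

```powershell
# Constructed sample data: the first DN is the page's example, the rest are made up.
$users = @(
    'CN=AdminMiami,OU=Miami,DC=domain103,DC=lab'
    'CN=Ann,OU=Sales,OU=Miami,DC=domain103,DC=lab'
    'CN=Bob,OU=MiamiBeach,DC=domain103,DC=lab'
    'CN=Eve,OU=Boston,DC=domain103,DC=lab'
    'CN=Dan,CN=Users,DC=domain103,DC=lab'
)
# Hypothetical tenant definitions mirroring the configurator's fields.
$tenants = @(
    [pscustomobject]@{ Name = 'Miami';      Comparison = 'Contains'; Value = 'OU=Miami' }
    [pscustomobject]@{ Name = 'MiamiBeach'; Comparison = 'Contains'; Value = 'OU=MiamiBeach' }
    [pscustomobject]@{ Name = 'Boston';     Comparison = 'Contains'; Value = 'OU=Boston' }
)

function Test-TenantMatch {
    param([string]$PropertyValue, [object]$Tenant)
    # Assumption: Equals = whole-string match, Contains = substring match, case-insensitive.
    switch ($Tenant.Comparison) {
        'Equals'   { return $PropertyValue -ieq $Tenant.Value }
        'Contains' { return $PropertyValue.IndexOf($Tenant.Value, [System.StringComparison]::OrdinalIgnoreCase) -ge 0 }
        default    { throw "Unknown comparison type: $($Tenant.Comparison)" }
    }
}

function Get-TenantAssignment {
    param([string[]]$DistinguishedName, [object[]]$Tenant)
    foreach ($dn in $DistinguishedName) {
        $hits = @($Tenant | Where-Object { Test-TenantMatch -PropertyValue $dn -Tenant $_ })
        $status = if ($hits.Count -eq 0) { 'UNASSIGNED' } elseif ($hits.Count -eq 1) { 'ok' } else { 'AMBIGUOUS' }
        [pscustomobject]@{ DistinguishedName = $dn; Tenants = ($hits.Name -join ', '); Status = $status }
    }
}

# 'OU=Miami' is a prefix of 'OU=MiamiBeach', so Bob is reported under two tenants.
Get-TenantAssignment -DistinguishedName $users -Tenant $tenants | Format-Table -AutoSize

# Ending each value with the RDN separator (e.g. 'OU=Miami,') removes the prefix collision.
$anchored = $tenants | ForEach-Object { [pscustomobject]@{ Name = $_.Name; Comparison = $_.Comparison; Value = $_.Value + ',' } }
Get-TenantAssignment -DistinguishedName $users -Tenant $anchored | Format-Table -AutoSize
```

To run the same check against a live directory, pass the DistinguishedName values returned by Get-ADUser instead of the constructed list.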

After clicking the OK button, you should be able to see all defined tenants on the list (Fig. 7).

Fig. 7. List of all tenants added to the program.

Please note that you may add, remove or edit entries at any point within the configurator (Fig. 8.).

Fig. 8. Add, remove or edit tenants.

After the configuration, every time the Administration Panel is opened, you will be prompted to choose the tenant you want to create rules for (Fig. 9.).

Fig. 9. Choice of tenants to connect to at Administration Panel's startup.

Please note that the CodeTwo Exchange Rules Pro settings are split into the following two categories:

Thanks to this architecture, you will be able to limit permissions of particular users to a specific entry. However, you will probably also need a user that is able to make modifications globally. The best way to achieve that is to enable access rights for every tenant and then assign at least two users - a global administrator (e.g. the built-in Administrator account) who can manage the access rights and a tenant administrator who is limited to particular entries (Fig. 10).

Fig. 10. Rule access rights set for a tenant, with a Global Administrator and an Administrator assigned only for this tenant.

From now on, the administrator assigned to a particular tenant (in our example the MiamiAdmin) is unable to connect to or manage any other tenant, regardless of this user's membership in the Domain Admins group. However, please keep in mind that the visibility of objects in Active Directory depends on the permissions set in this particular Active Directory. Consequently, you need to modify them if you would like to hide particular objects (e.g. an entire Organizational Unit) from specific users.

See next

Rules Tester - this article describes how to use the Rules Tester tool to check how your rules work before implementing them in your environment.
