Tenants configurator

Tenants are instances of client sub-organizations that benefit from the Address Group Policy that segments users into separate groups within one global organization. Thanks to such solution, separate tenants can make use of the single instance of a software, but with its data and configuration customized to be applied to the particular tenant only. Furthermore, multi-tenancy solution is most often used by companies hosting Exchange Servers.

By default CodeTwo Exchange Rules Pro works without any division. To enable this feature, use the Tenants configurator (Fig. 1.) which is a standalone tool installed along other components during setup. Thanks to this solution, once the Administration Panel is started the Administrator will be able to choose one to manage appropriate rules.

ER Pro 2.x - tenants configurator
Fig. 1. Tenants configurator window.

CodeTwo Exchange Rules Pro recognizes Tenants based on Active Directory users' attributes. To define them, open the Tenants configurator from the list of installed programs and click the Add button. The configuration window will open (Fig. 2.).

Exchange Rules Pro - Add tenant
Fig. 2. Tenant configuration window.

Define the display name (once the Administration Panel is launched it will prompt to choose which one you want to work with) and then move on to select the LDAP property. There's a wide variety of properties to choose from (Fig. 3). 

ER Pro 2.x - ldap properties context menu
Fig. 3. LDAP properties context menu expanded.

Next, define the comparison type so the program can search for LDAP property for association. There are two types of comparison (Fig. 4.) to choose from:

Exchange Rules Pro - Equals or contains
Fig. 4. Comparison type expanded.

The last step is the definition of LDAP property value. Once all the information is supplied (Fig. 5.), confirm it via OK.

Exchange Rules Pro - Tenant configured
Fig. 5. Tenant configured.

We strongly recommend to use the Organizational Unit assignment of a particular user to define a Tenant. The OU assignment is provided as a part of distinguishedName Active Directory property. An exemplary value of this variable looks as follow: 

CN=AdminMiami,OU=Miami,DC=domain103,DC=lab

Consequently, you need to set the Comparsion type to Contains and fill in the value field with the OU=<your OU> (Fig. 6.). 

Exchange Rules Pro - Tenant assignment via OU
Fig. 6. Tenant assignment using the Organizational Unit.

After clicking the OK button, you should be able to see all defined Tenants in the list (Fig. 7).

ER Pro 2.x - tenants visible on the list
Fig. 7. All Tenants visible on the list.

Info

Please note that you may add, remove or edit entries at any point within the configurator (Fig. 8.).

ER Pro 2.x - add,remove,edit tenants
Fig. 8. Add, remove or edit Tenants.

After the configuration, every time the Administration Panel is opened, you will be prompted to choose the Tenant you want to create the rules for (Fig . 9.).

ExchangeRulesPRO-Tenant1
Fig. 9. Choice of Tenants to connect to after Administration Panel's starts up.

Please note that application's settings are spited into the two following categories:

Thanks to this architecture, you will be able to limit permissions of particular users to a specific entry. However, you will probably also need a user that is able to make modifications globally. Therefore, the best way to achieve that is to enable the Access Rights for every tenant and then assign at least two users - a global administrator (e.g the Built-In Administrator account) which can manage the Access Rights and the tenant administrator with limitations for a particular entry (Fig. 10).

ExchangeRulesPRO-Tenant2
Fig. 10. Rules Access Rights set for a particular tenant, including the Global Administrator and the Administrator assigned only for this tenant.

From now, the administrator assigned to a particular tenant (in our example the miamiAdmin) is unable to connect nor to manage any other, regardless of membership of Domain Admins group. However, please keep in mind, that the visibility of objects in the Active Directory depends on permissions set in the Active Directory. Consequently, you need to modify them if you would like to hide particular objects (e.g. entire Organizational Unit) for specific users. 

See next

Rules tester - this article describes how to use the Rules tester tool to check how your created rules work before implementing them in the production environment.

Was this information useful?