
User model

A10 Harmony Controller supports the Provider-Tenant architecture allowing each configured sub-provider to manage their tenants, users, and corresponding applications. This document explains the Provider Tenant Configuration in A10 Harmony Controller.

Provider-Tenant Model

The Root provider (also known as root administrator) configures all sub-providers, tenants, and users at the highest hierarchy level or the root level. The Root Provider has permissions to create any number of additional sub-providers and tenants. The sub-provider, which is the next hierarchy level, configures tenants and users. At the sub-provider level, the tenant can add a designated tenant administrator who can configure and manage the tenant’s users and applications. Each tenant is entirely independent and cannot access resources (applications and clusters) managed by other tenants.

Hierarchy Levels

The different hierarchy levels in the Provider-Tenant configuration in A10 Harmony Controller include:

  1. Root Provider - At this level you can add the root-level Sub-Provider(s), Tenant(s) and User(s).
  2. Sub-Provider - At this level you can add the sub-provider-level Sub-Provider(s), Tenant(s) and User(s).
  3. Tenant - Tenants can add users and assign specific roles, such as Tenant Admin, to administer their users.
  4. Users - Each user can have different roles. For example, a user can be a Tenant Admin and a Tenant User, and also be a root user.

Root Provider Level


The diagram below shows the hierarchy levels that the Root Provider can add:

  1. Sub-Providers
  2. Tenants
  3. Users

Provider Tenant Configuration: High Level Diagram


Roles and Permissions

There are different roles and corresponding permissions in the Provider-Tenant configuration:

Root User Roles

The root user can have any of these roles:

  • Root user (can be Root Admin)
  • Root level-Tenant Admin
  • Root level-Tenant’s Application admin
  • Root level-Tenant’s user

Administrator Roles

The administrator roles include:

  • Root Level Administrator
  • Provider-level Administrator
  • Tenant Administrator
  • Application Administrator

Sub-Provider User Roles

The users at sub-provider level can have any of these roles:

  • Tenant Admin at the Sub-Provider level
  • Application admin at the Sub-Provider level
  • Tenant user at the Sub-Provider level

This diagram shows the hierarchy levels for the Admin roles in the system.


Provider-Tenant High Level Diagram Explaining Different Roles

In the high-level Provider-Tenant configuration, the roles fit in as shown in this diagram.


Provider Management:

This section provides more information on Provider-Tenant Configuration in A10 Harmony Controller.

  • Creating the Root Provider
  • Adding a Sub-Provider
  • Adding a Tenant
  • Adding/Assigning Users

Creating the Root Provider

The Root Provider is created via the API or a script. Once the Root Provider is created, you can use the UI or APIs to create other roles and users. This API or script is usually run at the time of installation of the controller. You can always create a different user and assign that user the root administrator role.

You need to use the script admin.sh. This script takes four arguments:

$ ./admin.sh <ip-address-or-hostname-of-api-server> <email> <first-name> <last-name>

The email is the email id of the root provider administrator.

Example:

$ ./admin.sh ec2-52-32-93-144.us-west-2.compute.amazonaws.com adsroot@yourcompany.com Joe Walsh

Activating the Root Provider

Once the root provider is created, you need to activate the root provider account from the confirmation email, as explained in these steps:

  1. The Root Provider’s email address receives a mail with an Activation link.
  2. Click the Activation link to activate the account. The Select Authentication Mode screen is displayed.

Setting the Authentication Modes

The Select Authentication Mode screen displays the option Inherit from Parent and three authentication modes:

  • Inherit from Parent

  • Default Authentication Mode - A10 Harmony Controller administers user management and authentication.

  • LDAP Authentication Mode - Users are authenticated against the given LDAP server.

  • Google Authentication Mode - Users are authenticated against Google sign-in.

Google Authentication Mode

The A10 Harmony Controller also provides a Google authentication mode for customers who want to authenticate users based on Google login.

Google Sign-in provides OpenID Connect formatted ID tokens and OAuth 2.0 access tokens for further interaction with Google APIs.

The Google API allows an application to perform the following tasks:

  • Detect whether the current user is signed in.
  • Redirect the user to the appropriate sign-in page to sign in.
  • Request that the user create a new Google account if they don’t have one already.

Following are the steps to set the Google authentication mode in A10 Harmony Controller:

Prerequisite:

The Root Provider receives an account activation email, which is used in the following configuration steps. Note that a Google/Google Apps account must be provided during account creation for the sign-in to succeed.

  1. Open the activation email. Clicking the activation link redirects the user to the A10 Harmony Portal authentication page.
  2. The A10 Harmony Portal authentication configuration page is displayed with the Google Authentication option selected.
  3. When GCP is selected as the authentication mode, the root provider needs to provide the Google Client ID on this page. The Client ID can be copied from the Google Cloud Platform page (for more information on generating a Google Client ID, refer to the onscreen help).
  4. Enter the Client ID and click Set Authentication Mode. If the root provider is logged out of the Google account, the Google login screen pops up for the user to log in.
  5. The Google sign-in is activated successfully.
  6. Click the Sign in Using Google button. The Google permission page pops up on the first login; click Allow.
  7. Login is successful.
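The checks a relying party must apply to the OpenID Connect ID token it receives for the Client ID configured above, as an added example that is not A10 Harmony Controller code: the token builder, the Client ID and the email are constructed values, and the token's signature is assumed to have been verified against Google's published keys before these claim checks run.

```python
import base64
import json
import time

# Issuer values that appear in Google-issued ID tokens.
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT used only to exercise the checks below."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return "%s.%s." % (header, _b64url_encode(json.dumps(claims).encode()))


def check_id_token_claims(id_token: str, client_id: str, now: float = None) -> str:
    """Check the claims that bind a Google ID token to this deployment and
    return the signed-in email. Assumes the signature has already been
    verified against Google's published keys; claims from an unverified
    token must never be trusted."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    # The Client ID entered in Set Authentication Mode is the audience: a
    # token minted for some other application must be rejected.
    if claims.get("aud") != client_id:
        raise ValueError("token was not issued for this Client ID")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token has expired")
    if claims.get("email_verified") is not True:
        raise ValueError("email address not verified by Google")
    return claims["email"]


if __name__ == "__main__":
    client_id = "0000000000-example.apps.googleusercontent.com"  # constructed
    token = make_sample_token({
        "iss": "https://accounts.google.com", "aud": client_id,
        "exp": 2000000000, "email": "adsroot@yourcompany.com",
        "email_verified": True,
    })
    print(check_id_token_claims(token, client_id))
```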

LDAP Authentication Mode

Perform these steps to configure LDAP Authentication mode:

  1. Provide the required information in these fields for configuring the LDAP Authentication mode.

  • Comma separated LDAP hosts: Provide the IP addresses of the LDAP hosts.

    Note: You need to add the ldap:// prefix before the IP address. Example: ldap://53.24.141.85. If there are multiple hosts, provide comma-separated values.

  • User DN Pattern: This is the Distinguished Name (DN) pattern that is used to log users in directly against the LDAP directory. The pattern is used to build the DN string for “direct” user authentication and is relative to the base DN of the LDAP host provided above. The pattern argument {0} is replaced with the username at runtime.

    Example: uid={0},ou=users,dc=companyname,dc=com

  • LDAP User ID: Provide your LDAP user ID.

  • LDAP Password: Provide your LDAP password.

  2. Select Default Authentication Mode or LDAP, as required.

  3. Select the second option, Sub-Providers may choose different Authentication Mode. This allows providers created under the root provider to choose their own authentication mode.

  4. Click Set Authentication Mode. The message “Authentication type set up successfully” is displayed.

  5. Now, you are asked to set the password.

  6. When the password is set, you are redirected to the login page, where you need to log in with your credentials.

  7. You will receive the Welcome email, which contains the Login URL: https://<ui-ip>/#/login/root

  8. After successful login, you are redirected to the Provider Admin Management dashboard.

    This completes the one-time Root Provider creation process in the A10 Harmony Controller user interface.
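A worked example, added here and not taken from A10 Harmony Controller, of how the two LDAP fields above fit together: the comma-separated host list is validated for the ldap:// prefix, and the username is substituted into the User DN Pattern with RFC 4514 escaping so that a username containing "," or "=" cannot add or alter RDNs in the resulting DN. The function names, the acceptance of ldaps:// and the sample usernames are assumptions.

```python
from urllib.parse import urlsplit

# Characters that RFC 4514 requires to be escaped inside an RDN value, plus
# '=' which the grammar also allows to be backslash-escaped.
_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value (here the username) per RFC 4514."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:            # a leading '#' is special
            out.append("\\#")
        elif ch == " " and i in (0, last):    # leading or trailing space
            out.append("\\ ")
        elif ord(ch) < 0x20:                  # control characters -> hex pair
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(pattern: str, username: str) -> str:
    """Substitute the username into a User DN Pattern such as
    uid={0},ou=users,dc=companyname,dc=com (the page's own example)."""
    if "{0}" not in pattern:
        raise ValueError("User DN Pattern must contain the {0} placeholder")
    return pattern.replace("{0}", escape_dn_value(username))


def parse_ldap_hosts(field: str) -> list:
    """Validate the 'Comma separated LDAP hosts' field: every entry needs the
    ldap:// prefix (ldaps:// is accepted here as an assumption) and a host."""
    hosts = []
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            continue
        parts = urlsplit(entry)
        if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
            raise ValueError("invalid LDAP host entry, expected ldap://host: %r" % entry)
        hosts.append(entry)
    if not hosts:
        raise ValueError("at least one LDAP host is required")
    return hosts


if __name__ == "__main__":
    pattern = "uid={0},ou=users,dc=companyname,dc=com"
    print(parse_ldap_hosts("ldap://53.24.141.85, ldap://ldap2.example.com:389"))
    print(build_bind_dn(pattern, "jwalsh"))
    # A crafted username cannot add an RDN: the comma and '=' are escaped.
    print(build_bind_dn(pattern, "x,ou=admins"))
```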

Adding a Sub-Provider

The Root Provider can add sub-providers from the Provider Admin Management dashboard in A10 Harmony Portal.

Perform these steps to add a sub-provider in A10 Harmony Portal:

  1. Select Add Sub-Provider in the dashboard to create a sub-provider. The Sub-Provider Information window is displayed.

  2. Provide these details in the Sub-Provider Information window:

  • Provider Name - Enter the sub-provider name.

  • Description - Enter a short description for the sub-provider.

  • Admin Email Address - Email address of the Sub-Provider Admin.

  • Keep User Id same as Email Address - Check this option if you want the Sub-Provider Admin’s email address to be used as the Sub-Provider Admin’s User ID.

    Then these fields are displayed:

    • Admin First Name - Enter the first name of the Sub-Provider Admin.
    • Admin Last Name - Enter the last name of the Sub-Provider Admin.

    If you want to enter a unique user ID for the Sub-Provider Admin, uncheck the option Keep User Id same as Email Address. Then these fields are displayed:

    • Admin User Id - Enter the unique User ID for the Sub-Provider Admin.
    • Admin First Name - Enter the first name of the Sub-Provider Admin.
    • Admin Last Name - Enter the last name of the Sub-Provider Admin.

  3. Save the Sub-Provider information using the Save button.

The Sub-Providers added by the Root Provider are displayed in the Root Provider’s dashboard, as shown in this image.

Deleting/Editing a Sub-Provider

The Sub-Provider(s) can either be deleted or edited using the available dashboard options, as shown.

To delete a Sub-Provider, click the TrashBin icon > click Delete when prompted.

To edit a Sub-Provider, click the Pencil icon > edit the fields and click Save.

Adding a Tenant

The Root Provider can add its tenants from the Provider Admin Management dashboard.

Note: The Sub-Provider can add its tenants from its own dashboard.

Perform these steps to add a tenant in A10 Harmony Portal:

  1. Select Add Tenant in the dashboard to create a Tenant. The Tenant Information window is displayed.

  2. Provide these details in the Tenant Information window:

  • Tenant Name - Enter the name of the tenant.
  • Tenant Admin Email - Enter the email address of the Tenant Admin.
  • Tenant Admin First Name - Enter the first name of the Tenant Admin.
  • Tenant Admin Last Name - Enter the last name of the Tenant Admin.

  3. Save the Tenant information using the Save button. The Tenant Administrator then receives an activation email.

The tenants added are displayed in the dashboard.

You can view the creation of a Tenant Admin in the following video snippet.

Deleting/Editing a Tenant

The Tenant(s) can either be deleted or edited using the available dashboard options, as shown.

To delete a Tenant, click the TrashBin icon > click Delete when prompted.

To edit a Tenant, click the Pencil icon > edit the fields and click Save.

Viewing Tenant Details

Perform these steps to view the tenant details:

  1. Click the tenant name in the Provider Admin menu to view the details.

    In the <Tenant Name>-Details window, you can view these details:

  • Name - The name of the tenant.

    Note: When you click the hyperlink (name) here, you are redirected to the A10 Harmony Portal view for the tenant, where new applications can be added.

  • Tenant Type - The type of tenant. This can be hosted, managed, or self-managed.

  • Created On - The date and time at which the tenant was created.

  • Total Applications - The number of applications that have been added by the tenant.

  • Users - The number of users under this tenant.

  • Admins - Details of the tenant admin, including the name and email address. There is also an option to revoke access to this tenant. When you click the hyperlink (email address), you can view more details of the tenant admin, as shown in the image below:

Here you can view these details:

  • Name - The name of the tenant admin.
  • Email Id - The email id of the tenant admin.
  • State - The state of the tenant admin, whether active or inactive.
  • Roles - This table provides details of the roles assigned to this user (here, the tenant admin), their scope, and the option to revoke access permissions (if required).
    • Access Level - The access level of the user; here it is tenant admin.
    • Scope - The scope, which indicates the hierarchy under which the tenant is categorized.
    • Action - Option to revoke access to the tenant.

Adding/Assigning Users

The Root Provider, the Sub-Provider, and the Tenant can add their users from the Provider Admin Management dashboard.

The steps below add a User from the Provider Admin Management dashboard:

  1. Select Add/Assign User in the dashboard to create a user. The Add/Assign User window is displayed.

The Add/Assign User screen has three user creation options to choose from, as shown:

  1. Add Admin to My Domain: This option allows you to add the user with an Admin role (for example, Tenant Admin) to the hierarchy level.
  2. Add User to My Tenants: This option allows you to do these tasks:
    • Add the selected user as a tenant to your tenant list, and/or
    • Add Application Administrators (a role of Tenant Admin) to your domain.
    When you select the option Add User to My Tenants, the corresponding window is displayed.
  3. Add Local User: The Local User provides a fallback mechanism (password authentication method) that enables users to log in to the Root account when no LDAP or GCP authentication server is available.

A few key points to consider while creating a Local User:

  • The local user can only be created under the Root Provider.
  • The local user always has Provider Admin access, and this access can neither be removed nor deleted from the Local User.
  • An existing local user can be added as a Tenant Admin or Tenant User.
  • The local user creation option is only available when the authentication mode is set to GCP or LDAP under Root.
  • The local user has an option to change the password if necessary.
  • The local user has an option to recover the password if forgotten.
  • The local user profile is marked with a * symbol.

Adding a selected user as a Tenant Admin

Perform these steps to add the new user as a tenant admin:

  1. Select Add Admin to My Domain option in the Add/Assign User window.

  2. Provide the Email Address of the user.

  3. Click Save to add this user as a tenant admin.


Adding a selected user as a Tenant

Perform these steps to add the new user as a tenant:

  1. In the Add/Assign User window, select Add User to My Tenants option.

  2. Select the user from the list.

  3. Provide the Email Address of this tenant.

  4. Do not check the option Allow this User to Manage tenant.

  5. Click Save to add this user as a tenant.


Adding a selected user as an Application Admin

Perform these steps to add a new user as an Application Admin:

  1. In the Add/Assign User window, select Add User to My Tenants option.

  2. Select the user from the list.

  3. Provide the Email Address of this tenant.

  4. Check the option Allow this User to Manage tenant.

    This adds the user as an Application Administrator, which is a role at the Tenant Administrator level.

  5. Click Save to add this user as a tenant.


Deleting/Editing a User

The User(s) can either be deleted or edited using the available dashboard options, as shown.

To delete a User, click the TrashBin icon > click Delete when prompted.

To edit a User, click the Pencil icon > edit the fields and click Save.

Example Scenarios

Suppose the Root User is Company ABC, which provides product XYZ as a SaaS offering to its various customers. Here, an ABC customer is someone who has an XYZ account. A tenant is any customer of Company ABC that has its own users (who use XYZ).

In this scenario, the customers are added as tenants. That is, every customer is added as a tenant by the Root User (Company ABC), and is also managed by the Root User. If the tenant wants to manage its own users, it can add one or more users as Tenant Administrators.

Suppose an ABC customer has users who in turn have their own users, and these customers want to manage their users themselves. Then Company ABC (Root User) adds these customers as Sub-Providers. The Customers (Sub-Providers) have permission to add their users as sub-providers and tenants. In this case, the Root User ABC may not be managing the sub-providers and tenants of the Customers’ Sub-Providers/tenants, unless specified by the Customer. Administrators can be added at the tenant level. For example, a tenant can add a Tenant Admin to administer its users.