Limiting the number of tenants
A site administrator can restrict the number of tenants that can be created on the site from Site administration > Advanced features > Enable tenant limit. By enabling this setting and configuring the Tenant limit to a specific value, you can prevent the creation of more than the specified number of tenants.

It is also possible to add the following lines to your site configuration to hardcode this configuration:
$CFG->tool_tenant_tenantlimitenabled = true;
$CFG->tool_tenant_tenantlimit = <VALUE>;
Limiting number of users
A site administrator can restrict the number of users per tenant and/or site-wide:
- Site-wide: This sets the maximum number of users that can exist on the entire site
- Per-tenant: This sets the maximum number of users that can exist within any individual tenant
These settings are available under Site administration > Advanced features.

When the site limit is lower than the number of current users on the site, no new users can be created. Similarly, when the number of users reaches the tenant limit, no new users can be created in or moved to the tenant. To hardcode this configuration, you can add the following lines to your site configuration:
// Site limit.
$CFG->userlimitenabled = true;
$CFG->userlimit = <VALUE>;
// Tenant limit.
$CFG->tool_tenant_userlimitenabled = true;
$CFG->tool_tenant_userlimit = <VALUE>;
Multi-tenancy authentication
Moodle Workplace supports different authentication configurations for each tenant. Currently, the following authentication plugins support multi-tenancy:
Authentication plugins are managed by the administrator. Multi-tenancy awareness is indicated via the Multi-tenant label next to each authentication plugin.

There are various places to configure settings for authentication plugins:
- Site-wide common settings: Navigate to Site administration > Plugins > Authentication > Manage authentication. Site-wide common settings apply to all plugins, where applicable. For example, you can set "Allowed email domains". Any common settings that can be overridden at tenant-level can be locked using the Force for all tenants settings. Conversely, this can also indicate which settings are configurable per tenant.

- Site-wide plugin settings: Navigate to Site administration > Plugins > Authentication > Manage authentication > [Plugin] > Settings. Most authentication plugins offer a range of site-wide settings.
- Tenant-specific common settings: Go to Site administration > Users > Organisation > Manage tenants > [Select tenant] > Authentication > Common settings. Here, you can override the site-wide common settings and adjust them for the tenant at hand.
- Tenant-specific plugin settings: Access this via Site administration > Users > Organisation > Manage tenants > [Select tenant] > Authentication > [Plugin] > Settings.
Any plugin enabled at tenant level that can create new accounts will do so in the tenant where it has been configured. Authentication plugins that do not support multi-tenancy will create users in the default tenant. To provide a degree of multi-tenant support for authentication plugins that do not support multi-tenancy, a Dynamic rule must be created to allocate users to different tenants based on specific conditions.
Manual accounts
When configuring manual accounts at the tenant level, you can override the predefined lock values for each data field. When Custom is selected, you must choose between the three locking options Unlocked, Unlocked if empty, and Locked.

Email-based self-registration
When configuring email-based self-registration at the tenant level, you can override the predefined lock values for each data field. When Custom is selected, you have to choose between the three locking options Unlocked, Unlocked if empty, and Locked.
OAuth 2
The standard OAuth 2 plugin has been enhanced with a Tenant availability feature. This can be accessed via Site administration > Server > OAuth 2 Services or directly from the tenant settings in the Authentication tab.

A new icon labelled Tenant availability has been added to the actions list. Once selected, you can choose between the following self-explanatory options:
- This service is available to all tenants (including future ones)
- This service is available only to the following tenants: <select one or many tenants>
- This service is available to all tenants except the following: <select one or many tenants>

SAML
Multi-tenancy support for the third-party SAML authentication plugin has been added to the Moodle Workplace codebase. You will need to install the plugin before configuring the added multi-tenancy options.
You can limit Identity Providers (IdPs) to individual tenants and also configure field locking per tenant. The following multi-tenancy features have been added to the SAML plugin:
- SAML2 appears in the list of available authentication plugins on the tenant page. Individual tenants can enable or disable the plugin and also override field locking.

- Force for all tenant options have been added to the Data mapping section on the SAML2 configuration page (Site administration > Plugins > Authentication > SAML2).
- Identity providers in SAML2 can be limited to individual tenants. To access its selection, go to the SAML2 settings on the Authentication tab of a tenant. Then select Manage available Identity Providers (IdPs) from the SAML2 section and press the Edit tenant availability button, where you can choose between the following self-explanatory options: This service is available to all tenants (including future ones), This service is available only to the following tenants..., and This service is available to all tenants except the following....

Login tenant selector
Moodle Workplace offers a site selector on the login and signup pages to help users select the correct tenant on the authentication page. To enable the site selector, go to Site administration > Plugins > Authentication > Manage authentication and enable the setting Show tenant selector on the login page.

Each tenant's visibility in the selector can be configured in the tenant settings (Show this tenant in the login selector). Once enabled, the site selector is shown at the top of the screen a few seconds after the page loads. When selecting the Change site option, a modal window will open, allowing the user to select an alternative tenant. The display order on the login page can be modified via the Sort order drop-down on the tenant management page.

The authentication buttons on the login page are configured in the OAuth 2 services settings. Depending on the tenant availability selection (This service is available to all tenants (including future ones), This service is available only to the following tenants..., or This service is available to all tenants except the following...), different authentication buttons will be shown for different tenant login pages.
Users can log in using an email address even if their email is not unique across the site, as long as it is unique within the tenant selected on the login screen.
Multi-tenancy domain configuration
In Moodle Workplace, the following tenant domain names (login URLs) are supported:
- https://<DOMAIN>/?tenantid=<TENANTID>
- https://<DOMAIN>/?tenant=<IDNUMBER>
For example, if the internal TENANTID equals 3 and the specified tenant IDNUMBER is set to 'atlantis', the login URLs could be https://workplacedemo.moodle.com/?tenantid=3 and https://workplacedemo-atlantis.moodle.com/?tenant=atlantis
In some setups, it might be required to specify a tenant domain that does not conform to the described standard format. For example, on the demo site, the same tenants can be accessed as https://workplacedemo-kams.moodle.com and https://workplacedemo-atlantis.moodle.com
To facilitate this, the following domain-per-tenant configuration is supported at config.php level:
$CFG->wwwroot = 'https://workplacedemo.moodle.com'; // Main domain used for site registration and also default domain for the tenants.
$CFG->allowmultipledomains = true;
Once you have modified your config.php, navigate to the Manage tenants page. You will now be able to specify a Custom domain for each tenant. Note: Your web server must be properly configured so that each custom domain points to the directory where its Moodle Workplace codebase is located.

The Custom domain will be used to detect the current tenant and apply the appropriate branding for non-authenticated users.
Emails generated in Moodle Core and Moodle Workplace (such as forum post notifications, completion notifications, forgotten password links, and so on) will use this domain for links back to the site. Please note that add-on plugins may not always support the multi-tenant domains feature.
Note: The Workplace team will continue expanding custom domain support to other product features. For example, currently, login is not restricted to the user's tenant domain. In the example above, a user from the 'Kams' tenant can log in from the 'Atlantis' domain and vice versa. Additional work is also underway to allow third-party providers (such as Google, LDAP, H5P, badges, etc.) to function across multiple domains.
Important: If you used the 'experimental' multi-domain feature in Workplace 4.0-4.4, you will need to migrate tenant domain configuration.
Tenant roles
Tenant administrator role
The tenant administrator role is created automatically when Moodle Workplace is installed. This role cannot be removed; however, the main admin can modify its capabilities.
This role is issued automatically to users assigned as tenant administrators in a Multi-tenancy setting. To assign an administrator to a given tenant, click on the "Edit tenant" icon and select the user under "Management > Administrators".
Tenant administrators can browse, add and edit users, and manage theme settings within their own tenant. They can also create and manage programs, certifications, dynamic rules, custom reports, organisation structure and certificates for their tenants and assign respective roles to other users.
Some core capabilities have been included in this role, for example 'moodle/role:assign', 'moodle/site:uploadusers', 'moodle/site:viewuseridentity', 'moodle/badges:awardbadge', 'moodle/badges:viewawarded'. Even though these capabilities are defined by core, their scope has been limited in Moodle Workplace to users of the current tenant. This means, by default, the tenant administrator will not be able to view, select or assign users outside of their tenant. Examples of interfaces that have been modified:
- User selector used when manually enrolling users in a course
- User selector used when assigning roles
- User selector used when issuing badges
Note that most core capabilities, if granted, would allow the tenant administrator to view or assign all users in the system. If a capability is not included in the default "Tenant administrator" role, it is unlikely to be multi-tenant compatible. Bear that in mind when modifying the "Tenant administrator" role.
Tenant user role
This role is created automatically during the installation of Moodle Workplace. It is automatically assigned to all tenant users in the context of the tenant's course category.
This role by default only allows the moodle/category:viewcourselist capability. As mentioned in the Moodle Workplace Installation page, this capability is removed from the Authenticated user and Guest roles. This means that tenant users can only browse courses in the tenant's course category, and cannot browse courses elsewhere.
The site administrator may decide to allow more capabilities to this role, for example the moodle/course:request capability.
Tenant administrator in course category role
The role is created automatically during Moodle Workplace installation and has the archetype "Manager".
Additionally, it has the capability to browse category courses. This capability is automatically granted to users who are marked as "Tenant administrators" in the Tenant management interface in the context of the tenant's course category. If the user's tenant does not have an associated course category, this role is not granted.
Cross-tenant permissions
When assigning system roles, some may be marked as having Cross-tenant permissions. In the example below, two core roles (Manager and Course creator) and one custom role (Tenant designer) are labelled that way.
All Workplace capabilities are tenant-aware, that is, permissions, data visibility, and functionality are applied within the context of a specific tenant.
Additionally, there exists a list of non-Workplace capabilities that are considered "safe tenant-aware capabilities":
'moodle/site:configview'
'moodle/role:assign'
'moodle/site:uploadusers'
'moodle/site:viewuseridentity'
'moodle/site:doclinks'
'moodle/badges:awardbadge'
'moodle/badges:viewawarded'
'moodle/user:viewalldetails'
'moodle/user:viewhiddendetails'
'moodle/reportbuilder:edit'
'moodle/reportbuilder:editall'
'moodle/reportbuilder:viewall'
'moodle/reportbuilder:scheduleviewas'
'moodle/block:edit'
'moodle/my:manageblocks'
'moodle/restore:createuser'
If a role contains any system capability that is set to ALLOW that is neither a Workplace capability nor on the above safe list, then that role is considered to have Cross-tenant permissions. This principle is applied to core roles as well as custom roles.
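The rule above can be applied to exported role definitions to find roles that carry Cross-tenant permissions. This is an added example, not Moodle Workplace's own code. It assumes each role is supplied as a capability-to-permission mapping at system context, and that Workplace capabilities can be recognised by a component prefix (only tool/tenant: is taken from this page).

```python
CAP_ALLOW = 1  # Moodle permission constant (CAP_PREVENT = -1, CAP_PROHIBIT = -1000)

# "Safe tenant-aware capabilities", copied from the list above.
SAFE_TENANT_AWARE = frozenset({
    "moodle/site:configview", "moodle/role:assign",
    "moodle/site:uploadusers", "moodle/site:viewuseridentity",
    "moodle/site:doclinks", "moodle/badges:awardbadge",
    "moodle/badges:viewawarded", "moodle/user:viewalldetails",
    "moodle/user:viewhiddendetails", "moodle/reportbuilder:edit",
    "moodle/reportbuilder:editall", "moodle/reportbuilder:viewall",
    "moodle/reportbuilder:scheduleviewas", "moodle/block:edit",
    "moodle/my:manageblocks", "moodle/restore:createuser",
})

# Assumption: Workplace capabilities are recognised by component prefix.
# Only tool/tenant: is named on this page; extend for your installation.
WORKPLACE_PREFIXES = ("tool/tenant:",)


def cross_tenant_capabilities(system_caps):
    """Return the capabilities that make a role cross-tenant, sorted."""
    return sorted(
        cap for cap, permission in system_caps.items()
        if permission == CAP_ALLOW
        and not cap.startswith(WORKPLACE_PREFIXES)
        and cap not in SAFE_TENANT_AWARE
    )


def audit_roles(roles):
    """Map each cross-tenant role name to its offending capabilities."""
    findings = {}
    for name, caps in roles.items():
        offending = cross_tenant_capabilities(caps)
        if offending:
            findings[name] = offending
    return findings


# Constructed sample: system-context definitions of three hypothetical roles.
SAMPLE_ROLES = {
    "tenantadmin": {"tool/tenant:manageusers": 1, "moodle/role:assign": 1},
    "helpdesk": {"moodle/user:viewalldetails": 1, "moodle/user:delete": 1},
    "auditor": {"moodle/site:config": -1, "moodle/reportbuilder:viewall": 1},
}

if __name__ == "__main__":
    for role, caps in audit_roles(SAMPLE_ROLES).items():
        print(f"{role}: cross-tenant via {', '.join(caps)}")
```

Only ALLOW counts: the constructed auditor role sets moodle/site:config to PREVENT, so it is not flagged, while helpdesk is flagged by a single capability outside both lists.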
Tenant data in URL
The URL resource lets users add web links to content pages. If you want to allow the inclusion of tenant ID and ID numbers in the list of available URL parameter variables, navigate to Site administration > Plugins > Activity modules > URL and select the Tenant data setting.

Capabilities
The following capabilities are available for handling multi-tenancy:
- tool/tenant:allocate: Allocate users to all tenants
- tool/tenant:browseusers: Browse users in the current tenant
- tool/tenant:manage: Manage the addition and editing of tenants
- tool/tenant:managedashboard: Manage dashboard settings for the current tenant
- tool/tenant:managetheme: Manage theme settings for the current tenant
- tool/tenant:managethemeadvanced: Manage advanced theme settings for the current tenant
- tool/tenant:manageusers: Add and edit users for the current tenant
- tool/tenant:overridesettings: Edit tenant settings