Tenant-level administration

Tenants, except the default tenant, have their own user and group accounts that can enable access to the Tenant Management Console and HCP management API. The roles available for these accounts are monitor, system, security, and compliance. Tenant security administrators define tenant-level user and group accounts in the Tenant Management Console.

HCP system-level users with the monitor, administrator, security, or compliance role automatically have access to the Tenant Management Console and HCP management API functions for the default tenant. The default tenant does not have user or group accounts of its own.

A tenant-level user with the administrator role can configure an HCP tenant to allow system-level users to manage it and search its namespaces. This enables system-level users with the monitor, administrator, security, or compliance role to log in to the Tenant Management Console or use the HCP management API for the tenant. System-level users with the monitor or administrator role can also access the Tenant Management Console directly from the System Management Console. For the default tenant, access by system-level users is enabled automatically and cannot be disabled.

Note

If a tenant-level user account has the same username and password as your system-level user account, you cannot use your system-level account to log in to the Tenant Management Console for that tenant. You can, however, access that Console directly from the System Management Console, in which case you are still using your system-level user account.

After accessing the Tenant Management Console or HCP management API for a tenant that is configured to allow system-level users to manage it and search its namespaces, system-level users can perform the activities allowed by the tenant-level roles that correspond to their system-level roles.

An AD user can belong to AD groups for which corresponding HCP group accounts exist at both the system and tenant levels. When such a user accesses the Tenant Management Console, that user has the roles associated with both the applicable system-level group accounts and the applicable tenant-level group accounts.
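For an access review, the role combination described above can be modeled to show which tenant-console roles a user holds and where each one comes from. The following Python is an added example, not HCP code, and it does not call HCP. The group names, the tenant and the role assignments are constructed, and it assumes each system-level role corresponds to the tenant-level role of the same name.

```python
from dataclasses import dataclass, field

# System-level roles that this page says grant Tenant Management Console access.
SYSTEM_CONSOLE_ROLES = {"monitor", "administrator", "security", "compliance"}

@dataclass
class Tenant:
    name: str
    is_default: bool = False
    allows_system_users: bool = False  # set by a tenant-level administrator
    group_roles: dict = field(default_factory=dict)  # tenant group account -> roles

    def system_access_enabled(self) -> bool:
        # For the default tenant this access is automatic and cannot be disabled.
        return self.is_default or self.allows_system_users

def effective_console_roles(ad_groups, system_group_roles, tenant):
    """Map each role an AD user holds on the tenant's console to its sources."""
    sources = {}
    if tenant.system_access_enabled():
        for group in ad_groups:
            granted = system_group_roles.get(group, set()) & SYSTEM_CONSOLE_ROLES
            for role in granted:
                # Assumption: same-name mapping of system-level to tenant-level roles.
                sources.setdefault(role, set()).add(f"system:{group}")
    if not tenant.is_default:  # the default tenant has no group accounts of its own
        for group in ad_groups:
            for role in tenant.group_roles.get(group, set()):
                sources.setdefault(role, set()).add(f"tenant:{group}")
    return {role: sorted(src) for role, src in sources.items()}

def system_only_roles(ad_groups, system_group_roles, tenant):
    """Roles that reach the tenant console only through system-level group accounts."""
    roles = effective_console_roles(ad_groups, system_group_roles, tenant)
    return sorted(r for r, src in roles.items()
                  if all(s.startswith("system:") for s in src))

# Constructed sample data: group names, roles and the tenant are illustrative.
SYSTEM_GROUPS = {"hcp-ops": {"monitor", "administrator"}, "hcp-search": {"search"}}
FINANCE = Tenant("finance", allows_system_users=True,
                 group_roles={"fin-audit": {"compliance"}, "hcp-ops": {"monitor"}})
USER_GROUPS = ["hcp-ops", "fin-audit", "hcp-search"]

if __name__ == "__main__":
    for role, src in sorted(effective_console_roles(USER_GROUPS, SYSTEM_GROUPS, FINANCE).items()):
        print(role, src)
    print("system-only:", system_only_roles(USER_GROUPS, SYSTEM_GROUPS, FINANCE))
```

Roles listed by `system_only_roles` are the ones that disappear from the tenant's console if the tenant stops allowing system-level users to manage it, which makes them the first entries to check when reviewing that setting.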

When logged in to the Search Console for the default tenant, system-level users with the search role can search the namespaces owned by HCP tenants that are configured to allow system-level users to search their namespaces. These system users can also use the metadata query API to query those namespaces.