Configuring fine-grained access for confidential apps
As an administrator, you can configure fine-grained tenant or folder permissions for confidential apps by assigning them to folders or tenants in Orchestrator. An external app gets the permissions required to perform particular operations in a folder or tenant through one or more roles.
An app gets the union of all organization and tenant scopes defined for it.
For example, suppose your app has the OR.Machines.Read scope at the organization level, View permissions on Folders in the Finance tenant, and nothing defined for the HR tenant in Orchestrator. Here's an overview of your app's scope and what it can access:

| Tenant | Scope |
|---|---|
| HR | OR.Machines.Read |
| Finance | OR.Machines.Read, OR.Folders.Read |
Organization-level app scopes give access to resources across all tenants and folders in the organization.
Deleting either of these scopes leaves the app with access levels according to the remaining scope.
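The union rule and the effect of deleting a grant, as an added example (not UiPath code and not an Orchestrator API). It is a small Python model with hypothetical function names that uses the HR/Finance values from the example above as constructed input. It computes per-tenant effective scopes, lists the scopes a tenant exposes only through the organization-level grant, and shows what remains after one grant is deleted.

```python
from typing import Dict, Iterable, Optional, Set, Tuple

Grants = Dict[str, Set[str]]  # tenant name -> scopes granted through roles in that tenant


def effective_scopes(org: Set[str], per_tenant: Grants, tenants: Iterable[str]) -> Grants:
    """Union rule: organization-level scopes reach every tenant; tenant scopes add to them."""
    return {t: set(org) | per_tenant.get(t, set()) for t in tenants}


def inherited_only(org: Set[str], per_tenant: Grants, tenants: Iterable[str]) -> Grants:
    """Scopes a tenant exposes only because of the organization-level grant.

    These are the least-privilege review candidates: nothing in the tenant assigns them.
    """
    return {t: extra for t in tenants if (extra := set(org) - per_tenant.get(t, set()))}


def remove_scope(org: Set[str], per_tenant: Grants, scope: str,
                 tenant: Optional[str] = None) -> Tuple[Set[str], Grants]:
    """Return copies with one grant deleted; tenant=None deletes the organization-level grant."""
    new_org = set(org)
    new_pt = {t: set(s) for t, s in per_tenant.items()}
    if tenant is None:
        new_org.discard(scope)
    else:
        new_pt.get(tenant, set()).discard(scope)
    return new_org, new_pt


# Constructed sample mirroring the example above. Mapping "View on Folders" to
# OR.Folders.Read follows the table; nothing is assigned in the HR tenant.
TENANTS = ["HR", "Finance"]
ORG = {"OR.Machines.Read"}
PER_TENANT: Grants = {"Finance": {"OR.Folders.Read"}}

if __name__ == "__main__":
    print("effective:", effective_scopes(ORG, PER_TENANT, TENANTS))
    print("inherited only:", inherited_only(ORG, PER_TENANT, TENANTS))
    org2, pt2 = remove_scope(ORG, PER_TENANT, "OR.Machines.Read")
    print("after deleting the org-level scope:", effective_scopes(org2, pt2, TENANTS))
```

The `inherited_only` output is the part worth reviewing for each app: HR appears there even though nothing was assigned in that tenant.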
You can use groups to simplify external app management, as groups allow you to manage objects with similar needs together.
External apps need to be assigned directly to a specific tenant and folder, instead of using group assignments.
To grant access to a tenant for an external app or a group of external apps, follow these steps in Orchestrator:
To grant access to a folder for an external app or a group of external apps, follow these steps in Orchestrator:
To remove tenant access for an external app or a group of external apps, follow these steps in Orchestrator: