POST /tenant-management/api/system/tenants

As of Version: product version 2020 Winter | component version 1.0
Request Method: POST
Response Format: HTTP status code
Required Permission

Available if listed in authorization.accesses in authentication-prod.yml and the specified access condition is matched. In the default configuration, access is granted via the YUUVIS_SYSTEM_INTEGRATOR role.

>> AUTHENTICATION Service
Description

Creates a new tenant with the values for the corresponding parameters specified in JSON format. The required settings for Keycloak and the yuuvis® Momentum core are passed along with custom (= product application) settings.

A Keycloak realm with a name and description is created together with the initial default technical user admin that you can use as a proxy user in your portal for tenant management. The values for name and description are displayed in the Keycloak Admin Console as Realm Name and Display name, as shown in the first screenshot below.
The parameters available for defining Keycloak settings are described in the Tenant Creation Profile article. These parameters determine the settings for each further tenant that will be created. They are optional and the default values lead to the configuration shown below.

In an additional system parameter section, you can specify the following parameters:

  • ips - Boolean value. If true, the tenant is created in the identity provider (only supported for Keycloak).
  • yuuvis - Boolean value. If true, the tenant is added to the application-oauth2.yml configuration file of the core system.

In the yuuvis® Momentum system, a tenant with the same name will be created as well. No further configurations are set up. For additional configurations like tenant schema or extensions of the role set, a custom microservice can be configured in the profile. It will be called after each tenant creation process and add the defined extending configurations.

After creating a new yuuvis® tenant, the newly created admin user can be used to access the system using the core API, yuuvis® architect, or yuuvis® Momentum client as reference implementation.

Meaning of the response status codes:
HTTP Status Code | Meaning
201 CREATED | Successful, the tenant with the specified name has been created.
401 UNAUTHORIZED | The call was unauthorized.

Default Configuration for Tenant Creation


Realm

The HTML Display name shown in the screenshot defines the yuuvis® theme for the design of the Keycloak login page (left-hand side with the branding and the tenant name).

yuuvis®-themed Keycloak login dialog:

Login

These are the set-up Keycloak login parameters. They affect the login dialog as well.

E-mail

These are the default parameters for e-mail invitations that can be sent to new users.

Password Policy

These are the set-up Keycloak Password Policy parameters:

Roles and Initial User

The following yuuvis roles are set per default for each tenant:

  • YUUVIS_DEFAULT (briefly: full access to every object via default role set)
  • YUUVIS_CREATE_OBJECT (briefly: create objects)
  • YUUVIS_MANAGE_SETTINGS (briefly: save result list column and filter configurations as standard)
  • YUUVIS_TENANT_ADMIN (briefly: update schema, role set, maintain users, ... for the tenant)
  • YUUVIS_SYSTEM_INTEGRATOR (briefly: update global schemata and role sets for the system, create tenants)

The admin user is created for each tenant with all the above roles assigned.

Client

These are the Keycloak Client parameters that are set for the internal communication with yuuvis® Momentum AUTHENTICATION Service:

The Root URL displayed in the screenshot has to be specified in the values.yaml file of the management Helm chart: in the apitm section under client, set the rooturl parameter. If the tenant name is handled as a subdomain, a placeholder of the following structure can be set: http://${TENANT_NAME}/exampledomain

Request Example
{
  "name": "string",
  "description": "string",
  "displayNameHTML": "string",
  "adminPassword": "string",
  "adminEmail": "string",
  "enabled": true,
  "emailSettings": {
    "host": "string",
    "from": "string",
    "username": "string",
    "password": "string",
    "fromDisplayName": "string",
    "port": 0,
    "enableAuthentication": true,
    "enableSSL": true,
    "enableStartTLS": true
  },
  "systems": {
    "ips": true,
    "yuuvis": true
  }
}


POST /tenant-management/api/system/tenants HTTP/1.1
{
    "name": "myTenant",
    "description": "production system",
    "adminPassword": "Policy:8characters1Capitalletter1special!",
    "adminEmail": "admin@mydomain.com"
}


name and description are mandatory.

The adminPassword can be set for the default user admin. The admin user has to be used to create any additional users for the tenant using the user management in yuuvis® architect.

If adminEmail is specified and the SMTP e-mail service parameters are set up, an e-mail invitation is sent to this address. Users then have to change the password and edit their profile data.

If no e-mail address is specified, you can use a (secure) communication channel of your choice to inform your admin user about how to log in to yuuvis® architect and manage users.
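The request described above as a small Python client. This is an added example, not part of the yuuvis® documentation or product code: the base URL, the environment variable names and the Bearer-token header are assumptions for illustration; the body fields, the mandatory name and description, the systems flags and the 201/401 meanings are taken from this page.

```python
import json
import os
import urllib.error
import urllib.request

# Assumed deployment values; the real ones come from your installation.
BASE_URL = os.environ.get("YUUVIS_BASE_URL", "https://tenantmgmt.example.invalid")
ENDPOINT = "/tenant-management/api/system/tenants"

# Documented response codes for this call.
STATUS_MEANING = {
    201: "CREATED: the tenant has been created (no response body)",
    401: "UNAUTHORIZED: the call was unauthorized",
}


def build_tenant_request(name, description, admin_password=None, admin_email=None,
                         display_name_html=None, ips=True, yuuvis=True):
    """Build the JSON body. name and description are mandatory; the rest is optional."""
    if not name or not description:
        raise ValueError("name and description are mandatory")
    body = {"name": name, "description": description,
            "systems": {"ips": ips, "yuuvis": yuuvis}}
    if display_name_html is not None:
        body["displayNameHTML"] = display_name_html
    if admin_password is not None:
        body["adminPassword"] = admin_password
    if admin_email is not None:
        body["adminEmail"] = admin_email
    return body


def status_meaning(code):
    """Translate a status code into the meaning documented for this endpoint."""
    return STATUS_MEANING.get(code, "unexpected status %d" % code)


def create_tenant(body, bearer_token, base_url=BASE_URL):
    """POST the body with a token that carries YUUVIS_SYSTEM_INTEGRATOR (assumed Bearer auth)."""
    req = urllib.request.Request(
        base_url + ENDPOINT, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json", "Authorization": "Bearer " + bearer_token})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            code = resp.status
    except urllib.error.HTTPError as err:
        code = err.code
    return code, status_meaning(code)


if __name__ == "__main__":
    # The admin password is read from the environment instead of being written into the script.
    body = build_tenant_request("myTenant", "production system",
                                admin_password=os.environ.get("TENANT_ADMIN_PASSWORD"),
                                admin_email="admin@mydomain.com")
    print(json.dumps(body, indent=2))
```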

Response Example

201 CREATED

no response body