Tenant Provisioning

Administrators for the vendor are responsible for onboarding their tenants using the Configuration Broker. When adding a tenant, the vendor admin must provide the unique ID that identifies the tenant within the vendor’s application. This ID will be associated with all of the tenant’s KMS configurations and will usually be the primary ID that identifies the customer in the vendor’s data stores. This ID will be required by all SDK methods in the Tenant Security Client.

Another step in tenant provisioning is inviting an administrator of the tenant to sign up. From the UI, the vendor admin can enter some basic tenant information, and the Configuration Broker will generate and send the tenant administrator an invitation via email. Alternatively, tenants can be created using the Vendor API.

When the tenant admin receives this email, they can simply click on the included link to be directed to the Configuration Broker, where they enter additional information about the tenant and complete their sign-up. Once they are logged into the Configuration Broker, they can enter their configuration information.

Tenant Logging Configurations

Tenant admins are also able to enter a configuration that allows the TSP to send security events to the tenant’s logging and Security Information and Event Management (SIEM) system. The tenant may already be directing logs from their KMS into their SIEM, but enhanced event details and other events are provided when direct logging is configured. In addition to richer audit trails, configuring a logging destination allows the tenant to continue to receive events after enabling key leasing. The information that is gathered includes everything necessary for the TSP’s logging service (Logdriver) to write logs to the tenant’s SIEM. Like the KMS configuration, the logging configuration is encrypted in the browser before it is saved, protecting it from access by IronCore or the vendor.