Nuxeo Platform User Documentation

Nuxeo Multi-Tenant

Updated: March 2, 2017 Page Information Edit on GitHub

Nuxeo Multi-tenant enables to have domains, or tenants, that are independent from each other, with their own users, vocabulary values etc.

It is possible to have several domains on the default Nuxeo Platform without using Nuxeo Multi-tenant, but they all share the same vocabularies definition and users. This means that when users configure the access to a workspace, for instance, and search for users, they can see all the users of the application. Nuxeo Multi-tenant modifies this behavior and enables domains to be completely isolated from each other, including their users and vocabulary values. The tenant structure is the same as the default domain on a default Nuxeo Platform application.

Isolated Items

Once tenant isolation is activated (see below), the following items are isolated and can only be seen from their tenant:

  • Users
  • Groups
  • Vocabularies (I10subjects and I10coverage)
  • Search forms
  • Documents

Global Administrator vs Tenant Administrator

The multi-tenant addon adds the notion of global administrator and tenant administrator to the Nuxeo Platform.

Global administrators are technical administrators in charge of the configuration of the whole application through the Admin tab. The Administrator default user is a global administrator. For instance, they can install updates and new modules to the Platform, restart the server, configure the Platform so it can be accessible from other applications, etc.

Tenant administrators are functional administrators who have access to a "light" version of the Admin tab. They are the powerusers of the tenant. From there, they can create and edit users and group, and modify vocabularies. Their changes are applied to their tenant only, instead of the whole application.

Activating Multi-Tenancy

Multi-tenancy is not automatically available on your Nuxeo Platform after the package has been installed. You need to activate it.

To activate multi-tenancy:

  1. In the Admin tab, click on the Tenant isolation tab.
  2. Click on the Enable button. Tenant isolation status goes to "enabled". You can now create new tenants.

Creating a New Tenant

Only global administrators can create new tenants.

When a global administrator creates a new tenant, he needs to define some elements of local configuration.

To create a new tenant:

  1. On the page "Domains of the default server", click on Create a new domain.
  2. Fill in the creation form.
    • Give the tenant a title and optionally a description.
    • Select the presentation of content lists in the domain.
    • Select which document types should be available or not in the tenant.
    • Select the search forms that should be used in the tenant.
  3. Click on Create.
    The Content tab of the new tenant is displayed.
    The tenant is accessible by administrators only. You now need to define who the tenant administrator(s) is or are.

Defining the Tenant Administrator

Tenant administrators can create new users and manage access to the tenant. They can also edit vocabularies to customize the metadata values.

When the tenant is just created, the global administrator should define at least one tenant administrator, who will then be able to delegate permissions and possibly define other tenant administrators.

It takes two steps to make a user a tenant administrator.

Step 1: Edit the user's properties to associate them with a tenant:

  1. Click on the Admin main tab, and then on the Users & groups tab.
    The members management interface opens on the user directory search form.
  2. Search a user and click on the user's name to open their card.
    The user's card is displayed.
  3. Click on the Edit tab.
  4. In the Tenant ID list, select the domain you want the user to be an administrator of.
  5. Click on the Save button.
    The View tab is displayed with your modifications.
    The user now has access to the tenant. You now need to declare them as an administrator of the tenant.

Step 2: Declare the user as a tenant administrator:

  1. On the domain root, click on the Manage tab.
  2. In the first tab Tenant isolation, type the username, first name or last name of the user you want to be an administrator. The names of the users corresponding to the typed characters are automatically displayed as you type.
  3. Click on the user you want to give permissions to.
  4. Click on Save. The user now has access to the tenant administration and to the Users and groups and Vocabularies tabs of the Admin main tab.
    The user is automatically added in two virtual groups: a powerusers group for functional administration and a tenant administrators group for administration features.

Giving Access to the Tenant

On a default installation of the Nuxeo Platform, permissions are configured so members have read access to the content. This behavior can be modified by changing the permissions.

Users created by the tenant administrators automatically have "Read" access to the tenant. Indeed, they are automatically members of a virtual group that has "Read" right on the tenant. They don't need to be part of the default "members" group, being a member of the tenant is enough to access content.

Tenant administrators can then delegate permissions in the tenant, which will define what the user can do in the tenant.

Defining the Tenant Specific Vocabulary Values

The vocabularies I10subjects and I10coverage are isolated and don't display any value by default once you activated tenant isolation. Tenant administrators should edit the vocabularies to customize the metadata values displayed to the tenant users.

See the Managing Vocabularies page.


6 months ago Solen Guitter Move Adding features section out of JSF UI
6 months ago Manon Lumeau Update User doc with Web UI
6 months ago Solen Guitter LTS 2016 review: ok
7 months ago Solen Guitter Fix related content formatting issues
7 months ago GitHub Update nuxeo-multi-tenant.md
9 months ago Kevin Leturc NXP-19481: Update MarkLogic page to detail how to configure range element indexes
2 years ago Manon Lumeau 27
2 years ago Solen Guitter 26
3 years ago Solen Guitter 25 | Add schema
3 years ago Solen Guitter 24
3 years ago Solen Guitter 23
3 years ago Solen Guitter 22
3 years ago Manon Lumeau 21
3 years ago Manon Lumeau 20
4 years ago Solen Guitter 19
4 years ago Solen Guitter 18 | Removed related topics from TOC and added precision about members group being optional
4 years ago Solen Guitter 16
4 years ago Solen Guitter 17
4 years ago Solen Guitter 15
4 years ago Solen Guitter 14 | Added multi-tenancy activation section
4 years ago Solen Guitter 13
4 years ago Solen Guitter 12
5 years ago Solen Guitter 10
5 years ago Solen Guitter 11 | Migrated to Confluence 4.0
5 years ago Solen Guitter 9
5 years ago Solen Guitter 8
5 years ago Solen Guitter 7 | Added global admin Vs tenant admin section
5 years ago Solen Guitter 6 | Added screenshots
5 years ago Solen Guitter 5 | Added information on access right management in the tenant
5 years ago Solen Guitter 4
5 years ago Solen Guitter 3 | Added related content links
5 years ago Solen Guitter 2
5 years ago Solen Guitter 1
History: Created by Solen Guitter