This section covers the initial login flow for Tenant Admins and non-admin users, and the RBAC setup within Palette.
A Tenant admin sets their password on first login. The Tenant admin can then add non-admin users. For all users, login can be offered through any of the following options:
- Palette credentials on the login page.
- SSO through an identity provider that supports SAML 2.0, for example:
  - Azure Active Directory
  - Okta
  - Keycloak
  - OneLogin
  - Microsoft ADFS
  - Others
Once users have been added, Palette grants or restricts their access to resources according to the roles assigned by the Tenant admin. This Role-Based Access Control is explained in detail on the RBAC page.
The Tenant admin can grant or restrict access per user and per resource, and the scope can differ from scenario to scenario. A user can have complete access to one project and no access to other projects in which they have no involvement. An intermediate option is read-only access to selected projects. The Roles and Permissions sections of the RBAC page provide more details.
To add a user to a project:
- Sign in as a Tenant admin and go to the Users and Teams section of the Tenant Admin Dashboard.
- Click the user whose access you want to change.
- In the Role editor that opens on the side, find the Project Roles section and click Add Role.
- Select the required project from the dropdown menu and enable the roles as needed.
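The following is an added example, not Palette code or its API: a small model of the project-scoped role bindings described above. It shows the three situations the text mentions (full access to one project, read-only access to another, and no access to a project the user is not involved in) and makes the deny-by-default behaviour explicit. The role names and the permissions each role grants are assumptions chosen for illustration, as are the tenant, project and user names.

```python
"""Illustrative model of project-scoped role bindings.

Added example, not Palette code or its API. The role names and the
permission each role grants are assumptions chosen to reproduce the
three scenarios described above: full access to one project, read-only
access to another, and no access at all (deny by default) to projects
the user is not involved in.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

# Assumed role catalogue (illustrative; not Palette's actual role names).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "project_admin": frozenset({"read", "create", "update", "delete", "manage_users"}),
    "project_editor": frozenset({"read", "create", "update", "delete"}),
    "project_viewer": frozenset({"read"}),
}


@dataclass
class Tenant:
    """One tenant: its projects and the per-(user, project) role bindings."""
    name: str
    projects: Set[str] = field(default_factory=set)
    bindings: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)

    def add_project_role(self, user: str, project: str, role: str) -> None:
        """Counterpart of 'Add Role' in the role editor: bind one role to one project."""
        if project not in self.projects:
            raise ValueError(f"unknown project {project!r}")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.bindings.setdefault((user, project), set()).add(role)

    def permissions(self, user: str, project: str) -> FrozenSet[str]:
        """Union of the permissions of every role bound to the user on this project."""
        perms: Set[str] = set()
        for role in self.bindings.get((user, project), set()):
            perms |= ROLE_PERMISSIONS[role]
        return frozenset(perms)

    def is_allowed(self, user: str, project: str, action: str) -> bool:
        """Deny by default: with no binding on a project, every action is refused."""
        return action in self.permissions(user, project)

    def visible_projects(self, user: str) -> Set[str]:
        """Projects on which the user holds at least read permission."""
        return {
            project
            for (bound_user, project) in self.bindings
            if bound_user == user and self.is_allowed(user, project, "read")
        }


def build_demo_tenant() -> Tenant:
    """Constructed sample data: one user with an admin binding, a viewer binding, and none."""
    tenant = Tenant("acme", projects={"payments", "analytics", "sandbox"})
    tenant.add_project_role("dev@example.com", "payments", "project_admin")
    tenant.add_project_role("dev@example.com", "analytics", "project_viewer")
    # Deliberately no binding on "sandbox": the user has no involvement there.
    return tenant


if __name__ == "__main__":
    tenant = build_demo_tenant()
    for project in sorted(tenant.projects):
        for action in ("read", "delete"):
            allowed = tenant.is_allowed("dev@example.com", project, action)
            print(f"{project:10} {action:7} {allowed}")
```

The point to take from the model is the absence of an "allow everything" fallback: a project with no binding for the user is invisible and every action on it is refused, which is what restricting a user to the projects they are actually involved in means in practice.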
Palette is introducing multi-organization support for its users. With this feature, a single email address ID can be used as the identity across multiple organizations, so users can keep one set of SSO credentials across multiple organizations/tenants.
The key benefits of this feature are:
- A single email address ID can be used across multiple organizations.
- Within an organization, each email ID is unique.
- With password-based authentication, the same password applies across all organizations. A password change made in one organization is applied to the other organizations so that a single password is maintained everywhere.
- Password policies remain independent per organization/tenant; each tenant retains its own password policy.
- With SSO-based authentication, each organization/tenant can be configured with its own identity provider client application. A single SSO setup can therefore span multiple identity providers across multiple tenants/organizations, with each client app mapped to one tenant.
- For self-sign-up, however, the unique email address ID is enforced across tenants to avoid conflicts.
- In the Palette console, users switch between organizations/tenants using the Organization dropdown menu on the login page.
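The following is an added example, not Palette code: a check that reconciles the two points above about password-based authentication, namely that one password is shared across every organization the email belongs to while each tenant keeps its own password policy. The page does not say how Palette resolves a conflict between those policies, so the check takes the conservative reading that a new password must satisfy the policy of every tenant the user is a member of. The policy fields, tenant names, memberships and policies are assumptions constructed for the example.

```python
"""Check a shared password against every tenant's password policy.

Added example, not Palette code. The page states that a password change
made in one organization is applied to all organizations the email
belongs to, and that each tenant keeps its own password policy; it does
not say how a conflict between those policies is resolved. This check
takes the conservative reading: a new password is accepted only if it
satisfies the policy of every tenant the user is a member of. The policy
fields, tenant names and policies below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:,.<>?/")


@dataclass(frozen=True)
class PasswordPolicy:
    """Assumed per-tenant policy shape (illustrative, not Palette's policy model)."""
    min_length: int = 8
    require_upper: bool = False
    require_digit: bool = False
    require_special: bool = False

    def violations(self, password: str) -> List[str]:
        """Reasons the password fails this policy; empty list means it passes."""
        problems: List[str] = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_upper and not any(c.isupper() for c in password):
            problems.append("no uppercase letter")
        if self.require_digit and not any(c.isdigit() for c in password):
            problems.append("no digit")
        if self.require_special and not any(c in SPECIAL_CHARS for c in password):
            problems.append("no special character")
        return problems


# Constructed sample data: one email that is a member of two tenants with
# different policies (assumed names and settings).
DEMO_MEMBERSHIPS: Dict[str, List[str]] = {"dev@example.com": ["acme", "globex"]}
DEMO_POLICIES: Dict[str, PasswordPolicy] = {
    "acme": PasswordPolicy(min_length=8, require_digit=True),
    "globex": PasswordPolicy(
        min_length=12, require_upper=True, require_digit=True, require_special=True
    ),
}


def tenants_for(email: str, memberships: Dict[str, List[str]]) -> List[str]:
    """Tenants the email belongs to; the lookup is case-insensitive on the email."""
    return memberships.get(email.lower(), [])


def password_violations(
    email: str,
    password: str,
    memberships: Dict[str, List[str]],
    policies: Dict[str, PasswordPolicy],
) -> Dict[str, List[str]]:
    """Map each tenant whose policy the new password fails to the reasons it fails."""
    result: Dict[str, List[str]] = {}
    for tenant in tenants_for(email, memberships):
        problems = policies[tenant].violations(password)
        if problems:
            result[tenant] = problems
    return result


def is_password_acceptable(
    email: str,
    password: str,
    memberships: Dict[str, List[str]],
    policies: Dict[str, PasswordPolicy],
) -> bool:
    """True only if the password satisfies every member tenant's policy."""
    return not password_violations(email, password, memberships, policies)


if __name__ == "__main__":
    for candidate in ("Summer2024", "Summer-2024-Xyz!"):
        failing = password_violations("dev@example.com", candidate, DEMO_MEMBERSHIPS, DEMO_POLICIES)
        print(candidate, "->", failing or "accepted by all tenants")
```

Because the password is shared, the effective policy for a user is the strictest combination across their tenants; a change that is valid in the tenant where it is made could otherwise leave the same credential non-compliant elsewhere. Checking every policy up front, and reporting which tenant rejected the candidate, avoids that.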