Provisioning a tenant in IBM Open Data for Industries
To provision a tenant, you use the Partition service to create a partition and to manage the tenant, and then you use the Entitlements service to authorize access to the tenant partition for users and services.
Procedure
- Create a tenant identity. In IBM® Open Data for Industries, the tenants are labeled by their partition identity. The Partition service API endpoints manage the partition. Use the following request to create a partition.
    curl --location --request POST '{{odi_cpd_url}}/api/partition/v1/partitions/{{tenant_name}}' \
      --header 'data-partition-id: opendes' \
      --header 'Authorization: {{access_token}}' \
      --header 'Content-Type: application/json' \
      --data-raw '{
        "properties": {
          "name": { "sensitive": false, "value": "{{tenant_name}}" },
          "complianceRuleSet": { "sensitive": false, "value": "shared" },
          "serviceAccount": { "sensitive": false, "value": "{{tenant_name}}@ibm.com" }
        }
      }'
- Provision the tenant groups.
Call the Entitlements service tenant-provisioning endpoint to create all the groups for the newly created tenant. Use the access token of the administrator user.
    curl --location --request POST --url {{odi_cpd_url}}/osdu-entitlements-v2/api/entitlements/v2/tenant-provisioning \
      -H "data-partition-id: {{tenant_name}}" \
      -H "authorization: Bearer {{access_token}}" \
      --data-raw ""
- Provision the default schemas.
IBM Open Data for Industries has a set of community shared schemas.
Follow the OSDU Platform documentation to provision the schemas for the newly created tenant.
- Associate user and service identities.
User and service identities need to be associated with the newly created tenant.
Use the following command for each user or service identity and for each role or group that needs to be associated.
Remember: User and service identities must also have an entry in the Access Control List (ACL) so that the ACL roles can be associated with the user identities.
The request header data-partition-id must have the value of the new tenant name for all the tenant-aware API calls and data management on IBM Open Data for Industries.
    curl --location --request POST '{{odi_cpd_url}}/osdu-entitlements-v2/api/entitlements/v2/groups/{{tenant_aware_group}}/members' \
      --header 'data-partition-id: opendes' \
      --header 'Authorization: Bearer {{access_token}}' \
      --header 'Content-Type: application/json' \
      --data-raw '{ "email": "{{user_email_id}}", "role": "OWNER" }'
The role key in the request accepts two values:
  - OWNER: Provides a user with high-level privileges, including the ability to add other users to the same role or group.
  - MEMBER: Provides a user with least privilege access.
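The following shell functions are an added example, not IBM's code. They apply the member-association request to a list of identities, default each one to MEMBER, refuse any role other than the two documented values, and send the new tenant's name in data-partition-id as the Remember note requires. The variables ODI_URL, TENANT, ACCESS_TOKEN and DRY_RUN and all function names are assumptions.

```shell
# Added example, not IBM's code. ODI_URL, TENANT and ACCESS_TOKEN are assumed
# operator-supplied variables; function names are hypothetical.

# Build the JSON body for one membership. Role defaults to MEMBER (least
# privilege); anything other than OWNER or MEMBER is refused.
member_payload() {
  local email="$1" role="${2:-MEMBER}"
  case "$role" in
    OWNER|MEMBER) ;;
    *) echo "invalid role: $role" >&2; return 2 ;;
  esac
  # Refuse values that could break out of the JSON string.
  case "$email" in
    ''|*'"'*|*'\'*) echo "invalid email: $email" >&2; return 2 ;;
  esac
  printf '{ "email": "%s", "role": "%s" }' "$email" "$role"
}

# Associate one identity with one group. DRY_RUN=1 prints the request
# instead of sending it, so the plan can be reviewed first.
add_member() {
  local group="$1" email="$2" role="${3:-MEMBER}" body url
  body=$(member_payload "$email" "$role") || return 2
  url="${ODI_URL}/osdu-entitlements-v2/api/entitlements/v2/groups/${group}/members"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'POST %s data-partition-id=%s body=%s\n' "$url" "$TENANT" "$body"
    return 0
  fi
  curl --fail --silent --show-error --location --request POST "$url" \
    --header "data-partition-id: ${TENANT}" \
    --header "Authorization: Bearer ${ACCESS_TOKEN}" \
    --header 'Content-Type: application/json' \
    --data-raw "$body"
}

# Read "group email [role]" lines from stdin. Rejected rows are counted and
# reported through the exit status rather than silently skipped.
provision_members() {
  local group email role failed=0
  while read -r group email role || [ -n "$group" ]; do
    case "$group" in ''|'#'*) continue ;; esac
    add_member "$group" "$email" "$role" || failed=$((failed + 1))
  done
  return "$failed"
}
```

Run it once with DRY_RUN=1 to review which identities would receive OWNER before sending any request.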