Multi-Tenant App Access Management


Within the miniOrange multi-tenant portal, applications are configured at the Super Admin (Super Tenant) level and distributed to customer tenants. Access is managed using a combination of user roles, policies, and groups.

User Types in miniOrange

miniOrange defines three key user roles in a multi-tenant architecture:

    1. Super Admin (Super Tenant Admin)
       • Highest-level administrator.
       • Manages applications centrally for all customer tenants.
       • Decides which tenants have access to which applications.
       • Controls global settings such as branding, app configurations, etc.
    2. Customer Admin (Tenant Admin)
       • Administrator for a specific tenant (organization).
       • Manages applications and users within a specific tenant.
       • Receives apps assigned by the Super Admin and can manage access for tenant end-users.
       • Can also add and configure their own applications (specific to their tenant) independent of the Super Admin.
       • Manages user groups, authentication policies, and tenant-level branding or IDP mappings.
    3. End-User
       • A user belonging to a customer tenant (employee of an organization).
       • Accesses applications assigned by their Customer Admin or made available by the Super Admin.
       • Authenticates either with their corporate IDP (Azure AD, Okta, miniOrange, etc.) or with miniOrange credentials.

Example Use Case:

Business Context

Suppose you run a B2B SaaS platform that provides web-based services to multiple organizational customers. Depending on their subscription tier, organizations gain access to different sub-applications within your service ecosystem.

Challenge

Your SaaS platform offers tiered services with complex access requirements:

  • App1 → included with all subscriptions.
  • App2 → available only to Premium Plan customers.

Key Requirements:

  • Enable universal access to App1 for all tenant organizations.
  • Restrict App2 access to Premium tier subscribers only.
  • Maintain seamless authentication through each organization's preferred Identity Provider (IDP).
  • Provide Super Admin with centralized control while empowering Customer Admins with delegated user management.
  • Allow select Customer Admin tenants to manage their own custom applications.

Solution with miniOrange

  • Centralized Configuration: Your Super Admin configures App1 and App2 once at the global platform level, establishing the foundation for multi-tenant access control.

  • Intelligent Distribution:
    • App1 is automatically distributed to all tenant organizations regardless of subscription tier.
    • App2 is selectively assigned only to Premium-tier tenants based on their subscription status.

  • Delegated Management: Your Customer Admins gain granular control within their tenant boundaries:
    • Manage end-user access to Super Admin-provided applications
    • Add tenant-specific applications (HR portals, CRM systems, local applications)
    • Configure role-based permissions for their organizational users

  • Unified User Experience: Your end-users access a consolidated application dashboard displaying:
    • Global applications provided by the Super Admin
    • Tenant-specific applications added by their Customer Admin
    • All accessed through their organization's preferred authentication method

This architecture ensures secure data isolation, maintains tenant-specific access controls, and provides scalable role management across your multi-tenant environment.

Steps to Manage Access for Super Admin

The Super Admin can follow these steps to control application access:

  • Log in to your miniOrange Super Admin account (Super Tenant).
  • Navigate to Apps and edit the configured Application.
  • Go to Login Options, enable the Use Customer's IDP for User option, and click Save.
  • Click Manage Access in the Actions column.
  • In the Access Management interface, click Assign Customer Admin.
  • Select the customers (Customer Admins) who should have access to the application.
  • Save the configuration.

Super Admin Access Control for Customer Admin

Once a customer is granted access to the Super Admin application, the Customer Admin can verify and manage access for their end-users as follows:

  • Log in to the Customer Admin tenant.
  • Navigate to Policies -> App Authentication Policy.
  • Verify that the Super Admin application policy is present.
    • The policy name will be SuperadminApplicationName_superadmin_policy.
    • That is, the suffix _superadmin_policy is appended to the Super Admin application's name.
  • To manage access:
    • Create a Group and assign the end-users who should have access to the Super Admin applications.
    • Edit/Add the Super Admin application policy and assign the group to it.
  • Alternatively, the Customer Admin can check the user dashboard to see whether the Super Admin applications are visible.
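
The two layers described above (Super Admin assignment of an app to a tenant, then the tenant's `<AppName>_superadmin_policy` group) can be modeled and audited offline. The following is an added example, not miniOrange code or its API; the tenant names, plan labels, data layout, and the rule that both layers must allow access are assumptions for illustration.

```python
# Added illustration, not miniOrange code or its API; all data is constructed.
from dataclasses import dataclass, field

POLICY_SUFFIX = "_superadmin_policy"  # naming convention stated on this page

@dataclass
class Tenant:
    name: str
    plan: str                                     # constructed tiers: "basic" / "premium"
    own_apps: set = field(default_factory=set)    # apps added by the Customer Admin
    policies: dict = field(default_factory=dict)  # policy name -> group names
    groups: dict = field(default_factory=dict)    # group name -> user names

# Layer 1 (Super Admin): tenants each global app is assigned to.
ASSIGNMENTS = {"App1": {"acme", "globex"}, "App2": {"globex"}}
REQUIRED_PLAN = {"App2": "premium"}               # tier rule from the use case

def dashboard_apps(tenant, user):
    """Tenant-local apps plus global apps allowed by BOTH layers (assumed rule)."""
    visible = set(tenant.own_apps)
    for app, assigned in ASSIGNMENTS.items():
        if tenant.name not in assigned:           # layer 1 denies
            continue
        allowed_groups = tenant.policies.get(app + POLICY_SUFFIX, set())
        if any(user in tenant.groups.get(g, set()) for g in allowed_groups):
            visible.add(app)                      # layer 2 allows
    return visible

def audit(tenants):
    """Report tier violations and policies left behind for unassigned apps."""
    findings = []
    for t in tenants:
        for app, plan in REQUIRED_PLAN.items():
            if t.name in ASSIGNMENTS.get(app, set()) and t.plan != plan:
                findings.append((t.name, app, "assigned without required plan"))
        for policy in t.policies:
            app = policy[:-len(POLICY_SUFFIX)]
            if policy.endswith(POLICY_SUFFIX) and t.name not in ASSIGNMENTS.get(app, set()):
                findings.append((t.name, app, "policy exists but app not assigned"))
    return findings

# Constructed sample tenants.
ACME = Tenant("acme", "basic", {"HR Portal"},
              {"App1_superadmin_policy": {"staff"}, "App2_superadmin_policy": {"staff"}},
              {"staff": {"alice"}})
GLOBEX = Tenant("globex", "premium", set(),
                {"App1_superadmin_policy": {"everyone"}, "App2_superadmin_policy": {"finance"}},
                {"everyone": {"bob", "carol"}, "finance": {"carol"}})
```

Calling `audit([ACME, GLOBEX])` flags the App2 policy in the constructed basic-tier tenant, while `dashboard_apps(ACME, "alice")` shows that the policy alone does not make App2 visible under the assumed rule.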

End-User Login Flow

End-users under the Customer Admin can log in to the application added by the Super Admin in two ways:

Option 1: App-Initiated Access

  • Start the login from the Super Admin application (SP side).
  • The Domain Mapping page will appear.
  • Enter your Organizational Email or Domain.
  • You will be redirected to the configured Identity Provider (IDP) for authentication.
  • Log in with your IDP credentials.
  • Once authenticated, you will be redirected back to the configured application.

Option 2: Login via User Dashboard

  • Log in to miniOrange using either your External IDP credentials or miniOrange credentials.
  • Locate the Super Admin application on your User Dashboard.
  • Click on the application to access it.