- 08 Nov 2022
- 9 minutes to read
What is multitenancy?
- Updated on 08 Nov 2022
- 9 minutes to read
In previous versions of Totara it was possible to support multitenancy using a combination of organisational hierarchies, audiences, dashboards and custom menus to deliver learning and different user experiences to different tenants. While it was possible to organise users into distinct groups, Totara 14 offers more robust and flexible multitenancy functionality.
Segmenting your site into tenants offers a number of benefits and means that different use cases are now possible. For extended enterprise sites, you can use tenants to deliver learning to users outside of your core organisation. For example, you could create a tenant for users in a partner organisation, allowing them to access learning in a separate environment with dedicated administrators.
To get started with multitenancy you can follow these steps and refer to the respective sections of this page:
- If it isn't already enabled then you first need to enable multitenancy on your site.
- Next, create one or more tenants and configure the tenant settings.
- Customise your tenant themes.
- Add existing users or create new users for each tenant.
- Create a system-level audience of tenant members and participants if required.
You can give each tenant a distinct look and feel using Ventura tenant themes. This allows you to brand your tenants based on sub-organisations, teams, or whichever categories you use.
You can also give each tenant its own unique login page by navigating to Quick-access menu > Tenants > Settings, and turning on the Enable pre-login tenant themes setting.
If you wish for users to access the site via a tenant login page then you'll need to give them the specific URL, which always takes the format yoursitename/login/index.php?tenanttheme=tenantidnumber, where tenantidnumber is the tenant identifier used for the tenant. Once you have enabled pre-login tenant themes then ?tenanttheme=tenantidentifier can be added to any URL to specify that tenant theming should be applied before a user logs in. The current tenant theme will also be retained after the tenant user logs out.
After creating your new tenant you can either associate existing users with the tenant or create new users specifically for the tenant. Below we will look at how to do both of these.
Individual users can be Tenant Members or Tenant Participants. Before adding users it is important to understand the difference between these roles:
- Tenant Members: Users can only be a member of one tenant at a time, and their account is managed by the tenant's Tenant User Managers. If isolation mode is turned off then members will be able to see shared spaces in addition to any tenant content, but if isolation mode is enabled then members will not be able to see any parts of the site outside of their tenant. Their access to the site will be suspended if the tenant is suspended.
- Tenant Participants: Non-members (i.e. system-level users) can be assigned as participants of a tenant. These users are not exclusively associated with a specific tenant, but they require access to the tenant. For example, Trainers or external consultants might participate in a specific tenant's courses, meaning they need to be enrolled on relevant courses, programs and certifications, or added to seminar events.
Site Administrators can use HR import to add or update user information in bulk. When multitenancy is enabled Site Administrators can also add tenant information to the User Source.
This field allows you to specify a tenant ID number for the tenant you want each user to be a member of. Users can only be a member of a single tenant.
If this field is enabled you can specify tenant IDs in the tenantmember field in the Field mappings section.
Users can only be set as members or participants of a tenant, not both.
This field allows you to add a comma-separated list of tenant ID numbers for the tenants you want each user to participate in. Users can participate in multiple tenants if required.
If this field is enabled you can specify all tenant IDs in the tenantparticipant field in the Field mappings section.
Users can only be set as members or participants of a tenant, not both.
When a tenant is created an audience is created containing all tenant users (both members and participants). If additional users are later added to the tenant they will be automatically added to this audience. Users are also automatically removed from the audience if they are no longer a tenant member or participant.
The default audience is created at the category level, not the system level. If you wish to create sub-groups of tenant members, you can create a dynamic audience at the system level using Tenant Member as a rule.
In order to manage the Rules tab for a dynamic audience, the Tenant Domain Manager (or another role you choose) will need to be given the totara/cohort:managerules capability.
One additional feature you may want to enable is Tenant isolation. When isolation is not enabled users will be visible across your tenants, making it easier to share content between tenants. This means that site-wide content is visible regardless of the tenant. However, when isolation mode is enabled the content and users in each tenant are completely separate from other tenants. For example, when isolation is turned on users in one tenant will only see course catalogue items for their tenant.
You can turn isolation mode on by navigating to Quick-access menu > Development > Experimental > Experimental settings, then check the Enable tenant isolation setting.
Tenant isolation is an experimental setting, meaning it has not been widely tested for all use cases. We recommend you use a test server for testing experimental features before enabling them on your production site.
Please note that when tenant isolation is enabled legacy performance management functionality and learning plans will not be available.
By default Tenant User Managers and Domain Managers do not have the required permissions to create new user reports. However, global Site Administrators can create and share reports to use for your tenants.
When creating or editing a report you can choose to limit the content of the report based on tenants. To do this follow these steps:
- Create a new report or edit an existing one.
- Navigate to the Content tab.
- To limit the users included in the report to those in the user's tenant, scroll down to the Enforce user visibility restrictions section and enable the Show records based on user visibility rules setting.
- To limit the content of the report, scroll down to the Enforce sitewide visibility restrictions section and enable the Show records based on audience, course and workspace visibility restrictions setting.
- Configure the other settings as required, then select Save changes.
When this setting is enabled tenant members can only see records for members of their tenant in reports, meaning report data is relevant and report data is not leaked across tenants.
Courses and categories
When you create a new tenant you will also create a new category for that tenant. This is intended to be the location of any courses, programs and certifications created for tenant members.
You can create, edit and manage categories for a tenant in the same way you would at the system level in Totara.
If you want a course to be available to users in all tenants on your site you can add it to a system-level category. If required you could create a specific category for this purpose.
Partially supported features
Although many features are well supported for multitenancy in Totara, some currently have limitations. We are constantly working to improve multitenancy and enable more features.
The following Totara features currently have limited multitenancy support, meaning they will work but some aspects might not, or may be limited in how you can apply them.
There is multitenancy support for audiences, however, some underlying features are currently not enabled.
As a Tenant Domain Manager, you will not be able to see the Enrolled learning tab when managing an audience in your tenant. This is because the Tenant Domain Manager role does not have appropriate permissions (as some of the underlying features are not fully supported by multitenancy), which could result in the leaking of permissions and access. We are working to implement these features in a future version of Totara.
Currently, dashboards are supported with multitenancy but with some limitations. As a Tenant Domain Manager or Tenant User Manager, you cannot edit your tenant dashboard.
At Totara, we are always working to improve our platform and your experience.
Currently, some features across the Totara Talent Experience Platform do not support multitenancy. These features may not interact well with multitenancy instances, or may not allow you to add restrictions as you wish. These features include:
- HR import: Can be used to add users as members (single tenancy) and participants (one or multiple tenancies). HR Import is still a centralised feature meaning it can't be used by tenant roles.
- Badges: Tenant roles can only manage course badges. System badge management is currently limited to system-level roles.
- Messaging: When isolation is off there's no hard restriction on users messaging cross-tenancies. With isolation turned on, tenant members only see users from their own tenancy.
- Job assignment: Job assignments can only be managed by system-level roles.
- Learning plans (requires Totara Learn): Learning plans templates can only be managed by system-level roles.
- Legacy 360 feedback: This feature is outdated and has no multitenancy support
- Goals (requires Totara Perform): Tenant members can use goals with isolation turned on, but cannot view company goal details or the associated goal frameworks. Tenant users can create personal goals for themselves or their team. Goal frameworks can only be managed at the system level.
- Organisations: Organisation frameworks are a system-level feature meaning they can only be managed centrally by system-level roles. There's no way to connect organisations to tenancies.
- Positions: Position frameworks are a system-level feature meaning they can only be managed centrally by system-level roles. There's no way to connect positions to tenancies.
- Login as: Tenant members cannot use login as functionality at the moment. However, site-level roles can use login as functionality with all users in the system.
- Competencies: Competencies can only be managed by system-level roles, and cannot be restricted to specific tenants.
- Seminar resources (assets, rooms, facilitators): Seminar assets, rooms and facilitators can only be managed by system-level roles, and will be available to users setting up seminar activities in all tenants.
- Tags: Tags are created and managed at the system level, and cannot be restricted to individual tenants. Tags can only be managed by system-level roles.
- Authentication methods: Authentication methods can only be enabled, disabled and configured at the site-level, meaning they will be available for all tenants if set up. Authentication methods can only be configured by users with relevant roles at the system level.
- System and plugin settings: Any system or plugin settings will apply to all tenants. These settings can only be configured by users with relevant roles at the system level.
- Quick-access menu: A tenant member assigned as Tenant user manager can see the quick-access menu on the site's top navigation bar. However, this menu is hidden from a tenant participant (i.e. not a member) with the same role. To overcome this limitation, all tenant admin actions are available in the administration block on tenant pages.
- Enable multitenancy
- Add a tenant
- Tenant settings
- Assign the Tenant Domain Manager role
- Assign the Tenant User Manager role
- Create new users in a tenant
- Add existing users to a tenant
- Upload users to a tenant
The Totara Academy has a whole course dedicated to using Multitenancy in Totara. Here you can learn more on how to set up and use tenants, see best practice, and give it a go yourself.
© Copyright 2022 Totara Learning Solutions. All rights reserved.