Skip to main content

Tenant onboarding

Bringing a new tenant onto Atlas means creating an isolated environment: a Keycloak realm, a tenant record, provider credentials, an active ontology schema, and the risk configuration the tenant needs. Because isolation is enforced by RLS, getting the tenant identity right is the foundation everything else rests on.

Onboarding flow

Steps

  1. Keycloak realm & client. Create the tenant's realm and the Atlas client. The realm name and client id correspond to the KEYCLOAK_REALM / KEYCLOAK_CLIENT_ID conventions; see docs/operations/keycloak-client-config.md in the repo for the exact client settings.

  2. Tenant record & slug. Register the tenant (via tenant_router) with a URL slug. The Console resolves the slug to the realm at login (GET /api/tenants/resolve). See Frontend → tenant resolution.

  3. Users & roles. Create users in the realm and map Keycloak groups to Atlas roles (admin, analyst, viewer, workflow_editor) using the AUTH_*_GROUPS mappings. See Authentication.

  4. Credentials. In Studio → Data Providers / Settings, add the tenant's provider API keys (KVK, NorthData) and LLM key. These are stored AES-GCM encrypted and resolved per tenant; without them the provider router returns 424. See Plugins.

  5. Ontology schema. Ensure an ontology version is active for the tenant (Studio → Ontology). The active schema must be compatible with the bundled plugins or boot-time validation will reject it.

  6. Risk configuration. Author or assign risk matrices and dynamic risk categories for the tenant's policy.

  7. Data segments. Define any compliance data segments (Settings → Segments).

  8. Verify. Run a test investigation and confirm: data appears only under this tenant, a report generates, and a second tenant cannot see the new tenant's records (expected 404).

Isolation checklist

The decisive check is cross-tenant isolation: from another tenant, requesting a record that belongs to the new tenant must return 404, proving RLS is in force. If it doesn't, stop and review the tenant context binding before going live.

For the canonical step list and any tenant-specific scripts, see docs/TENANT-ONBOARDING.md in the repository.