Tenant Overview

RAMP supports multi-tenant deployments where a single installation serves multiple organizations. Each tenant has fully isolated data, authentication providers, and configuration. Tenant Administrators manage the infrastructure that supports these tenants without accessing their content.

What is Multi-Tenancy?

In a multi-tenant RAMP deployment, each tenant represents an independent organization or business unit. Tenants share the same RAMP application and database but are completely isolated from one another:

• Data isolation — templates, instances, systems, and all operational data belong to a single tenant and are invisible to others.
• Authentication isolation — each tenant can configure its own identity providers (LDAP, OIDC, Windows Auth, or RAMP Native).
• Configuration isolation — SMTP settings, date formats, language preferences, and feature toggles are configured per tenant.
• User isolation — users belong to one or more tenants, and their roles and group memberships are scoped to each tenant.

Note

Multi-tenancy must be enabled in the system configuration (MultiTenant.Enabled = true). When disabled, RAMP operates as a single-tenant application.

Tenant Administrator Role

The TenantAdministrator is a special application-level role dedicated to managing tenant infrastructure. This role is completely separate from the regular Administrator role used within a tenant.

What Tenant Administrators can do:

• Create, edit, activate, deactivate, and delete tenants
• Configure authentication providers per tenant
• Configure SMTP email settings per tenant
• Manage users and groups within each tenant
• Assign application roles to users and groups within tenants
• Map external identity provider groups to RAMP roles
• Manage shared users across tenants
• View audit logs for all tenant administration actions

What Tenant Administrators cannot do:

• Access any tenant content (templates, instances, systems)
• Log in through the regular RAMP login page
• Modify template or instance data in any tenant

Caution

TenantAdministrators manage infrastructure only. They have no visibility into operational content within any tenant. This separation is enforced at the authorization level and cannot be overridden.

Accessing Tenant Administration

Tenant Administration uses a separate login page from the regular RAMP application.

1. Navigate to /_tenantadmin/login in your browser.
2. Log in with your TenantAdministrator credentials. Supported authentication methods include:
   • RAMP Internal — username and password
   • OIDC — if an OIDC provider such as Keycloak or Azure AD is configured
   • LDAP — if an LDAP directory is configured
   • Windows Auth — if Windows Integrated Authentication is enabled
3. After successful authentication, you will see the Tenant Admin Dashboard with an overview of all tenants.

Tenant Lifecycle

A tenant goes through the following lifecycle stages:

Creating a Tenant

When you create a new tenant, you define the foundational settings that determine how users access it.

1. Navigate to Tenants and click Create Tenant.
2. Fill in the required fields:
   • Name — a display name for the tenant (e.g., “Acme Corporation”)
   • Slug — a URL-safe identifier used in routing (e.g., “acme”)
   • Domain — an optional domain for domain-based routing (e.g., “acme.ramp.example.com”)
   • Description — an optional description of the tenant
3. Optionally create an initial administrator user for the tenant.
4. Click Create.

Active State

Once created, a tenant is active by default. Active tenants allow users to log in and work with their assigned content. This is the normal operating state.

Deactivating a Tenant

Deactivating a tenant blocks all user logins for that tenant. Existing sessions may continue until they expire, but no new logins will be accepted.

To deactivate a tenant:

1. Navigate to Tenants and click on the tenant.
2. Use the Status toggle or click the Deactivate button.

Deactivation is reversible. You can reactivate a tenant at any time by toggling the status back to active.

Deleting a Tenant

Danger

Deleting a tenant permanently removes all data associated with it: users, groups, templates, instances, systems, and configuration. This action cannot be undone.

1. Navigate to Tenants and click on the tenant.
2. Click Delete.
3. Confirm by typing the tenant name exactly as displayed.
4. Click Confirm Delete.

URL Routing

RAMP supports two routing strategies for multi-tenant deployments:

Slug-Based Routing

Each tenant is identified by its slug in the URL path. For example, if a tenant has the slug acme, its URLs will be prefixed with /acme/.

Domain-Based Routing

When a domain is configured for a tenant, users can access that tenant directly via the domain name. For example, acme.ramp.example.com would route directly to the Acme tenant without needing a slug prefix.

Tip

Domain-based routing requires DNS and reverse proxy configuration outside of RAMP. Ensure your infrastructure routes the configured domains to your RAMP installation.

Default Tenant

In multi-tenant deployments, one tenant can be designated as the default. When users access RAMP without specifying a tenant slug or domain, they are directed to the default tenant’s login page.

Next Steps

Once a tenant is created, you will typically:

1. Configure authentication providers for the tenant.
2. Set authentication behavior such as the default IDP.
3. Configure SMTP for email notifications.
4. Create users and groups within the tenant.
5. Map external IDP groups if using LDAP or OIDC.

Related topics

Auth Providers Configure per-tenant authentication providers including OIDC, LDAP, and Windows Auth

Tenant Settings Manage tenant name, slug, domain, status, and deletion

Users & Groups Create users, organize into groups, and assign roles within a tenant