MSP Multi-Tenancy Overview¶
Section: MSP Multi-Tenancy | Article 36
Audience: MSP Administrators, System Administrators
Last Updated: 2026-04-07
What Is Multi-Tenancy?¶
Multi-tenancy allows a single RP-PAM installation to serve multiple independent organizations (tenants) from one management plane. This is designed for Managed Service Providers (MSPs) and large enterprises with autonomous business units that need centralized PAM infrastructure with strict data isolation.
Each tenant operates as if they have their own dedicated RP-PAM instance, while the MSP administrator manages the shared infrastructure from a single console.
How Isolation Works¶
RP-PAM enforces isolation at the database, key-management, and request layers, so that no tenant can reach another tenant's data through any one of them.
Database Isolation¶
Each tenant gets its own dedicated database; both supported engines use a separate database per tenant rather than a shared database with per-tenant schemas:
| Engine | Isolation Model | Example |
|---|---|---|
| PostgreSQL | Separate database per tenant | rppam_tenant_acme, rppam_tenant_contoso |
| MSSQL | Separate database per tenant | RPPAM_Tenant_ACME, RPPAM_Tenant_Contoso |
There is no shared data between tenant databases. Queries are routed at the connection level: RP-PAM selects the tenant database from the authenticated context of the request, not from any tenant identifier the client supplies, so a request cannot be pointed at another tenant's database.
Encryption Isolation¶
Each tenant has its own encryption hierarchy. Listed from the root down:
| Key Level | Scope | Purpose |
|---|---|---|
| MEK (Master Encryption Key) | Global (MSP-level) | Protects the KEK store; managed by the MSP |
| KEK (Key Encryption Key) | Per tenant | Wraps all CEKs for that tenant |
| CEK (Content Encryption Key) | Per tenant, per purpose | Encrypts vault entries, credentials, and secrets |
A compromise of one tenant's KEK does not expose any other tenant's data, because no other tenant's CEKs are wrapped under it. The MEK is the one key that is not tenant-scoped: it protects every tenant's KEK, so it is the root of trust for the whole installation, and its custody (which sits with the MSP) should be treated accordingly.
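The hierarchy above, as an added Go example that is not RP-PAM's own code. It assumes AES-256-GCM at every level, the tenant ID and purpose bound as GCM associated data on each wrap, and one vault CEK per tenant; the function names (ProvisionTenant, UnwrapKEK, StoreSecret, ReadSecret) are illustrative. Run it and the two outcomes of the section are visible: a leaked Acme KEK fails to unwrap Contoso's CEK (GCM authentication error), while the MEK holder can unwrap any tenant's KEK and read everything beneath it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Sealed is a nonce plus AES-GCM ciphertext (tag included), the stored form of keys and entries.
type Sealed struct{ Nonce, CT []byte }

// Tenant is what the shared KEK store and the tenant database hold: wrapped keys, never a plaintext KEK or CEK.
type Tenant struct {
	ID         string
	WrappedKEK Sealed            // tenant KEK wrapped under the global MEK
	WrappedCEK Sealed            // vault CEK wrapped under the tenant KEK
	Vault      map[string]Sealed // entry name -> ciphertext under the CEK
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key here is 32 bytes (AES-256)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal binds aad (tenant ID plus purpose) so a blob cannot be moved to another tenant or purpose; open fails on any mismatch.
func seal(key, plaintext, aad []byte) Sealed {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return Sealed{Nonce: nonce, CT: g.Seal(nil, nonce, plaintext, aad)}
}

func open(key []byte, s Sealed, aad []byte) ([]byte, error) {
	return gcm(key).Open(nil, s.Nonce, s.CT, aad)
}

// ProvisionTenant builds one tenant's hierarchy under the MSP's MEK. The plaintext KEK is
// returned only so the example can simulate its leak; a real service zeroises it once wrapped.
func ProvisionTenant(mek []byte, id string) (*Tenant, []byte) {
	kek, cek := randBytes(32), randBytes(32)
	t := &Tenant{ID: id, Vault: map[string]Sealed{}}
	t.WrappedKEK = seal(mek, kek, []byte("kek:"+id))
	t.WrappedCEK = seal(kek, cek, []byte("cek:vault:"+id))
	return t, kek
}

// UnwrapKEK is the MSP-side step: the MEK holder can recover any tenant's KEK.
func UnwrapKEK(mek []byte, t *Tenant) ([]byte, error) {
	return open(mek, t.WrappedKEK, []byte("kek:"+t.ID))
}

// StoreSecret encrypts a vault entry under the tenant's CEK, unwrapped with that tenant's KEK.
func StoreSecret(kek []byte, t *Tenant, name string, secret []byte) error {
	cek, err := open(kek, t.WrappedCEK, []byte("cek:vault:"+t.ID))
	if err != nil {
		return fmt.Errorf("unwrap vault CEK of %s: %w", t.ID, err)
	}
	t.Vault[name] = seal(cek, secret, []byte("entry:"+t.ID+":"+name))
	return nil
}

// ReadSecret decrypts one entry; another tenant's KEK fails at the CEK unwrap before any entry is read.
func ReadSecret(kek []byte, t *Tenant, name string) ([]byte, error) {
	cek, err := open(kek, t.WrappedCEK, []byte("cek:vault:"+t.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap vault CEK of %s: %w", t.ID, err)
	}
	s, ok := t.Vault[name]
	if !ok {
		return nil, fmt.Errorf("tenant %s has no entry %q", t.ID, name)
	}
	return open(cek, s, []byte("entry:"+t.ID+":"+name))
}

func main() {
	mek := randBytes(32)
	acme, kekAcme := ProvisionTenant(mek, "acme")
	contoso, kekContoso := ProvisionTenant(mek, "contoso")
	_ = StoreSecret(kekAcme, acme, "db-admin", []byte("acme-password"))
	_ = StoreSecret(kekContoso, contoso, "db-admin", []byte("contoso-password"))
	_, err := ReadSecret(kekAcme, contoso, "db-admin") // leaked Acme KEK against Contoso
	k, _ := UnwrapKEK(mek, contoso)                    // the MEK holder reaches every tenant
	v, _ := ReadSecret(k, contoso, "db-admin")
	fmt.Printf("acme KEK -> contoso vault: %v\nMEK -> contoso vault: %q\n", err, v)
}
```

The associated data is what makes the blobs non-transplantable: even a tenant that obtained another tenant's wrapped CEK could not open it under its own KEK, and a wrapped blob copied between purposes or tenants fails authentication rather than decrypting to something.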
Network Isolation¶
- Each tenant's API requests are scoped by tenant context (derived from authentication token).
- Portal sessions are tenant-scoped — a user authenticated to Tenant A cannot see or interact with Tenant B resources.
- Module connections (AD, SSH, database) are configured per-tenant and operate independently.
What MSP Admins Can and Cannot See¶
| Capability | MSP Admin | Tenant Admin |
|---|---|---|
| List all tenants | Yes | No (own tenant only) |
| View tenant health and status | Yes | Own tenant only |
| View tenant users | No | Yes |
| View tenant vault entries | No | Yes (with permissions) |
| View tenant audit logs | Metadata only (event counts, timestamps) | Full detail |
| Manage tenant modules | No (tenant configures their own) | Yes |
| Provision / suspend / deprovision tenants | Yes | No |
| View billing and license usage | Yes | Own tenant only |
| Access break-glass for a tenant | No (tenant break-glass is tenant-scoped) | Yes |
| Manage global infrastructure (HA, updates) | Yes | No |
Key principle: MSP admins manage infrastructure and tenant lifecycle. They cannot see tenant secrets, vault contents, or detailed audit data. This is enforced at the API layer and cannot be overridden. Note that it is an access-control boundary, not a cryptographic one: the MSP still operates the shared service, the hosts and databases behind it, and the MEK that protects every tenant's KEK, so tenants rely on the MSP's operational controls for everything below the API.
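The request scoping described under Network Isolation and the capability split in the table above, as an added Go example that is not RP-PAM code. The role and action names, the Claims fields, and the rppam_tenant_&lt;id&gt; routing are illustrative assumptions. The shape of the check is the point: the role decides whether an action is permitted at all (the table as data), and the tenant carried in the token, never a tenant named by the request, decides which tenant the action may touch; MSP admins have no tenant context and so can act on tenants only as lifecycle objects.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

type Role string

const (
	RoleMSPAdmin    Role = "msp_admin"
	RoleTenantAdmin Role = "tenant_admin"
)

// Claims is the part of the authenticated token the API layer trusts.
type Claims struct {
	Subject string
	Role    Role
	Tenant  string // empty for MSP admins: they have no tenant context at all
}

// Action names mirror the rows of the capability table.
type Action string

const (
	ListTenants     Action = "tenants.list"
	TenantHealth    Action = "tenant.health"
	TenantUsers     Action = "tenant.users"
	VaultEntries    Action = "tenant.vault"
	AuditFull       Action = "tenant.audit.full"
	AuditMetadata   Action = "tenant.audit.metadata"
	TenantModules   Action = "tenant.modules"
	TenantLifecycle Action = "tenant.lifecycle"
	Licensing       Action = "license"
	BreakGlass      Action = "tenant.breakglass"
	Infrastructure  Action = "infra.manage"
)

// policy is the capability table as data: which roles may perform each action at all.
var policy = map[Action]map[Role]bool{
	ListTenants:     {RoleMSPAdmin: true},
	TenantHealth:    {RoleMSPAdmin: true, RoleTenantAdmin: true},
	TenantUsers:     {RoleTenantAdmin: true},
	VaultEntries:    {RoleTenantAdmin: true},
	AuditFull:       {RoleTenantAdmin: true},
	AuditMetadata:   {RoleMSPAdmin: true, RoleTenantAdmin: true},
	TenantModules:   {RoleTenantAdmin: true},
	TenantLifecycle: {RoleMSPAdmin: true},
	Licensing:       {RoleMSPAdmin: true, RoleTenantAdmin: true},
	BreakGlass:      {RoleTenantAdmin: true},
	Infrastructure:  {RoleMSPAdmin: true},
}

var ErrForbidden = errors.New("forbidden")

// Authorize decides whether c may perform a on targetTenant ("" for global actions). The role
// check comes from the table; the tenant check compares the target named by the request with
// the tenant fixed in the token, so a Tenant A session asking for Tenant B's resources is refused.
func Authorize(c Claims, a Action, targetTenant string) error {
	if !policy[a][c.Role] {
		return fmt.Errorf("%w: role %s may not perform %s", ErrForbidden, c.Role, a)
	}
	if c.Role == RoleMSPAdmin {
		return nil // acts on tenants as lifecycle objects, never inside them
	}
	if targetTenant == "" || targetTenant != c.Tenant {
		return fmt.Errorf("%w: token is scoped to tenant %q, request targets %q",
			ErrForbidden, c.Tenant, targetTenant)
	}
	return nil
}

// TenantDatabase is the connection-level routing step: the database name is derived
// from the token's tenant, never from a client-supplied parameter (naming as in the table).
func TenantDatabase(c Claims) (string, error) {
	if c.Tenant == "" {
		return "", fmt.Errorf("%w: no tenant context in token", ErrForbidden)
	}
	return "rppam_tenant_" + strings.ToLower(c.Tenant), nil
}

func main() {
	alice := Claims{Subject: "alice", Role: RoleTenantAdmin, Tenant: "acme"}
	ops := Claims{Subject: "ops", Role: RoleMSPAdmin}
	for _, tc := range []struct {
		who    Claims
		action Action
		target string
	}{
		{alice, VaultEntries, "acme"},
		{alice, VaultEntries, "contoso"},
		{ops, VaultEntries, "acme"},
		{ops, AuditMetadata, "acme"},
		{alice, ListTenants, ""},
	} {
		fmt.Printf("%s %s %q -> %v\n", tc.who.Subject, tc.action, tc.target, Authorize(tc.who, tc.action, tc.target))
	}
}
```

Unknown actions are denied because a missing policy row yields a nil map and a false lookup; that is the safe default for an allow-list. The same token-derived tenant feeds TenantDatabase, which is why the connection routing in the Database Isolation section cannot be influenced by a tenant ID in the URL or body.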
License Requirement¶
Multi-tenancy requires the RP-PAM MSP Edition license. The standard Enterprise license does not include multi-tenancy features.
| Feature | Enterprise License | MSP License |
|---|---|---|
| Single-tenant deployment | Yes | Yes |
| Multi-tenant management | No | Yes |
| Tenant provisioning API | No | Yes |
| Per-tenant billing events | No | Yes |
| Per-tenant database isolation | No | Yes |
| Maximum tenants | 1 | Unlimited (per license tier) |
To check your current license type:
PowerShell:
$response = Invoke-RestMethod -Uri "https://rppam.corp.local:7101/api/v1/admin/license" `
    -Headers @{ Authorization = "Bearer $adminJwt" }
$response.edition
curl:
curl -s "https://rppam.corp.local:7101/api/v1/admin/license" \
    -H "Authorization: Bearer $ADMIN_JWT" | jq -r '.edition'
The edition field is "enterprise" or "msp" (jq -r prints it without the surrounding quotes). If you need to upgrade, contact Ravenphyre Support.
Architecture Diagram¶
        +-----------------------------+
        |    MSP Management Plane     |
        | (Tenant lifecycle, billing) |
        +-----------------------------+
                       |
       +---------------+---------------+
       |               |               |
+-------------+ +-------------+ +-------------+
|  Tenant A   | |  Tenant B   | |  Tenant C   |
|  Database   | |  Database   | |  Database   |
| KEK + CEKs  | | KEK + CEKs  | | KEK + CEKs  |
|   Modules   | |   Modules   | |   Modules   |
|    Users    | |    Users    | |    Users    |
+-------------+ +-------------+ +-------------+
All tenants share the same RP-PAM service process and API endpoint. Isolation is logical, enforced by the authentication and data layers; there is no per-tenant process, host, or network segment. The shared service's tenant-context handling and the MEK are therefore the controls every tenant depends on.
Limitations¶
- Cross-tenant operations are not supported. You cannot create a grant that spans two tenants.
- Tenant users cannot belong to multiple tenants. If a person needs access to two tenants, they need separate accounts in each.
- Module configurations are per-tenant. Each tenant configures their own AD, SSH, and database modules independently.
- Global RP-PAM updates affect all tenants. There is no per-tenant versioning. Patches and upgrades apply to the entire installation.
Next Steps¶
- Tenant Provisioning — Create new tenants
- Tenant Management — List, suspend, reinstate, and deprovision tenants
- License Activation (Online) — Activate or upgrade your license
RP-PAM v1.0.0 — Copyright 2026 Ravenphyre. All rights reserved.