Tenant Provisioning
Section: MSP Multi-Tenancy | Article 37
Audience: MSP Administrators
Last Updated: 2026-04-07
Overview
Tenant provisioning creates a new, isolated tenant within your RP-PAM MSP deployment. Each provisioned tenant receives its own database, encryption keys, and configuration space. Provisioning can be performed through the web portal or the REST API.
This article covers both methods and explains what happens during the provisioning process.
Prerequisites
- MSP Edition license — Multi-tenancy requires the MSP license. See MSP Overview.
- MSP Admin role — Only users with the `msp-admin` role can provision tenants.
- Database capacity — Each tenant creates a new database. Ensure your database server has sufficient storage and connection capacity.
Required Fields
| Field | Type | Constraints | Description |
|---|---|---|---|
| `shortCode` | string | 3-20 chars, alphanumeric + hyphens, unique | Short identifier used in database names and URLs |
| `displayName` | string | 1-100 chars | Human-readable tenant name |
| `contactEmail` | string | Valid email | Primary contact for the tenant organization |
Optional Fields
| Field | Type | Default | Description |
|---|---|---|---|
| `maxUsers` | integer | Per license tier | Maximum number of users for this tenant |
| `maxResources` | integer | Per license tier | Maximum number of managed resources |
| `modules` | string[] | `[]` | Modules to enable by default (e.g., `["ad", "ssh"]`) |
| `adminEmail` | string | Same as `contactEmail` | Email for the initial tenant admin account |
| `adminDisplayName` | string | `"Tenant Admin"` | Display name for the initial tenant admin |
Provisioning via the Web Portal
- Log in to the RP-PAM portal as an MSP Admin.
- Navigate to MSP > Tenants in the left sidebar.
- Click Provision New Tenant.
- Fill in the required fields:
  - Short Code — e.g., `acme-corp`
  - Display Name — e.g., `Acme Corporation`
  - Contact Email — e.g., `it@acmecorp.com`
- Optionally configure limits and default modules.
- Click Provision.
- The portal displays a progress indicator while provisioning completes (typically 30-60 seconds).
- Once complete, you will see the tenant summary, including the initial admin credentials.
Important: Copy the initial admin credentials immediately. The password is shown only once.
Provisioning via REST API
PowerShell
```powershell
$body = @{
    shortCode        = "acme-corp"
    displayName      = "Acme Corporation"
    contactEmail     = "it@acmecorp.com"
    maxUsers         = 500
    maxResources     = 200
    modules          = @("ad", "ssh")
    adminEmail       = "admin@acmecorp.com"
    adminDisplayName = "Acme Admin"
} | ConvertTo-Json

$response = Invoke-RestMethod `
    -Uri "https://rppam.corp.local:7101/api/v1/msp/tenants" `
    -Method POST `
    -Headers @{ Authorization = "Bearer $mspAdminJwt" } `
    -ContentType "application/json" `
    -Body $body

# Display the result
$response | ConvertTo-Json -Depth 3
```
Example response:
```json
{
  "tenantId": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
  "shortCode": "acme-corp",
  "displayName": "Acme Corporation",
  "status": "active",
  "databaseName": "rppam_tenant_acme_corp",
  "createdUtc": "2026-04-07T14:30:00Z",
  "initialAdmin": {
    "username": "admin@acmecorp.com",
    "temporaryPassword": "xK9#mP2$vL7nQ4wR"
  }
}
```
curl
```bash
curl -s -X POST "https://rppam.corp.local:7101/api/v1/msp/tenants" \
  -H "Authorization: Bearer $MSP_ADMIN_JWT" \
  -H "Content-Type: application/json" \
  -d '{
    "shortCode": "acme-corp",
    "displayName": "Acme Corporation",
    "contactEmail": "it@acmecorp.com",
    "maxUsers": 500,
    "maxResources": 200,
    "modules": ["ad", "ssh"],
    "adminEmail": "admin@acmecorp.com",
    "adminDisplayName": "Acme Admin"
  }' | jq .
```
Important: The `initialAdmin.temporaryPassword` is returned only once in the provisioning response. Store it securely and provide it to the tenant admin through a secure channel.
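One way to keep the one-time password out of terminal scrollback, CI logs and tickets when scripting the call, shown here in Python as an added example (not RP-PAM's own code). The endpoint and field names come from this article; the function names, the `<redacted>` marker and the `.initial-admin` file suffix are assumptions made for illustration.

```python
import json
import os
import re
import urllib.request

SHORT_CODE_RE = re.compile(r"[A-Za-z0-9-]{3,20}")  # constraint from Required Fields


def provision_tenant(base_url, jwt, request_body):
    """POST the provisioning request; return the raw response text."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/msp/tenants",
        data=json.dumps(request_body).encode(),
        headers={"Authorization": f"Bearer {jwt}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=120) as resp:
        return resp.read().decode()


def stash_initial_password(response_text, secret_dir):
    """Move initialAdmin.temporaryPassword out of the response into a 0600 file.

    Returns (redacted_response, secret_path). Only the redacted dict should
    be printed, logged or pasted into a ticket.
    """
    response = json.loads(response_text)
    short_code = response.get("shortCode", "")
    if not SHORT_CODE_RE.fullmatch(short_code):
        raise ValueError("unexpected shortCode; refusing to build a file path from it")
    admin = response.get("initialAdmin") or {}
    password = admin.pop("temporaryPassword", None)
    if not password:
        raise ValueError("no temporaryPassword present; it is returned only once")
    admin["temporaryPassword"] = "<redacted>"
    path = os.path.join(secret_dir, short_code + ".initial-admin")
    # O_EXCL: fail rather than overwrite, or write through a link at, an existing path.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(password)
    return response, path


# Constructed sample: trimmed copy of the example response shown above.
SAMPLE_RESPONSE = json.dumps({
    "tenantId": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
    "shortCode": "acme-corp",
    "status": "active",
    "initialAdmin": {"username": "admin@acmecorp.com",
                     "temporaryPassword": "xK9#mP2$vL7nQ4wR"},
})
```

Pass the output of `provision_tenant` straight to `stash_initial_password`, and delete the secret file once the tenant admin has changed the password at first login.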
What Happens During Provisioning
The provisioning process executes the following steps automatically:
| Step | What Happens | Duration |
|---|---|---|
| 1. Validation | Short code uniqueness check, license capacity check | < 1 second |
| 2. Database creation | New database created on the configured database server | 5-10 seconds |
| 3. Schema migration | All RP-PAM tables created in the new database | 10-20 seconds |
| 4. KEK generation | A new Key Encryption Key is generated and stored (encrypted by MEK) | < 1 second |
| 5. CEK generation | Content Encryption Keys created for vault, credentials, and audit | < 1 second |
| 6. Admin account | Initial tenant admin user created with temporary password | < 1 second |
| 7. Default config | Default modules and settings applied | < 1 second |
| 8. Billing event | `tenant.provisioned` event recorded for billing | < 1 second |
Total provisioning time is typically 30-60 seconds.
Verifying Provisioning
After provisioning, verify the tenant is active and healthy.
List All Tenants
PowerShell:
```powershell
Invoke-RestMethod -Uri "https://rppam.corp.local:7101/api/v1/msp/tenants" `
    -Headers @{ Authorization = "Bearer $mspAdminJwt" }
```
curl:
```bash
curl -s "https://rppam.corp.local:7101/api/v1/msp/tenants" \
  -H "Authorization: Bearer $MSP_ADMIN_JWT" | jq .
```
Check Tenant Health
PowerShell:
```powershell
$tenantId = "f47ac10b-58cc-4372-a567-0e02b2c3d479"
Invoke-RestMethod -Uri "https://rppam.corp.local:7101/api/v1/msp/tenants/$tenantId/health" `
    -Headers @{ Authorization = "Bearer $mspAdminJwt" }
```
curl:
```bash
TENANT_ID="f47ac10b-58cc-4372-a567-0e02b2c3d479"
curl -s "https://rppam.corp.local:7101/api/v1/msp/tenants/$TENANT_ID/health" \
  -H "Authorization: Bearer $MSP_ADMIN_JWT" | jq .
```
Expected response:
```json
{
  "tenantId": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
  "status": "healthy",
  "database": "connected",
  "encryption": "operational",
  "lastCheckedUtc": "2026-04-07T14:31:00Z"
}
```
Test Tenant Admin Login
Have the tenant admin log in with the temporary credentials. They will be prompted to change their password on first login.
Troubleshooting
| Problem | Cause | Solution |
|---|---|---|
| "Short code already exists" | Duplicate short code | Choose a unique short code |
| "License capacity exceeded" | MSP license tenant limit reached | Contact Ravenphyre to upgrade your license |
| Provisioning hangs at database creation | Database server unreachable or out of space | Check database server connectivity and disk space |
| "Insufficient permissions" | API caller does not have `msp-admin` role | Verify the JWT belongs to an MSP admin user |
| Initial admin cannot log in | Password not copied correctly | Deprovision and re-provision, or use the MSP admin API to reset the tenant admin password |
Next Steps
- Tenant Management — Suspend, reinstate, and deprovision tenants
- MSP Overview — Understand the multi-tenancy architecture
- License Activation (Online) — Manage your MSP license
RP-PAM v1.0.0 — Copyright 2026 Ravenphyre. All rights reserved.