Access Rules for UserAccounts and Tenants
UserAccounts and Tenants are a particular case where access can’t be strictly
controlled by knowledge of the tenant associated with the current session.
This document summarizes the access rules that apply to UserAccounts and Tenants for the three personas of
the Arda Cloud system: End Users, Tenant Administrators, and System Administrators.
This document limits itself to the scope for MVP2.
Shared Constraints¶
- A UserAccount is only created by a user signing up to Arda Cloud.
- A Tenant is only created by a user signing up to Arda Cloud through HubSpot.
- No persona (End User, Tenant Administrator, System Administrator) can manually create a UserAccount
or a Tenant via Arda Cloud UIs or APIs; creation always happens via the sign-up / onboarding flow described above.
End Users¶
End Users can view all the UserAccounts associated with the current tenant and all the Tenants they are associated with.
End Users can update their UserAccounts.
End Users can leave a Tenant.
End Users cannot create, update, or delete UserAccounts or Tenants.
Tenant Administrators¶
Besides the permissions of the End Users,
Tenant Administrators can leave a tenant unless they are the tenant’s last Tenant Administrator.
Tenant Administrators can change the role associated with any UserAccount in the Tenant they administer, unless this would
leave the Tenant without any Administrator.
Tenant Administrators can suspend/evict other users from a Tenant if they administer it.
Tenant Administrators can invite other users to the current Tenant if they administer it.
Tenant Administrators cannot update System Administrators.
Tenant Administrators can update the Tenants they administer, including changing the associated plan.
System Administrators¶
Besides the permissions of Tenant Administrators,
System Administrators can view all the UserAccounts and all the Tenants.
System Administrators can leave a tenant unless they are the tenant’s last System Administrator.
System Administrators can change the role associated with any UserAccount in any Tenant, unless this would
leave the Tenant without both a Tenant and a System Administrator.