Skip to main content
Version: 3.2.0

Tenants

Tenants in Alert Manager Enterprise provide a way to separate events, knowledge objects and configurations through role based access controls (RBAC).

info

Creating additional tenants needs the Multi-Tenancy Feature pack. See Licensing and Support

A tenant consists of a dedicated Splunk index, a dedicated KV Store Collection, and Roles.

Alert Manager Enterprise creates a default tenant at installation time. This tenant will access the index ame_default and the ame_default_events collection. Additionally, three roles are created: ame.admin, ame.default.power, and ame.default.user.

A user with a Splunk Admin or AME admin role can add additional tenants if a valid multi-tenancy license is available.

For each tenant, three optional roles are available. The naming scheme is ame.<tenant>.admin, ame.<tenant>.power, and ame.<tenant>.user. A user needs one of these roles to access a tenant.

A user with an admin, sc_admin, or ame.admin role can access all tenants. The user can edit all objects in the tenant and assign himself an event. As long as the user is not a member of a dedicated tenant group, the username will not be shown in the user dropdowns.

info

See Role Overview for capabilities required to manage tenants.

Managing Tenants

The following image shows the Tenant management UI:

info

Only a Splunk admin or a user with the role ame.admin can see this page and use its features.

Use the following buttons to manage tenants:

ButtonFunction
Add Tenant
Save Tenant
Delete Tenant

Add a new Tenant

note

This feature requires a valid multi-tenancy license

To create a tenant where alerts can create events within:

  1. Click the Add Tenant button at the bottom of the list.
  2. Enter the tenant's name. This name can be chosen freely and be changed later.
  3. Select which roles should be created for this tenant.
  4. Enter a unique identifier for the tenant. This will be used to map data and permission. No whitespaces, dots, colons, semicolons, or brackets are allowed for the tenant_uid (Unique identifier).
danger

Once created, the Unique Identifier can not be changed!

  1. Specify the index name. Note that changing the index later is not easy and requires commercial support. We recommend using the ame_<uid> format for index naming.
  2. The tenant's HTTP event collector or HEC host is the instance that handles the tenant's index. The default value is localhost.
  3. The port to which the ame-index-entry and ame-audit-record information is sent is by default 8088 on a typical Splunk host.
  4. The HEC token is used to authenticate a connection to the HEC host. Be sure to use the same token on the HEC receiver host.
  5. SSL/TLS and Certificate Verification are recommended for higher security.
  6. For certificate verification, the cacert of the certificate with which the HEC host certificate was signed has to be entered.
  7. To complete the process:
  • As an ame.admin press the create button to create the tenant entry. The procedure will only create the tenant entry and the tenant's event collection. AME will not create an index or roles. A Splunk Administrator can deploy the config file templates.
  • As a Splunk admin or with a role with the admin_all_objects capability, press the initialize button to initialize the tenant and create the roles and the tenant's event collection. Deploy the index config template on your indexers.

The red or green status indicators show if AME can establish a connection to the HEC host and if the specified information is valid. More detailed information about the connection can be found in the Health Check Dashboard.

StatusIndicator
Healthy
Unhealthy
info

In an on-premises environment, where default Splunk certificates are used, the $SPLUNK_HOME/etc/auth/cacert.pem CA certificate can be configured for testing purposes. This is not recommended for production use!

Update and delete a tenant

To update a tenant, revise the information and press the save button. To delete a tenant, press the Delete Tenant button next to the Save Tenant button in the upper right corner of the tenant section.

Show Configuration Templates

The Splunk Configuration Template slider can be used to show Splunk Configuration Templates for the tenant.

Sending a Test Event

To test the Tenant Configuration, a Test Event can be sent by pressing Send Test Event.