Tenant Management Console

To use the Tenant Management Console, you need either:

• A user account defined in HCP (either locally authenticated or RADIUS authenticated).
• If the tenant is configured to support Windows Active Directory (AD) authentication, an AD user account for a user that belongs to one or more AD groups for which corresponding group accounts are defined in HCP. In this book, such an Active Directory user account is referred to as a recognized AD user account.

The HCP user account or group accounts specify what you have permission to do in the Console. The menu options, pages, and panels you see in the Console depend on your permissions.

If an AD user belongs to multiple AD groups for which HCP group accounts exist, that user has all the permissions associated with all those group accounts.

A Tenant Management Console session begins when you take one of these actions:

• Log into the Console using an HCP user account or recognized AD user account.
• Access a Console page while logged in to Windows with a recognized AD user account. This is called single sign-on. With single sign-on, you don’t need to explicitly log into the Console.

  For single sign-on to work, your web browser must be configured to support it.

A session ends when you log out. During a session, you can perform any actions for which you have permission.

During a session, if you don’t take any action for a certain amount of time, the Console displays the Idle Timeout page. If you explicitly logged in to the session, the Console automatically logs you out and, when you click any tab on the Idle Timeout page, displays the login page. If you started the session by using single sign-on, when you click any tab, the Console displays the requested page. The exact amount of idle time allowed is configurable.

If you’ve granted HCP system-level users administrative access to the tenant, they can access the Tenant Management Console directly from the HCP System Management Console. Doing so does not start a Tenant Management Console session. Rather, it continues the current System Management Console session, and the configured idle time for that Console applies.

HCP includes a RESTful HTTP interface to a subset of its administrative functions. Using this interface, called the management API, you can modify your tenant and create, modify, and delete namespaces, user and group accounts, and content classes for the tenant. Additionally, you can create, modify, and delete retention classes for the tenant's namespaces.

You use the Tenant Management Console to enable the management API at the tenant level. For the API to be available, however, it must also be enabled at the system level.

To use the management API, you need a user account that includes the applicable permissions for the actions you want to take.

If the tenant is configured to support Active Directory authentication, applications can also use recognized AD user accounts to access HCP through the management API. To do this, however, an application must use the SPNEGO protocol or the AD authentication header to negotiate the AD user authentication itself. For more information about SPNEGO, see http://tools.ietf.org/html/rfc4559. To provide credentials using the Active Directory authorization header, you use this format:

Authorization: ADAD-username:AD-password

The URL for the Tenant Management Console has this format:

https://tenant-url-name.hcp-domain-name:8000

ypically, the HCP system uses DNS for system addressing. If this is not the case, you need to provide a mapping of the tenant hostname to an IP address for the HCP system.

You specify hostname mappings in the hosts file on the client. The location of this file depends on the client operating system:

• On Windows, by default: c:\windows\system32\drivers\etc\hosts
• On Unix: /etc/hosts
• On Mac OS® X: /private/etc/host

Each entry in a hosts file maps one or more fully qualified hostnames to a single IP address. For example, if one of the IP addresses for the HCP system is 192.168.210.16, you would add this line to the hosts file on the client to enable access to the Tenant Management Console for the Finance tenant:

192.168.210.16 finance.hcp-ma.example.com

The following considerations apply to hosts file entries:

• Each entry must appear on a separate line.
• Multiple hostnames in a single line must be separated by white space. With some versions of Windows, these must be single spaces.
• Each hostname can map to multiple IP addresses.

You can include comments in a hosts file either on separate lines or following a mapping on the same line. Each comment must start with a number sign (#). Blank lines are ignored.

For the IP addresses for the HCP system, contact your HCP system administrator.

An HCP system has multiple IP addresses. You can map the tenant hostname to more than one of these IP addresses in the hosts file. The way multiple mappings are used depends on the client platform. For information about how your client handles multiple mappings in a hosts file, see your client documentation.

If any of the IP addresses listed in the hosts file are unavailable, timeouts may occur when you use a hosts file to access the Tenant Management Console.