Managing Multi-Tenancy in AGILITY
Overview
AGILITY Multi-Tenancy allows multiple teams to work within a single AGILITY deployment while keeping their data fully isolated. Each tenant acts as a dedicated workspace—typically representing a team, project, or organization—ensuring that users only access the analyses and intent-based evaluations relevant to their current context.
This structure enables secure collaboration across teams without data overlap, while preserving a focused and personalized experience for each user.
Key Benefits
Team-specific visibility: Each team works within its own workspace, with dashboards and insights tailored to its data and activities.
Strict data isolation: Analyses, evaluations, and feedback are fully separated between tenants, ensuring no cross-team data exposure.
Scalable collaboration: Multiple teams can operate independently within the same platform without impacting each other’s workflows.
In this page, you will learn:
Core concepts of Multi-Tenancy
This section introduces the key concepts and terminology used in AGILITY Multi-Tenancy. It provides a glossary of the main terms, along with clear definitions, to help you understand how tenants, users, and data are structured and interact within the platform.
Use this section as a reference to familiarize yourself with the foundational concepts before configuring or using Multi-Tenancy features.
Term | Definition |
|---|---|
Tenant | A logical isolation boundary (e.g., a team, project, or organization) |
Default Tenant | The system's built-in tenant with ID |
Keycloak Group | A group in the Keycloak identity provider. Each tenant in AGILITY has a Keycloak Groups Mapping — a list of accepted Keycloak group names. A user gains access to a tenant only if at least one of their Keycloak groups appears in that tenant's mapping. |
Tenant Switching | The ability for users who have access to multiple tenants to change their active tenant from the UI |
Admin | Admin users can manage tenants and automatically have access to all tenants. |
How Tenant Access Works
A user can access a tenant if any of the following conditions are met:
Keycloak group match
The user belongs to at least one Keycloak group (as defined by the JWT groups claim) that is mapped to the tenant. This is the primary access mechanism.Admin user
Admin users automatically have access to all tenants.
There is no separate membership management. Access to a tenant is determined entirely by matching the user’s Keycloak groups with the group mappings configured for each tenant.
How Tenant Context Flows Through the System
When Multi-Tenancy is enabled, the following flow applies:
User authentication
The user logs in via Keycloak. The JWT token includes a groups claim (e.g.,["group-a", "agility-admin"]).Group propagation
AGILITY proxy extracts the group's claim and forwards it to the backend through theX-GroupsHTTP header.Tenant selection
The UI stores the selected tenant ID in a cookie (tenant_id) and in the user’s backend settings.Request handling
For each API request, the UI sends bothX-Tenant-Id(from the cookie) andX-Groups(from the JWT) to the backend.Access validation
The backend validates whether the user has access to the requested tenant based on their groups.If access is denied → 403 Forbidden
If
X-Tenant-Idis missing → 400 Bad Request
Data scoping
Once validated, thetenant_idis used to filter all data queries. Data from the default tenant (tenant-default) is always included alongside the active tenant’s data.
Keycloak Setup: Groups & User Assignment
Before enabling Multi-Tenancy, ensure the following requirements are met:
Keycloak configuration: A Keycloak instance is set up with an AGILITY realm already configured.
Refer to this link to review the AGILITY Keycloak realm configuration.
Admin access
You have administrative access to the Keycloak Administration Console.Groups claim extraction
OAuth2-Proxy is configured to extract the groups claim from JWT tokens. This is included by default in standard AGILITY deployments:oauth2_proxy.cfg→oidc_groups_claim = "groups"Header forwarding
The NGINX reverse proxy is configured to forward theX-Groupsheader to the backend on every authenticated request.
Creating Tenant Groups in Keycloak
For each AGILITY tenant, you must create a corresponding Keycloak group. This group will later be mapped to the tenant in AGILITY (see Section: Create a New Tenant -> Keycloak Groups Mapping).
You can use any naming convention, but a common and recommended pattern is:
tenant-{name}(e.g.,tenant-a,tenant-b).
Steps
Log in to the Keycloak Administration Console.
Select the AGILITY realm from the top-left dropdown.
Navigate to Manage → Groups.
Click Create group.
Enter the group name (e.g.,
tenant-a) and click Create.Repeat these steps for each tenant you plan to create in AGILITY.
Admin Access
If certain users need both admin privileges and tenant access:
Assign them to the
agility-admingroupAnd to the relevant
tenant-*group(s)
Admin users automatically have access to all tenants. However, the agility-admin group is still required to grant administrative permissions (e.g., managing settings and configurations).
Assigning Users to Tenant Groups
User-to-tenant mapping can only be completed after a user’s first login. This applies to both standard authentication and SSO. In SSO scenarios, users are not pre-created in the system; they are automatically registered on their first sign-in attempt.
If multi-tenancy is enabled, and the user has not yet been assigned to a tenant, they will be unable to access the system. They will see a prompt indicating that no tenant is available, with instructions to contact an administrator for assignment.
Once the groups are created, you can assign users to the appropriate tenant groups:
Steps
In the Keycloak Administration Console, navigate to Manage → Users.
Search for and select the user you want to assign.
Open the Groups tab.
Click Join Group.
Select the desired tenant group (e.g.,
tenant-a) and click Join.
The user is now a member of that group. On their next login, their JWT token will include the assigned group(s) in the groups claim.
Repeat these steps for all users and tenant groups as needed.
Multi-Tenant Access
A user can belong to multiple tenant groups (e.g., tenant-b and tenant-c). When logging in to AGILITY, they will be prompted to select which tenant they want to work in.
Verifying the Group's Claim in the JWT
After assigning users to groups, verify that the JWT token includes the groups claim:
Steps
Log in to AGILITY as the user.
Inspect the JWT access token (e.g., using browser developer tools → Application → Cookies, or via a tool like http://jwt.io ).
Check that the token payload includes the expected groups, for example:
{
"groups": ["tenant-a", "tenant-b"]
}If the group's claim is missing
Ensure the user is correctly assigned to the required Keycloak groups
Verify that the client scope includes a group's claim mapper
In the standard AGILITY Keycloak configuration, this is already set (oidc_groups_claim = "groups").
Enabling Multi-Tenancy in AGILITY
This action is only available to admin users.
Multi-Tenancy is controlled by a feature flag (MULTI_TENANCY_ENABLED). It must be enabled before any tenant-related features become available.
Steps
Navigate to Settings → Application page.
Click on the Edit button to open the Feature Enablement section.
Locate Multi-Tenancy Feature Enabled (
MULTI_TENANCY_ENABLED).Click the Edit (pencil) icon to unlock the field.
Set the value to True.
Click Save to apply or click Cancel to discard the changes.
Once enabled, Multi-Tenancy features will become available across the platform.
What Happens After Enabling Multi-Tenancy
Once Multi-Tenancy is enabled:
Tenant context is required
The backend requires theX-Tenant-Idheader on all tenant-scoped API requests.If missing → 400 Bad Request
Tenant access is resolved per user
The/v1/tenants/availableendpoint returns the list of tenants the user can access, based on their Keycloak groups.Admin management becomes available
A Tenant Management card is added to the Application Settings page (visible to admin users only).UI updates reflect tenant context
A tenant badge appears in the header bar
A tenant selector dropdown is available in Webhook and Autoloader pipeline creation forms
Tenant selection on login
Users without an active tenant are redirected to a tenant selection page after logging in.
When Multi-Tenancy is Disabled
The backend defaults to a single tenant (
tenant-default) for all requestsNo tenant-related UI elements are displayed
Even if your account is assigned to a valid group, Multi-Tenancy must be enabled in Settings for access to take effect. If it is not enabled, contact your admin to access the AGILITY features available for your group.
Tenant Management (Admin)
Only admin users can create, edit, and delete tenants.
Accessing Tenant Management
Navigate to Settings → Application.
Click the "Tenant Management" card (only visible when multi-tenancy is enabled).
You will see a table listing all existing tenants with columns: ID, Name, Description, and Keycloak Groups.
Creating a New Tenant
On the Tenant Management page, click the + New Tenant button.
Fill in the form:
Field | Description | Prerequisites |
|---|---|---|
Tenant ID (*) | A unique identifier using lowercase letters, numbers, and hyphens (e.g., |
|
Tenant Name (*) | A unique display name for the tenant (e.g., | N/A |
Description (optional) | A short description of the tenant’s purpose. (e.g., | N/A |
Keycloak Groups Mapping (*) | A list of Keycloak group names whose members should have access to this tenant (e.g., |
|
All fields marked with (*) are required and must be completed before saving.
Click "Save & Close” to create a tenant; the list will be automatically updated.
The Keycloak Groups Mapping values must exactly match the group name(s) you created in Keycloak (refer to Creating Tenant Groups on Keycloak). A user gains access to this tenant only if at least one of their Keycloak groups appears in this list.
Editing a Tenant
On the Tenant Management page, click the Edit button next to the tenant.
Update the Tenant Name, Description, or Keycloak Groups Mapping as needed.
The Tenant ID is read-only and cannot be modified after creation.
Click Save & Close to apply the changes.
Deleting a Tenant
On the Tenant Management page, click the Delete button next to the tenant.
A confirmation message will appear:
“Tenant will be deleted, but internal data will remain in the system.”Click Delete to confirm, or Cancel to abort.
The tenant list will be updated accordingly.
Deleting a tenant removes only the tenant record. Associated data (such as analyses and evaluations) remains in the system. Users who had access only through this tenant will be redirected to the tenant selection page on their next login.
The default tenant (tenant-default) cannot be deleted.
Tenant Selection & Switching (All Users)
Tenant Selection on Login
When Multi-Tenancy is enabled, and a user does not have an active tenant selected (no tenant_id cookie or default_tenant in settings), they are automatically redirected to the tenant selection page.
What you see
A modal that allows you to select a tenant based on your available group access
A dropdown displaying all tenants you have access to (based on your Keycloak groups), including each tenant’s name and, when available, a short description
What to do
Select a tenant from the dropdown
You will be automatically redirected to the AGILITY home page with the selected tenant active
Special cases
Single-tenant users
If you have access to only one tenant, it is automatically selected—no selection page is shown.Users with no tenant access
If your Keycloak groups do not match any tenant mapping:Admins see a message with a link to the Settings page to configure tenants
Non-admin users see: “Please contact your administrator to request access.”
Admin users
Admins bypass group checks and can access the Settings page even without a selected tenant, allowing them to create and configure tenants.
Switching Your Active Tenant
Steps
Click your profile icon (top-right corner of the header).
In the dropdown menu, click Tenancy option.
A list of your available tenants will be displayed:
Your current tenant is marked with a green checkmark
Each tenant shows its name and, if available, a description
Click on a different tenant to switch.
What happens next
The page reloads with the newly selected tenant context
A “Switching Tenant…” indicator appears briefly during the transition
The selected tenant is saved to your user settings, and a
tenant_idcookie is updated
Tenant Badge in the Header
When multi-tenancy is active, and you have a selected tenant:
A tenant badge (pill-shaped label) appears in the top navigation bar, showing the current tenant name.
Hovering over it shows a tooltip with the Tenant ID.
The badge is visible only when two or more tenants are available to you.
Tenant-Scoped Features
Once a tenant is selected, all tenant-aware features automatically filter data based on the active tenant. Data from the default tenant (tenant-default) is always included alongside the active tenant’s data.
Analyses
Creating an analysis (file upload)
The analysis is automatically assigned to your active tenant.Listing analyses
You will see analyses for your active tenant, along with those from the default tenant.Analysis details and summaries
All views are scoped to the active tenant, including CubeJS-powered analytics data.
IBD Evaluations
Creating an evaluation
The evaluation and its underlying analysis are assigned to your active tenant.Listing evaluations
The active tenant filters include default tenant data.
Webhooks
When creating or editing a webhook subscription, admins can assign it to a tenant:
Navigate to Settings → Application → Webhook Configuration
Click the + New Endpoint button at the top-right.
If Multi-Tenancy is enabled, a Tenant dropdown will appear
Select a tenant, and the created webhook will only receive events from this tenant
Complete the remaining fields (URL, events, notification type, etc.) and click on Cancel to discard changes, Save & New keeps your updates on the current page and opens a form to create another item, and Save & Close saves your changes and returns to the previous view.
The tenant assignment can also be updated when editing an existing webhook.
Autoloader Pipelines
When creating or editing an autoloader pipeline, admins can assign it to a tenant:
Navigate to Settings → Application → Autoloader Configuration
Click the + New Pipeline button or edit an existing one