Tenant Onboarding Model
Summary
The Tenant onboarding model provides reusable structures for provisioning new Tenants. Department templates define standard department configurations with role mappings, attributes, and external identifiers. Template groups collect multiple department templates into a clonable unit. Property templates define typed metadata schemas for Tenant configuration. Together, these mechanisms reduce provisioning effort and ensure consistency across Tenants.
Why It Exists
Provisioning Tenants manually — creating departments, assigning roles, setting attributes — is repetitive and error-prone when the same organizational pattern applies to many Tenants. Templates capture proven organizational structures and metadata schemas, allowing administrators to provision new Tenants from a known-good baseline in a single operation.
Where It Fits in Keymate
Tenant onboarding builds on the Tenant Model and Organization Hierarchy. Templates define what gets created; the cloning operation instantiates those templates into a real Tenant's department structure. Property templates complement Tenant-level properties by providing the schema definition.
Boundaries
What this concept covers:
- Department templates and their contents (roles, attributes, external identifiers)
- Template groups as collections of department templates
- Property templates for typed Tenant metadata
- Template cloning as a provisioning mechanism
What this concept does not cover:
- User assignment during onboarding — see Membership & Application Assignment
- Identity provider configuration during onboarding — see Tenant Identity & Federation
- Application assignment during onboarding — see Membership & Application Assignment
How It Works
Department Templates
A department template captures a reusable department definition, including:
- Department name and structure — the department's position in a hierarchy (root or child)
- Role mappings — realm-level and client-level roles assigned to the department
- Attributes — key-value metadata for the department
- External identifiers — mappings to external systems
Templates are not live departments — they serve as blueprints. A template has no users, no active sessions, and no authorization decisions until it is cloned into a Tenant.
Template Groups
A template group bundles multiple department templates into a single clonable unit. Template groups are useful when a standard organizational structure involves several departments with interdependent configurations. Cloning a template group creates all included departments within the target Tenant, preserving the hierarchy defined in the templates.
Property Templates
Property templates define typed metadata fields for Tenant configuration. Each property template specifies:
| Field | Description |
|---|---|
| Name | The property identifier |
| Type | String, numeric, date, or boolean |
Once defined, property templates provide a consistent schema across all Tenants. Each Tenant populates the template with its own values.
Template Cloning
The cloning operation takes a template group and a target Tenant, then instantiates all department templates from the group into the Tenant's organizational structure. The cloned departments inherit the role mappings, attributes, and external identifiers defined in the templates. After cloning, the resulting departments are independent — changes to the template do not affect previously cloned departments.
Diagram
Example Scenario
Scenario
A platform administrator creates a template group for a standard enterprise structure and uses it to provision a new Tenant.
Input
- Actor: Platform administrator
- Resource: Template group with three department templates (Engineering, Finance, Operations)
- Action: Clone the template group into a new Tenant
- Context: New Tenant Acme Corp requires the standard enterprise department structure with predefined role mappings
Expected Outcome
- Result: Acme Corp Tenant receives three departments — Engineering, Finance, and Operations — each with the role mappings, attributes, and external identifiers defined in the templates
- Why: Template cloning provisions the entire organizational structure in a single operation, ensuring consistency with other Tenants that used the same template group.
Common Misunderstandings
- "Cloned departments stay linked to their templates." — No. After cloning, departments are independent. Changes to the template do not propagate to previously cloned departments.
- "Templates replace manual department management." — Templates accelerate initial provisioning. Tenant administrators can modify, add, or remove departments after cloning.
- "Property templates enforce values." — Property templates define the schema (name and type). They do not enforce specific values — each Tenant populates properties with its own data.
Template cloning is a one-time operation. After departments are created from a template, they are managed independently. If you update a template, previously cloned departments are not affected.
Design Notes / Best Practices
- Create template groups for each common organizational pattern (e.g., standard enterprise, small business, government agency) to streamline Tenant provisioning.
- Define property templates at the platform level before provisioning Tenants to ensure all Tenants share a consistent metadata schema.
- Use external identifiers in department templates to pre-map departments to entries in external HR or directory systems.
Combine template groups with application assignment to create a complete onboarding workflow: clone departments from a template group, assign applications to the Tenant, and populate property values — all as part of a single provisioning process.
Related Use Cases
- Creating a standard enterprise template group and cloning it for each new Tenant
- Defining property templates for regulatory metadata that all Tenants must populate
- Pre-mapping department templates to external HR system entries via external identifiers