Multitenancy support for apps

QRadar® V7.4.0 and later includes support for multi-tenanted apps. A number of out of the box apps, such as Pulse, Assistant, and Log source manager, can now be used in a multitenant environment.

App developers are able to mark that their app is tested and works in a multi-tenanted environment. You can support multitenancy in your app in two ways:
  1. The app is tested and works with multitenancy, but it is not multitenancy aware. When a user installs the app, they are presented with the option to create a default instance. Users can select this option if they only want a single instance of the app, or the app does not need to support multitenancy. If a user does not select the Default Instance option, they must create a separate instance for each customer and associate each instance with a security profile to keep all client data separate.
  2. The app is tested and is multitenancy aware. In this case, only one instance of the app is necessary. This type of app is also beneficial if the app is used only by administrators.
Use the following new manifest flags indicate support for multitenancy in an app. By default, these flags are set to false.
Manifest key Description
multitenancy_safe If set to true, this key indicates that your application can work in a multitenant environment. If not set to true, it indicates that only one instance of your app can be created, and any user who is a member of a tenant is not able to see it.
single_instance_only

If this key is set to true, only one instance of this app can be created. Typically, this indicates that this application can either provide multitenancy support itself, or that use of this application is meant only for administrators.

If the multitenacy_safe key is not also set to true, then users who are a member of a tenant cannot see this app. If multitenacy_safe is also set to true, then all users can see the app.

If the multitenancy_safe key is not set to true, then QRadar assumes that it cannot trust the app to run in a multitenant environment. This key indicates that only one instance of the app runs, and that a limited set of users can access it. This setting ensures that users who are in a tenant can't access other tenants' data.

The single_instance_only defines how your app can operate in a multitenant environment.

If the key is not set to true, users can create multiple instances of the app. Set this key to true if the app stores data locally, or if the app uses an API or other means of accessing QRadar that allows access to more than one tenant's data, and the app cannot segregate the data itself. In this case, QRadar allows administrators to create a new instance of this application that is tied to a specific security.
Example: A customer who installs your app has a small number of users that use two different security profiles: Electricity Company and Water Works. When an administrator creates a new instance of your app, they must assign this instance to a security profile, such as Electricity Company. Then, only users with the Electricity Company security profile are able to access this instance of your app.

Associating instances with security profiles instead of tenants gives users more control over which users can access tenant data. A tenant is expected to have one or more security profiles associated with it to define what data different users can see.

Tip: If your app uses an API key to autonomously access QRadar APIs, set up your application to request authentication through its manifest. You can then define the exact access capabilities that are required, and that key is delivered to your app securely as needed. For more information on app authentication, see OAuth app authorization with QRadar.

For more information about managing multitenant apps with the QRadar Assistant app, see Managing multitenanted apps.