The multitenancy feature of the Airlock Gateway REST interface provides isolating protection between tenant-users who share the same Gateway system resources and processes.
However, negative side-effects of configuration changes by tenant-users could severely affect system resources and thus the service availability of other tenant-users. For strict isolation, tenant-users must be distributed to dedicated Airlock Gateway instances.
Tenant-users have a limited access to REST resources, see Limited access to REST resources. In addition, we recommend restricting the permitted paths to API endpoints for each tenant-user according to the principle of least privilege.
Example:
If a tenant needs to be able to change the maintenance mode of a back-end only, any other API endpoints e.g. for general mapping changes should not be permitted.
If the REST API is exposed over untrusted networks (e.g. the public Internet), we recommend protecting the interface with Airlock Gateway API security functionality.
Tenant-user settings are not automatically shared within clustered Airlock Gateway instances/deployments. Make sure to distribute the tenancy settings to all Gateway entities within the same cluster.