Tenant Administration
Tenant admins make AI Cloud usable for a team. The job is to keep projects, members, access, service accounts, spend, and recovery paths in a reviewable state.
Admin First-Run Checklist
| Step | Outcome |
|---|---|
| Confirm tenant | Workspace name and default project are visible. |
| Review projects | Project names, owners, and lifecycle state are understandable. |
| Review members | Users have only the roles they need. |
| Review service accounts | Automation identities are scoped, rotatable, and auditable. |
| Review spend and quota | Balance, entitlement, and quota posture are clear before launch. |
| Review security | MFA, SSH keys, API keys, and sessions have an owner and support path. |
Project Lifecycle
Projects are the normal boundary for work, access, and usage attribution.
Recommended project practices:
- Use names that explain the team or workload purpose.
- Keep a clear project owner.
- Review membership before launching sensitive work.
- Archive or remove projects that no longer have an owner.
- Keep billing or cost-center attribution current when it is enabled.
Members And Roles
Use least privilege. Add users to the projects they need and avoid broad roles for temporary work.
| Role posture | Recommended use |
|---|---|
| Viewer or reader | Inspection and handoff without mutation. |
| Member | Normal workload launch and operation. |
| Project admin | Project-level membership and runtime coordination. |
| Tenant admin | Tenant-wide access, support, and governance. |
Service Accounts
Create service accounts for automation, not for interactive user shortcuts.
For each service account, keep:
- owner;
- purpose;
- project scope;
- credential rotation plan;
- last-used review;
- cleanup owner.
Security And Recovery
Tenant admins should know the recovery path for:
- lost MFA device;
- stale or compromised session;
- SSH/API key rotation;
- service-account credential rotation;
- user offboarding;
- workload ownership transfer.
Use Account Security as the user-facing account-protection baseline.
Handoff To Users
Before giving users a tenant for UAT or production work, confirm:
- sign-in works for the intended users;
- at least one project is ready;
- runtime catalog entries are visible;
- quotas and balance are enough for the walkthrough;
- account security path is clear;
- support contact and escalation evidence are known.
Use Billing And Storage to prepare quota, balance, storage, and cleanup guidance before handoff.
Operator Boundary
Tenant admins should not need provider credentials, direct database access, or operator runbooks for normal user administration. Provider setup, node enrollment, deployment, runtime repair, and emergency cleanup belong to the platform operator path.