Skip to main content

Tenant Administration

Tenant admins make AI Cloud usable for a team. The job is to keep projects, members, access, service accounts, spend, and recovery paths in a reviewable state.

Admin First-Run Checklist

StepOutcome
Confirm tenantWorkspace name and default project are visible.
Review projectsProject names, owners, and lifecycle state are understandable.
Review membersUsers have only the roles they need.
Review service accountsAutomation identities are scoped, rotatable, and auditable.
Review spend and quotaBalance, entitlement, and quota posture are clear before launch.
Review securityMFA, SSH keys, API keys, and sessions have an owner and support path.

Project Lifecycle

Projects are the normal boundary for work, access, and usage attribution.

Recommended project practices:

  • Use names that explain the team or workload purpose.
  • Keep a clear project owner.
  • Review membership before launching sensitive work.
  • Archive or remove projects that no longer have an owner.
  • Keep billing or cost-center attribution current when it is enabled.

Members And Roles

Use least privilege. Add users to the projects they need and avoid broad roles for temporary work.

Role postureRecommended use
Viewer or readerInspection and handoff without mutation.
MemberNormal workload launch and operation.
Project adminProject-level membership and runtime coordination.
Tenant adminTenant-wide access, support, and governance.

Service Accounts

Create service accounts for automation, not for interactive user shortcuts.

For each service account, keep:

  • owner;
  • purpose;
  • project scope;
  • credential rotation plan;
  • last-used review;
  • cleanup owner.

Security And Recovery

Tenant admins should know the recovery path for:

  • lost MFA device;
  • stale or compromised session;
  • SSH/API key rotation;
  • service-account credential rotation;
  • user offboarding;
  • workload ownership transfer.

Use Account Security as the user-facing account-protection baseline.

Handoff To Users

Before giving users a tenant for UAT or production work, confirm:

  • sign-in works for the intended users;
  • at least one project is ready;
  • runtime catalog entries are visible;
  • quotas and balance are enough for the walkthrough;
  • account security path is clear;
  • support contact and escalation evidence are known.

Use Billing And Storage to prepare quota, balance, storage, and cleanup guidance before handoff.

Operator Boundary

Tenant admins should not need provider credentials, direct database access, or operator runbooks for normal user administration. Provider setup, node enrollment, deployment, runtime repair, and emergency cleanup belong to the platform operator path.