Multi-Tenancy based on Pantaris Workspaces

Dear Pantaris Creator Team,
our project is in the process of realizing Multi-Tenancy in our Third-Party App based on the Pantaris Workspace- and Organization Management Feature.
The idea is the following:

  • Workspaces are equal to Tenants and they are managed in the Pantaris UI
  • Data isolation in our App is thus based on Workspaces
  • The User performs login in the context of a Workspace by setting the workspaceId (e.g. Input Field or Query Parameter in the URL) before starting the Login Flow
  • If a User belongs to multiple Workspaces, our App needs to be able to find out to which Workspaces the user has access. Then a workspace selection is offered in our frontend.
  • Everytime a new Workspace is created and our Third-Party App is activated, we need to consume the corresponding event
    to create everything necessary for this new Workspace in our Application.
  • Unfortunately just consuming the app-activated events is not sufficient, because it’s not guaranteed that we will receive all events and therefore
    our System may not know all Workspaces. Thus we need to be able to request all Workspaces in which our App was activated.

The Tenant Onboarding Flow would look like this:

Create Workspace in Pantaris UI → Activate our Application in Workspace → Consume app-activated Event in our App → Create relevant resources in our App
→ Send message to Pantaris that everything necessary has been done on our side (question follows below)

We are currently implementing and testing with Pantaris-Latest, because we rely on the IAM Integration and Service Provisioning Feature meant for Third-Party Apps.

Unfortunately I was not able to answer all our questions with the API and Service Documentation.

Therefore we’d be happy to receive your support for the following questions:

  • How is it possible to find out to which Workspaces a user belongs? I tried it with GET /projects, which is deprecated, but it only works with an API Token, not with an OAuth 2.0 token. Furthermore the result is somehow empty. Is it possible to use /projects/_/users/search? Which permissions do I need to access this endpoint and how should the query look? Like this?: “query”: {“user.id”: {“_eq”: “”}}

  • How is it possible to request the Workspaces in which our app was activated? I got the hint to use /application-provision-runs/search, but it only returns the provision-run Ids,
    not the Workspace Ids (query is: “query”: {“application.id”: {“_eq”: “”}}). I also tried to use /project-applications/search, but the result is always empty (data=[])

  • If an App-activated event was consumed and all relevant resources in our App were created, is it intended to send a message back to Pantaris to set the Provisioning Status to “finished” or is it done automatically?

Thank you very much for your help in advance.

Furthermore: How is it possible to get the metadata of a project? We want to display the project name in our frontend. I tried to use GET https://api.pantaris-latest.de/v2/projects/{ids}, but unfortunately I am receiving a 403 Permission denied error. How can I generate an API token with the right permission?

It’s possible to get this information with an OAuth 2.0 token if the human is Owner of this project. Unfortunately not all of our users will get this role, therefore we need an option to call this endpoint without using the Access Token of the end user. Having a technical user per project is also no option, as we would need to manage secrets per project.

In the meantime I figured out that the endpoints /projects and /projects/{id} also work with an OAuth 2.0 token. But they only return data in the context of the project which is included in the JWT. Furthermore GET /projects only returns the project-id of the current project, even though the user belongs to multiple projects. So the question is still open: How is it possible to get the projects a user belongs to? With /projects/{id} it’s possible to get the metadata of a project. But I guess you have to be Owner to access this endpoint? Yes, we could create a technical user for each project and assign the Owner role. But this would require us to manage client secrets for each project, which causes too much effort. I think that we need a general Application-level access to call project-related endpoints. Of course we’re only interested in the projects in which our app was activated.
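The two mechanics the post above relies on, an app-activated event that may be lost or redelivered and a login that is bound to one workspace, can be sketched independently of the platform. The following is an added example, not code from the original post or from Pantaris: the event field names (eventId, workspaceId), the token claim name (workspaceId) and the store layout are assumptions, and the sample events are constructed. It shows why the reconciliation request the post asks for matters (lost event for ws-c), why event handling must be idempotent (redelivered e-1), and that the tenant a request runs in must come from the verified token rather than from the client-supplied workspaceId.

```python
"""Workspace-per-tenant bookkeeping for a third-party app.

Added example, not code from the thread or from Pantaris. Event field
names ("eventId", "workspaceId"), the token claim name ("workspaceId")
and the resource layout are assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class TenantStore:
    tenants: dict = field(default_factory=dict)      # workspace_id -> per-tenant resources
    seen_events: set = field(default_factory=set)    # event ids already consumed

    def provision(self, workspace_id: str) -> bool:
        """Create per-workspace resources exactly once; True if newly created."""
        if workspace_id in self.tenants:
            return False
        self.tenants[workspace_id] = {"schema": f"tenant_{workspace_id}", "ready": True}
        return True

    def handle_app_activated(self, event: dict) -> str:
        """Consume an app-activated event idempotently.

        Returns 'created' (new tenant), 'duplicate' (same event redelivered)
        or 'exists' (different event for an already provisioned workspace).
        """
        event_id = event["eventId"]
        if event_id in self.seen_events:
            return "duplicate"
        self.seen_events.add(event_id)
        return "created" if self.provision(event["workspaceId"]) else "exists"

    def reconcile(self, activated_workspace_ids) -> list:
        """Pull-based safety net for lost events: provision every workspace the
        platform reports as activated that this app has never seen."""
        return [w for w in activated_workspace_ids if self.provision(w)]


def resolve_tenant(verified_claims: dict, requested_workspace_id: str) -> str:
    """Bind a request to a tenant using the workspace claim of an already
    verified token. The workspaceId the client sent only selects the UI
    context; it is untrusted and must match the token, otherwise a user of
    workspace A could read workspace C's data by changing a query parameter."""
    token_workspace = verified_claims.get("workspaceId")
    if token_workspace is None:
        raise PermissionError("token carries no workspace context")
    if requested_workspace_id != token_workspace:
        raise PermissionError("workspace mismatch between request and token")
    return token_workspace


# Constructed sample input for a stand-alone run.
EVENTS = [
    {"eventId": "e-1", "type": "app.activated", "workspaceId": "ws-a"},
    {"eventId": "e-1", "type": "app.activated", "workspaceId": "ws-a"},  # redelivered
    {"eventId": "e-2", "type": "app.activated", "workspaceId": "ws-b"},
]
ACTIVATED_PER_PLATFORM = ["ws-a", "ws-b", "ws-c"]  # the event for ws-c was lost


def demo():
    store = TenantStore()
    outcomes = [store.handle_app_activated(e) for e in EVENTS]
    recovered = store.reconcile(ACTIVATED_PER_PLATFORM)
    tenant = resolve_tenant({"sub": "user-1", "workspaceId": "ws-a"}, "ws-a")
    try:
        resolve_tenant({"sub": "user-1", "workspaceId": "ws-a"}, "ws-c")
        mismatch_rejected = False
    except PermissionError:
        mismatch_rejected = True
    return outcomes, recovered, tenant, mismatch_rejected, sorted(store.tenants)


if __name__ == "__main__":
    print(demo())
```

The dedup set keyed on the event id and the reconciliation pass are what make "consume the event" safe under at-least-once delivery; in a real deployment both would live in the tenant database, not in memory, so that a restart does not lose them.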

Hello,
Sorry for the late reply. I’ll try to find an answer and get back to you asap.

Thanks,
Jan

So I asked around. As far as I understand, you’re correct that the scope is restricted to the current project.
That being said, the focus for v0.15 was to get the general support for IAM done.
There are intentions to expand the scope in the future.

I suggest you create ticket so it gets prioritized.

Sorry that I can’t give you a better answer.

Hi Jan,
thanks for your response. To which questions exactly are you referring? I guess the event-related question is not affected by this, right?

Yes. I’m asking about the event-related question.

  • If an App-activated event was consumed and all relevant resources in our App were created, is it intended to send a message back to Pantaris to set the Provisioning Status to “finished” or is it done automatically?

Only if you activate external service provisioning does it expect a response/acknowledgement.

Hi Jan, we already activated the external service provisioning in our App. How do I send an async response via AMQP to Pantaris to inform that our App is ready to be used? The documentation is only about subscribing to events, not about sending a message to an AMQP queue, or am I missing something?

Regarding the API-related questions:
To be honest, we need to have an option to access the “GET project endpoints” for all projects in which our app was activated now. It is not clear in the documentation which permissions are required, therefore I was wondering if it’s possible to create a custom Pantaris API Token for us with the required permissions?

Hi @jan.guth, I’ve created a service request regarding the Application-Level Access with number 33683jJtfuRYmHgNNnamecsBI. Would be great if we could discuss an intermediate solution (like mentioned above with the custom API Token), so that we’re not blocked.

The answer is submitted via HTTP. Find the callbacks in the event-spec, such as this one, or check the corresponding endpoint.

I hope our support team has already taken care of your ticket; otherwise the ticket system is the right channel to continue it.