harbar.net component based software & platform hygiene

Rational Guide to Multi Tenancy with SharePoint 2010, Part Three: Example Scenario and what Multi Tenancy brings to the party

Posted on Monday, June 14, 2010 2:43 AM



This, the third part of the Rational Guide article on multi tenancy, walks through the example scenario which future articles use to show how to build out the multi tenant capabilities of SharePoint Server 2010. I will also highlight the key features in action, providing an overview of what multi tenancy brings to a SharePoint 2010 deployment.

If you haven’t checked out the previous parts, I strongly encourage you to review them. I won’t repeat information and I assume you have read the previous parts, which are:

  1. Feature and Capability Overview
  2. Planning your Deployment
  3. Example Scenario and what Multi Tenancy brings to the party (this article)
  4. Configuring the base Infrastructure
  5. Configuring Partitioned Service Applications
  6. Provisioning Tenants
  7. Testing the Functionality

Example Scenario

In order to provide end to end coverage of all the key aspects of multi tenancy with SharePoint 2010, I’ve constructed an example scenario. This is pretty simple; I’ve designed it to focus only on the multi tenancy features and to avoid extraneous details. Whilst I have attempted to make this scenario as appropriate for real world deployments as possible, please remember that it is a contrived example for the purposes of explaining the capabilities. So if you want to replicate it, do so at your own risk!

All you need to run through the article series is a SharePoint Farm consisting of a single server. My rig for producing this is a single SharePoint Server, a SQL Server, and a Domain Controller. You could do it all on one box, but I prefer to separate them. Of course in the real world we’d have more than one SharePoint box, but this isn’t an article on Farm Topology.

I have a single farm, which I’ve named “Hosting Farm”. Within the farm I am running some base services, and all of the Service Applications that can be partitioned. These services are:

  • Managed Metadata
  • Business Data Connectivity
  • Secure Store
  • Search
  • User Profiles
  • Word Automation

I have a single Proxy Group containing these services and a single Web Application, which will contain all of my tenant (customer) site collections. I have chosen to use Host Named Site Collections for my customers. See part two for the reasoning behind this choice. I have three customers hosted, each of which uses a different set of features. They are:

  • Microsoft (Enterprise Features)
    Microsoft are the big daddy, we all know that. Their users are also more savvy and into cool things like KPIs and so on. They are also the customer that has wads of cash to pay for the enterprise features.
  • Oracle (Standard Features)
    Oracle are a little bit into SharePoint (you know it!). They need ECM, WCM mainly to figure out what to do with all their acquisitions (hint: bin them!). But despite being all OLAP, they ain’t ready for real business intelligence.
  • Apple (Foundation Features)
    Apple make toys. Nice looking toys mind. Apple don’t really do enterprise software. It’s more of an iWork thing you dig? They ain’t ready for proper SharePoint, and they kinda are shy about admitting they use it to track super secret product specs and so on. Of course if they were serious about all those rumour sites, they’d have some IRM or whatever.

Note: It should be obvious, but the above is a lame attempt at humour. I’m not serious about the above statements, this is a fictitious scenario! :)

That’s it! That’s all we need to demonstrate the multi tenancy features of SharePoint Server 2010. This example scenario is shown below:

sample scenario

What does Multi Tenancy bring to the party?

Before we start looking at how to set up all this goodness let’s take a tour through the capabilities offered by the various components of a multi tenant SharePoint 2010 deployment.


People Picker

Once we configure a Site Subscription with the appropriate OU in Active Directory, we can only search for and view the users in that OU hierarchy:

14-06-2010 02-06-11 Microsoft People Picker

14-06-2010 02-06-50 Oracle People Picker

Just to prove the point, here is the Apple people picker searching for “MS” which of course matches the five users in AD, but they are not displayed to the Apple site subscription:

14-06-2010 02-08-46 Apple People Picker

This seems simple, and it is, but it’s very important. Not being able to see other customers’ users is paramount to any multi tenant system. This underlines the importance of designing your AD implementation appropriately.
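The AD design point can be checked before any tenant is provisioned. The following is an added example, not code from the original article or from SharePoint: a small Python model of OU-hierarchy scoping that lists which users each tenant's picker could return and flags tenant OUs that contain one another. The domain, OU layout and user DNs are constructed for illustration.

```python
import re

# Constructed sample data: the domain and OU layout are assumptions, not from the article.
BASE = "OU=Customers,DC=hosting,DC=example"
TENANT_OUS = {
    "Microsoft": "OU=Microsoft," + BASE,
    "Oracle": "OU=Oracle," + BASE,
    "Apple": "OU=Apple," + BASE,
}
DIRECTORY = [
    "CN=MS Alice,OU=Staff,OU=Microsoft," + BASE,
    "CN=MS Bob,ou=microsoft," + BASE.lower(),
    "CN=Larry,OU=Oracle," + BASE,
    "CN=Smith\\, Jo,OU=Apple," + BASE,
]

def parse_dn(dn):
    """Split a DN into lower-cased RDNs, leaving escaped commas (\\,) inside a value."""
    return tuple(p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip())

def in_scope(dn, ou_dn):
    """True when dn lies strictly below ou_dn in the directory tree."""
    obj, ou = parse_dn(dn), parse_dn(ou_dn)
    return bool(ou) and len(obj) > len(ou) and obj[-len(ou):] == ou

def visible_users(tenant, tenant_ous=TENANT_OUS, directory=DIRECTORY):
    """Users a picker scoped to the tenant's OU hierarchy would be able to return."""
    return [dn for dn in directory if in_scope(dn, tenant_ous[tenant])]

def overlapping_tenants(tenant_ous):
    """(outer, inner) pairs where outer's OU equals or contains inner's OU."""
    pairs = []
    for outer, outer_ou in tenant_ous.items():
        for inner, inner_ou in tenant_ous.items():
            if outer == inner:
                continue
            same = parse_dn(outer_ou) == parse_dn(inner_ou)
            if same or in_scope(inner_ou, outer_ou):
                pairs.append((outer, inner))
    return sorted(pairs)

if __name__ == "__main__":
    for name in TENANT_OUS:
        print(name, visible_users(name))
    bad = dict(TENANT_OUS, Reseller=BASE)  # hypothetical tenant rooted at the shared parent OU
    print("overlaps:", overlapping_tenants(bad))
```

An empty result from `overlapping_tenants` means no tenant's OU hierarchy includes another tenant's users; any pair it returns is a layout where the outer tenant's picker would see the inner tenant's accounts.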



Tenant Administration

If we wish we can deploy a Tenant Administration site, which allows our customers to manage their own settings and create site collections.

14-06-2010 01-17-53 Tenant Admin Home Page

14-06-2010 01-18-41 Manage Site Collections

14-06-2010 01-19-11 New Site Collection

By deploying Tenant Admin sites for our customers, we can allow them to manage their own settings and create sites without calling us. All of these actions will be constrained by settings we configure at the Farm level. As it’s just a site collection, tenant administration is fully extensible. There is significant scope for additional functionality in here depending on what you wish to allow tenant admins to do in your deployment.



Feature Packs

Feature Packs allow us to assign certain features to tenants. This is extremely powerful. In this example I map the three customers to the three “SKUs” of SharePoint. We can be much more granular than this, but this is the classic example.

Take a look at the tenant admin site for Microsoft again, this time focusing on the System Settings area:

14-06-2010 01-24-40 Microsoft Tenant Admin

Compare that to the Tenant Admin site for Apple:

14-06-2010 01-26-49 Apple Tenant Admin

Because the Apple Site Subscription has the SharePoint Foundation features mapped using a Feature Pack, they don’t have options for InfoPath, Metadata, User Profiles, and so on. Note that not all features are feature pack aware!! You will see InfoPath options available to both Standard and Enterprise feature packs.

Feature packs are much more useful than just for admin settings though. Check out the Site Collection features of an Apple Member Site:

14-06-2010 01-30-22 Apple Member Site Features

Not much happening in here, let’s add a Web Part to the home page:

14-06-2010 01-31-39 Apple Add Web Part

Compare that to those for the Oracle (Standard) sites:

14-06-2010 01-33-31 Oracle Add Web Part

Here’s the new site collection page for Microsoft (Enterprise):

14-06-2010 01-34-52 Microsoft new Site Collection

And here’s the same page for Oracle (Standard):

14-06-2010 01-36-25 Oracle new Site Collection

Pretty sweet huh? All we’ve done is assigned feature packs to customers, no heavy lifting to control which features are available to different customers in the same farm (they are in the same web application). I know a few large enterprises who are salivating at the prospect.



Managed Metadata (MMS)

Managed Metadata is uber cool. One of the best bits of new stuff in SharePoint 2010. And it works flawlessly in multi tenant deployments. When we deploy Managed Metadata in partition mode, it cannot be managed thru Central Admin. Our combo box of Service Application Proxies will be empty:

14-06-2010 01-41-08 CA Term Store Management

However if we manage the Term Store from any Member Sites we will get effectively a different Term Store for each customer. Microsoft are big on changing the name of a product every few years, so they are using MMS for keeping track of them:

14-06-2010 01-44-14 Microsoft Term Store Management

Oracle on the other hand are not into innovative branding exercises and are busy buying every software company on the planet:

14-06-2010 01-46-51 Oracle Term Store Management

Apple don’t really have a need for Managed Metadata, they are simply a toy company. Of course these term sets are available in member sites as managed metadata columns and so on. It all just works, but the important thing is that Oracle can’t see Microsoft’s terms and vice versa. The data is partitioned, but stored in a single service application and database. Sweet! :)

But wait, there’s more. On a per customer basis we can configure a Content Type Gallery and consume Content Types in member sites:

14-06-2010 01-50-53 Microsoft Content Type Publishing

14-06-2010 01-51-25 Oracle Content Type Publishing

Now that, you have to admit is pretty nice. When we configure MMS as partitioned, our Content Type Hub option in the Service Application Properties disappears, as a “global” value no longer makes sense. We configure the Content Type Gallery on a per tenant basis.



Business Data Connectivity (BCS)

Next up is BCS – we can partition this bad boy. Once again, when we do we can no longer manage it via Central Administration:

14-06-2010 01-55-35 CA BCS Management

But once again, when we manage it from Tenant Admin, we can see the BCS data for that tenant only:

14-06-2010 02-00-47 Microsoft BCS Management

14-06-2010 01-59-54 Oracle BCS Management

14-06-2010 02-02-31 Apple BCS Management

Yup, even Apple uses BCS – they need to keep track of other company names they are about to steal, so they track this in a flat file on a Unix server and use BCS to surface it into SharePoint!

Nice! BCS seamlessly and securely working across multiple customers in the same application.



Secure Store Service (SSS)

BCS is all very well, but most of those nasty legacy systems that underpin your business likely don’t do Windows Authentication, or some snazzy “new” claims based chunk of XML goop. Even if they did support Windows AuthN, how likely is it your internet users are gonna be doing Kerberos? Thought so. That’s where SSO comes in. This can also be partitioned. Once we deploy it we must create an encryption key before Tenant Admins can create applications. We do this as normal in Central Admin, but notice the other buttons are disabled:

14-06-2010 02-15-17 Central Admin SSS Management

Customers can create their own isolated applications from Tenant Administration:

14-06-2010 02-16-49 Microsoft SSS Management

14-06-2010 02-17-12 Oracle SSS Management

See the trend here? Good isn’t it?!



SharePoint Server Search

Search (“regular” SharePoint Server Search, not that FAST fanciness) can also be partitioned. There are no tenant specific settings for Search. We don’t even need to add our host named site collections to the content source manually anymore (SP2010 fixes this automatically).

14-06-2010 02-21-14 Edit Content Source

As long as the web application hosting our host named site collections is in the content source, (it is by default) everything just works.

Here we are in a Microsoft member site searching for “lorem”:

14-06-2010 02-23-07 Microsoft Search Results

The same search in an Oracle member site returns no hits:

14-06-2010 02-23-38 Oracle Search Results

Poor old Apple only have Foundation so they can only search within the current site:

14-06-2010 02-24-11 Apple Search Results

Search results returned are based upon the site subscription, we will never see hits from another customer’s corpus, even though there is a single content source. There is some more search related multi tenant magic, but that will be a topic for a future post.



User Profiles (UPA)

All those cool new “web 2.0” social features in SharePoint 2010 rely on the UPA. UPA can be partitioned and when it is, we see a subset of the capability in Central Administration:

14-06-2010 02-28-57 Central Admin UPA Management

Notice far fewer options, more on that in a bit. We have two tenants displayed – Microsoft and Oracle. We also have an audience automatically created for each customer. From here we can configure things that make sense “globally” to the farm, such as Synchronization Connections and schedules.

The real magic happens in the Tenant Administration:

14-06-2010 02-31-44 Microsoft UPA Management

Notice 7 profiles and we can configure other social related settings here on a per tenant basis.

14-06-2010 02-32-09 Oracle UPA Management

This time with 5 profiles.

This is extremely powerful. Whilst the basic social features are trivial, the User Profile Synchronization configuration allows us to have a single OU for each customer. Similar to Search we only need one Sync Connection which is configured globally, but we can have different property mappings for user profiles for each customer. Indeed we can even choose to do a different direction on a property. Perhaps Microsoft do Sync, whereas Oracle do plain import. We can also configure My Sites for each customer, all within a single Web Application, or if we need to for scale reasons on different ones.

Partitioned UPA is a very, very impressive capability.


Wrap Up

Hopefully this quick tour of the various multi tenancy capabilities in SharePoint Server 2010 has whetted your appetite, it really is a very exciting area. In the next installment I will finally show you the money, and take you through configuring the base infrastructure for multi tenancy on SharePoint 2010. Stay tuned!