Skip to main content

Aserto Tenants

The tenant provides the unit of scoping and isolation for the artifacts that are managed by Aserto - connections, policies, directory, and decision logs.

There are two types of tenants:

  • Account (or Personal tenant): when you sign up for Aserto, you get a free account. An Account is a full tenant, with one restriction: you can't invite others to collaborate with you.
  • Organization: a tenant which has at least one owner, who can invite other collaborators. Organizations can have an unlimited number of owners, admins, members, and viewers. This type of tenant is suitable for production workloads that require collaboration.

You can think of an account just like a GitHub account, and an organization just like a GitHub organization.

Tenant ID

Each of Aserto's hosted APIs requires a Tenant ID (expressed as a UUID), and is provided as the value of the Aserto-Tenant-ID header.


Aserto manages the following artifacts for each tenant:

  • Policy Images: binary (OCI) images that are built from policy source files, usually sourced from a git repository.
  • Policy Instances: named instances of a policy image, which can be bound to Topaz instances and transparently distributed when the policy changes. Each policy instance also has a running hosted authorizer associated with it, which can be used to evaluate authorization decisions without having to deploy a local Topaz instance.
  • Directory: the subjects (users, groups) that Aserto has synched from one or more connected identity providers, as well as any custom objects and relationships that are stored centrally and can be transparently distributed to Edge Authorizers.
  • Decision logs: each policy instance include the aggregated decision logs that are gathered from the Topaz instances which are configured for that policy instance.
  • Edge authorizers: a Topaz instance can register with the Aserto Control Plane and become an Edge Authorizer, which means that it automatically receives its policy and directory data from the tenant, and sends its decision logs back to the Control Plane.
  • Connections: connections to external systems such as source code control systems and identity providers.