As a multi-tenant service offering, the Mosaic Platform gives you the ability to maintain a list of tenants (based on your contract). For each tenant that you own, you are assigned the role of a tenant administrator and gain access to maintain any number of environments within those tenants. In this
tenant refers to a grouping of environments.
To perform any environment administration tasks, you can use the Environment Administration Portal. Using the same portal, you may also add more tenant administrators when needed.
Within each environment you maintain, you can enable the Managed Services you want to use, and disable them when you no longer plan on using those services. The Core Services, however, are mandatory for each environment. They are enabled automatically during environment creation and cannot be disabled.
You can create, maintain, and delete environments in the Environment Administration Portal.
All resources generated within the Mosaic Platform are isolated at the environment level. The diagram below visualizes the relationships of some of the top-level entities to an environment.
For example, the same user with the email address firstname.lastname@example.org may exist in the environment ABC, as well as in the environment XYZ, as we maintain storage isolation per environment. They would never conflict with each other.
The records created by the user email@example.com (e.g. an uploaded image) in the environment ABC are not visible to the same user in environment XYZ.
Once you enable a managed service for an environment, the service starts accepting
requests from that environment (originating from a
User or a
The requests can take multiple forms. They could be HTTP requests if they are, for example, invoking a service's GraphQL endpoint. They could also be RabbitMQ messages posted to an exchange when asynchronous messaging is used to make the requests. However, the URL endpoints of these Managed Services always remain the same (as they are multi-tenant aware services), and you do not receive new URLs for each managed service that is enabled for an environment.
Therefore, each managed service considers the contents of the
to every request to decide if the request should be honored or not. For example, if an access-token with the below JWT is sent to a managed service, the service first checks if the environmentId present in the payload represents an environment where the specific service is enabled.
If this first check is successful, then the already mentioned environment isolation logic kicks in on the persistent storage of the service. The data records belonging to the specific environmentId are isolated and made available to be accessed by the request.
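The two checks described above (is the service enabled for the token's environmentId, then scope storage to that environment) are sketched below as an added example; it is not Mosaic Platform code. The HS256 shared key, the function names, the environment IDs and the sample records are all assumptions constructed so the example runs offline.

```python
import base64, hashlib, hmac, json

# Constructed demo data; all names and the HS256 shared key are assumptions.
SIGNING_KEY = b"constructed-demo-key"
ENABLED_ENVIRONMENTS = {"env-abc"}  # environments where this service is enabled
RECORDS = [  # one shared store, every row tagged with its environment
    {"environmentId": "env-abc", "owner": "user@example.com", "file": "abc-image.png"},
    {"environmentId": "env-xyz", "owner": "user@example.com", "file": "xyz-image.png"},
]

class RequestRejected(Exception):
    """Raised when a request must not be honored."""

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(head, body, key):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def make_token(payload, key=SIGNING_KEY):
    """Build a demo JWT (stands in for whatever issues the real access tokens)."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{head}.{body}.{_b64url_encode(_sign(head, body, key))}"

def environment_from_token(token, key=SIGNING_KEY):
    """Verify the signature before trusting any claim, then check enablement."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(_b64url_decode(head))
        if header.get("alg") != "HS256":
            raise RequestRejected("unexpected algorithm")
        if not hmac.compare_digest(_sign(head, body, key), _b64url_decode(sig)):
            raise RequestRejected("bad signature")
        env_id = json.loads(_b64url_decode(body)).get("environmentId")
    except (ValueError, AttributeError) as exc:
        raise RequestRejected("malformed token") from exc
    if not isinstance(env_id, str) or env_id not in ENABLED_ENVIRONMENTS:
        raise RequestRejected("service not enabled for this environment")
    return env_id

def list_records(token):
    """Filter storage by the verified environmentId, never by a request parameter."""
    env_id = environment_from_token(token)
    return [r for r in RECORDS if r["environmentId"] == env_id]
```

Because the environment is taken only from the verified token, a caller cannot reach another environment's rows by changing a query argument or by swapping the payload of a token it already holds.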