# Tenant administration

{% hint style="info" %}
The user administration may differ if using [Single Sign-On](/identity-and-access-management/single-sign-on.md).
{% endhint %}

This guide provides recommendations on how to set up Spark user groups, users, and API keys.

* This content mainly relates to the pages [Manage users](/tenant-administration/manage-users.md) and [Authorization - API keys](/spark-apis/authorization-api-keys.md).
* Please read our [Get started in 5 minutes](/getting-started-in-5-minutes.md) page before using this guide.

## Relevant Spark terminology

* First check if your tenant has been set up as a [Private tenant](/tenant-administration/private-tenant.md). This is denoted in the [Navigation menu](/navigation/navigation-menu.md#user-menu).
  * In a Shared tenant, all users have access to all folders and services within a tenant.
  * In a [Private tenant](/tenant-administration/private-tenant.md), users have restricted access to folders and services:
* After an Excel file has been uploaded to Spark and the logic is converted to code, it is referred to as a service.
* Folders are used to organize multiple services together.
* User permissions can be applied at the folder level.

## Add customized user groups

{% hint style="info" %}
This is only relevant if your tenant has been set up as a [Private tenant](/tenant-administration/private-tenant.md).
{% endhint %}

An organization may contain different teams who should have separate access to services in Spark. Some examples could include:

* Finance team and marketing team manage calculation and logic.
* American and Canadian branches of an organization.
* A research team working on a sensitive project.
* An audit team that needs only `read` permissions.

If your tenant has been set up as a [Private tenant](/tenant-administration/private-tenant.md), separate user groups can be created to separate access for different groups of users.

1. Follow the steps in [Manage users](/tenant-administration/manage-users.md#add-user-groups) to create the relevant user groups representative of the organization. Custom user groups must begin with `user:`. Examples could include: `user:audit`, `user:canada`, `user:finance`.

## Add tenant administrators

You will likely need to have multiple tenant administrators who can also manage [Active services](/tenant-administration/active-services.md), [Authorization - API keys](/spark-apis/authorization-api-keys.md), [Manage users](/tenant-administration/manage-users.md#user-groups), and [Manage users](/tenant-administration/manage-users.md#users).

1. Follow the steps in [Manage users](/tenant-administration/manage-users.md#add-users) and create an account for the other tenant administrators.
   * These accounts should be created with membership in `user:pf` and `tenant-admin` user groups.
   * If this is a [Private tenant](/tenant-administration/private-tenant.md), it is recommended that all `tenant-admin`s are also added to the `supervisor:pf` user group. This enables `tenant-admin`s to see all the folders within your tenant. This is not enabled by default.

## Add supervisor users

{% hint style="info" %}
This is only relevant if your tenant has been set up as a [Private tenant](/tenant-administration/private-tenant.md).
{% endhint %}

There may be a need for intermediate-level users who don't have tenant administrator privileges but can manage all folders on a tenant. In this case, supervisor users can be created. For example, an IT team may be responsible for account administration while a team leader needs to be able to manage different folders in Spark.

1. Follow the steps in [Manage users](/tenant-administration/manage-users.md#add-users) and create an account for supervisors.
   * These accounts should be created with membership in `user:pf` and `supervisor:pf` user groups.

## Add additional users

1. Follow the steps in [Manage users](/tenant-administration/manage-users.md#add-users) and create accounts for Spark users.
   * All users must be members of `user:pf` to log in to Spark.
   * If this is a [Private tenant](/tenant-administration/private-tenant.md), users can also be assigned to the user groups added earlier.
2. Tell teams about this [user guide](https://docs.coherent.global/) and [Coherent Academy](https://coherentacademy.coherent.global/)!

## Add folders with specific permissions

{% hint style="info" %}
This is only relevant if your tenant has been set up as a [Private tenant](/tenant-administration/private-tenant.md).
{% endhint %}

1. If user groups have been created in the previous step, it may help to initialize working folders for the organization with different permissions.
2. Follow the steps in [Home](/navigation/home.md#add-a-new-folder) to create additional folders.
3. Follow the steps in [Private tenant](/tenant-administration/private-tenant.md#set-permissions-on-folders-via-api) to add the customized team groups and the appropriate permissions.
   * For example, this could be a *Finance projections* folder with permissions assigned to `user:finance` users.
   * Only add `user:pf` to a folder in a [Private tenant](/tenant-administration/private-tenant.md) if all users should be able to access this folder.
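
The group and folder rules from the sections above can be checked mechanically before go-live. The following is an added example, not part of Spark or of Coherent's documentation: the `USERS`/`FOLDERS` layout and the function names are hypothetical, the data is constructed, and access is modelled only from the rules stated on this page.

```python
# Constructed sample data. The dict layout is a hypothetical export format,
# not a Spark API response.
USERS = {
    "alice": {"user:pf", "tenant-admin", "supervisor:pf"},
    "bob": {"user:pf", "tenant-admin"},        # admin who cannot see all folders
    "carol": {"user:pf", "user:finance"},
    "dave": {"user:finance"},                  # no user:pf, so cannot log in
    "erin": {"user:pf", "audit"},              # custom group lacks "user:" prefix
}
FOLDERS = {
    "Finance projections": {"user:finance"},
    "Research": {"user:pf", "user:research"},  # user:pf opens it to everyone
}
NAMED_ON_PAGE = {"user:pf", "tenant-admin", "supervisor:pf"}  # not custom groups


def audit(users, folders, private_tenant=True):
    """Return sorted (subject, finding) pairs for deviations from the guide."""
    findings = []
    for name, groups in users.items():
        if "user:pf" not in groups:
            findings.append((name, "not in user:pf, cannot log in"))
        if private_tenant and "tenant-admin" in groups and "supervisor:pf" not in groups:
            findings.append((name, "tenant-admin without supervisor:pf"))
        for group in groups - NAMED_ON_PAGE:
            if not group.startswith("user:"):
                findings.append((name, f"custom group {group} lacks user: prefix"))
    if private_tenant:
        for folder, groups in folders.items():
            if "user:pf" in groups:
                findings.append((folder, "user:pf opens folder to all users"))
    return sorted(findings)


def effective_access(users, folders, private_tenant=True):
    """Map each folder to the users who can reach it under the page's rules."""
    can_log_in = {n: g for n, g in users.items() if "user:pf" in g}
    access = {}
    for folder, allowed in folders.items():
        access[folder] = sorted(
            n for n, g in can_log_in.items()
            if not private_tenant or "supervisor:pf" in g or g & allowed
        )
    return access


if __name__ == "__main__":
    for subject, finding in audit(USERS, FOLDERS):
        print(f"{subject}: {finding}")
    print(effective_access(USERS, FOLDERS))
```

Reviewing the `effective_access` output per folder shows at a glance which folders are reachable by every user because `user:pf` was added to them.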

## Add API keys for calling Spark APIs

API keys can be used to integrate with the [Execute API](/spark-apis/execute-api.md) and other management APIs in [Permissions - Features permissions](/spark-apis/authorization-api-keys/permissions-features-permissions.md).

* In Spark, you must create an API key group first.
* [Authorization - API keys](/spark-apis/authorization-api-keys.md#api-key-groups) can contain multiple [Authorization - API keys](/spark-apis/authorization-api-keys.md#api-key-instances).
  * A key instance would correspond to an API key that is used for authentication.
  * Multiple key instances are useful for managing key rotation, where the to-be-deactivated, expiring key and the next API key have an overlap for continuity.
* An API key group represents the combined access rights of multiple user groups.

Follow the steps in [Authorization - API keys](/spark-apis/authorization-api-keys.md#add-api-key-groups) to create the first API key group.

1. If this is a Shared tenant, we recommend making the initial API key one that can access all Spark services. Do so by assigning the user group `user:pf` to the API key group.
2. If this is a Private tenant, then assign the appropriate user groups created earlier.

