Tenant setup
Provision an IntelliPPM tenant — invite the first admin, choose a residency region, and wire SSO.
Before you start
A new IntelliPPM tenant is a fully isolated logical environment. Every record carries a tenant_id enforced by row-level security in the underlying Aurora cluster, every Kafka partition key namespaces by tenant, and every AI inference is metered and budgeted per tenant. Setup is mostly about choosing the right defaults at the moment those isolations are established — changing residency or root admin scope after the fact is possible but heavier than getting it right up front.
Step 1 — Choose a residency region
IntelliPPM supports per-tenant residency for Bridge and Silo plans. The region you pick controls where your event log, your feature store, and your AI inference endpoints live. The default for design partners is us-east-1, which is also where the bridge runtime currently operates. EU residency is on the roadmap for paid GA.
Step 2 — Designate the root admin
The root admin is the first identity invited into the tenant. They hold the org:admin role, can invite further admins, and own the break-glass path back into the tenant if SSO is later misconfigured. Pick a real human, not a shared mailbox — break-glass authentication flows require a personal MFA factor.
Step 3 — Configure SSO
IntelliPPM integrates with any SAML 2.0 or OIDC identity provider via Auth0 Enterprise (the identity layer is abstracted behind an Identity interface — see ADR-0020 for the migration path to self-hosted Keycloak).
For the design-partner program the simplest path is:
- Create a SAML application in your IdP pointing at the IntelliPPM ACS URL provided in the welcome email.
- Map the email, given_name, family_name, and groups claims into the tenant.
- Optionally configure SCIM provisioning for automated lifecycle.
Once SSO is verified, the original invite-link admin can be retired to a break-glass-only account.
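A pre-flight check for the claim mapping step above, as an added example (not IntelliPPM's or Auth0's code): it parses a decoded SAML assertion captured from an IdP test login and lists any of the four claims that are absent or empty. It assumes the claims arrive under exactly the names listed above; the sample assertion is constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim names from the mapping step; assumed to be the exact Attribute Name values.
REQUIRED_CLAIMS = ("email", "given_name", "family_name", "groups")

# Constructed sample assertion (not real IdP output); family_name is missing on purpose.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>pat@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="given_name">
      <saml:AttributeValue>Pat</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>ppm-admins</saml:AttributeValue>
      <saml:AttributeValue>ppm-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_claims(assertion_xml):
    """Return {claim name: [non-empty values]} from a decoded SAML assertion."""
    # Refuse DTDs so entity-expansion payloads never reach the parser.
    if "<!doctype" in assertion_xml.lower():
        raise ValueError("DOCTYPE not allowed in a SAML assertion")
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


def missing_claims(assertion_xml, required=REQUIRED_CLAIMS):
    """List required claims that are absent or carry only empty values."""
    claims = extract_claims(assertion_xml)
    return [name for name in required if not claims.get(name)]


if __name__ == "__main__":
    # Checks attribute mapping only; it does not validate the assertion signature.
    print("missing claims:", missing_claims(SAMPLE_ASSERTION) or "none")
```
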
Step 4 — Confirm your tenant scope
Before adding portfolios, double-check the tenant scope you have provisioned matches your billing entity. A single legal entity typically maps to a single IntelliPPM tenant; multiple business units inside that entity map to portfolios within the tenant. Cross-tenant data sharing is not a supported pattern — it would violate R1 (tenant isolation) and R4 (data ownership).
Next
Continue to Your first portfolio.