When you added a tenant in the Deep Security Manager (DSM) under Administration > Tenants, the tenant creation failed. However, the tenant account name still appears in the T0 account as "Created", and you are unable to delete it.
Why tenant creation failed
The tenant creation failed because the database account does not have the dbcreator role.
The dbcreator role is not needed during initial DSM installation. However, for multi-tenancy, the dbcreator role in SQL is required for the database account used to connect to the Deep Security database. Without the appropriate database permission, tenant creation will fail and the tenant account will be left in an orphaned state. It will appear in the T0 account as “Created”, but no new database is created for the tenant.
Why tenant account still appears
When you add a new tenant from the console, the tenant information is verified and inserted into the database first. The modified tables include tenants and tenanthistory. Afterwards, the DSM configures the new tenant by creating the corresponding tenant database. The two database transactions are performed separately, so a failure to create the database does not roll back the tenant information that was already added to the tenants table.
Why tenant account cannot be deleted
Because a tenant database does not exist, you cannot delete the tenant from the T0 account.
Workaround to delete tenant
As a workaround, do one of the following:
- Wait for the tenant account to be removed after approximately seven (7) days.
By design, the tenant can still be deleted from the console. It will be in “Pending Deletion” state for about seven (7) days, after which the database entry will be removed. During the "Pending Deletion" state, you cannot use the same tenant account name to create another tenant.
- Remove the tenant account directly from the database:
Run the following query on the SQL server:
DELETE FROM tenants WHERE name LIKE 'name of the tenant to delete';
After the entry is removed from the database, you can create the tenant again using a database account that has been granted the dbcreator role.
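The following T-SQL is an added example, not part of the original article. It checks whether the DSM database login holds dbcreator before you retry, and removes the orphaned row inside a transaction that commits only if exactly one row matched. The login dsm_db_user, the tenant name ExampleTenant and the nvarchar(255) variable type are placeholder assumptions; it matches the name with = rather than LIKE so that wildcard characters in a name cannot match other tenants.

```sql
-- Hypothetical placeholders: replace with your DSM database login
-- and the exact name of the orphaned tenant.
DECLARE @dsm_login   sysname       = N'dsm_db_user';
DECLARE @tenant_name nvarchar(255) = N'ExampleTenant';  -- column type assumed

-- 1. Confirm the root cause: is the login a member of dbcreator?
--    IS_SRVROLEMEMBER returns 1 (member), 0 (not a member),
--    or NULL (login or role name is not valid).
SELECT IS_SRVROLEMEMBER(N'dbcreator', @dsm_login) AS has_dbcreator;

-- 2. If step 1 returned 0, grant the role (needs sufficient server-level
--    privileges). Left commented out so it is a deliberate action.
-- ALTER SERVER ROLE dbcreator ADD MEMBER [dsm_db_user];

-- 3. Preview the orphaned row. Run this and step 4 in the
--    Deep Security database, after taking a backup.
SELECT * FROM tenants WHERE name = @tenant_name;

-- 4. Delete inside a transaction; commit only if exactly one row
--    was removed, otherwise roll back and report.
BEGIN TRANSACTION;
DELETE FROM tenants WHERE name = @tenant_name;
IF @@ROWCOUNT = 1
    COMMIT TRANSACTION;
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR(N'Expected exactly one tenant row; nothing was deleted.', 16, 1);
END
```

Because dbcreator is a server-level role, grant it only to the login the DSM uses for its database connection.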