Multi-tenant authorization
In multi-tenancy, each tenant (e.g. an account or an organization) operates in an isolated environment, which may require its own access controls for the user roles that exist within that environment.
One effective way to implement multi-tenant authorization is to combine it with Role-Based Access Control (RBAC). RBAC controls access by assigning users predefined roles that grant a set of permissions within their environment.
Role-Based Access Control (RBAC)
RBAC on its own runs into three main problems as applications grow and have to deal with many fine-grained requirements:
- Roles alone (without attributes or relationships) lack granularity.
- Their static nature makes them hard to scale across many tenants.
- As requirements grow, the number of roles balloons, causing "Role Explosion".
A multi-tenant RBAC model isolates role assignments and permissions per tenant. Instead of a global role assigned to a user, a user's role depends on the tenant they belong to and the role they hold within that tenant.
Here’s a quick example of when this can be useful:
Imagine a SaaS project management platform where users belong to multiple organizations, each with different access levels:
A user could be an admin in one organization with full control, and only an editor in another, able to modify content but not manage users.
Multi-tenant RBAC ensures permissions are scoped to the right environment without unnecessary complexity.
In this article, we'll look at the importance of multi-tenant authorization and show how to implement it effectively with Permit.io.
You'll learn how to structure tenants, assign roles per tenant, and manage fine-grained permissions.
Let's dive in.
Why is Multi-Tenant Authorization important?
Multi-tenant authorization applies to applications where users operate in multiple independent environments, each with its own access rules. It is especially common in cloud-based applications.
Managing access across environments
With multi-tenancy, each user needs a well-defined way to have their access controlled according to their tenant. Because a user may hold different roles and permissions in different tenants, multi-tenant authorization ensures those permissions are evaluated and enforced correctly.
Multi-tenant authorization helps keep data isolated between tenants and prevents users from gaining permissions that apply across multiple tenants.
Example: A cloud storage platform where each customer (tenant) stores sensitive data. Access must be controlled strictly so that one customer cannot view or modify another customer's data.
But can't this be handled with RBAC alone?
Why traditional RBAC isn't enough for Multi-Tenant Authorization
Much has been written about the problems with RBAC. When applied to production applications, RBAC often proves too rigid and too hard to scale. Let's look at the aspects of multi-tenancy where this shows up:
- Static Roles Don't Scale Across Tenants:
In a traditional RBAC implementation, roles usually apply globally across an application. This means a user assigned an Editor role might have access to edit all resources, even across tenants where they shouldn't have permissions.
This problem can present itself as simply as:
A project management app where a user is an Editor in one team but should only have Viewer access in another.
Multi-Tenant RBAC allows roles to be scoped per tenant, so a user can be an Editor in one organization and a Viewer in another without unnecessary role duplication. Speaking of role duplication -
- The Role Explosion Problem
A basic RBAC model can start simple: Admin, Editor, Viewer. As more users and resource types are introduced, a role explosion can occur. If we take our previous example where a single user needs to be an Editor in one team but a Viewer in another, you can easily end up with something like this:
- Editor_TeamA
- Editor_TeamB
- Viewer_TeamA
- Viewer_TeamB
- … and so on for every additional team / potential tenant.
This makes the system hard to manage and difficult to update without breaking access rules.
Multi-Tenant RBAC removes the need for tenant-specific roles by dynamically assigning roles within each tenant instead of hardcoding them.
- Multi-Tenant Authorization Requires Granularity
RBAC is often too restricted when handling permissions at a granular level. It typically lacks built-in mechanisms to define resource-level or conditional access policies.
Think of this policy:
"Editors can only modify their own photos"
How simple is that? The thing is - there’s no way RBAC can support such a policy without implementing additional logic. Especially at scale.
Before getting into the implementation and best practices, let's review the common models used for multi-tenancy:
Common multi-tenant models
Multi-tenant authorization comes in several forms. Here are some common ways of structuring tenants:
- Accounts: Used in consumer SaaS applications, where each user belongs to a separate account (e.g. Google Drive, Dropbox).
- Organizations: Common in business applications, where a company (the organization) has many users with different roles (e.g. Slack, Notion).
- Workspaces: Shared environments where users are grouped according to collaboration needs (e.g. GitHub, project workspaces).
- Franchises: In systems where businesses operate under a franchise model, each franchise operates independently but shares a central infrastructure (e.g. restaurant management systems).
Each of these models relies on multi-tenant authorization to ensure consistent, role-based access control for every tenant.
Having covered the benefits of multi-tenant authorization, let's move on to implementation.
Best Practices for Implementing Multi-Tenant Authorization
A well-planned strategy is needed to manage tenants, permissions, and scaling across environments in multi-tenant applications.
Planning your Multi-Tenant Authorization Strategy
Before implementing anything, it is important to plan how your multi-tenant model will work. The goal is to ensure that each tenant has separate, manageable access controls for its users. Here are the key entities you need to define if you are using an RBAC model:
- Users: Individuals accessing the system. A single person may belong to multiple tenants.
- Tenants: Isolated environments in which users operate (like an account, an organization, or a workspace).
- Roles: Sets of permissions assigned to users within tenants.
- Resources: Objects (e.g. photos, documents) that users interact with, governed by permissions.
- Permissions: Rules that define which actions are allowed for each role.
Using this structure, you can build a flexible and scalable authorization system tailored to your users' needs.
Structuring multi-tenant requests
Since a single user can exist in multiple tenants, the system must ensure that:
- Role assignments are per tenant: a user's permissions must be scoped to the relevant tenant.
- Resources belong to a tenant: each resource belongs to exactly one tenant.
- Permission checks are contextual: when a user makes a request, the system evaluates their role within the tenant that owns the resource.
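The three rules above, as an added in-memory model (not code from the article or from Permit.io): role assignments are keyed by tenant, every resource carries its tenant, and the check resolves the user's role in the resource's tenant rather than trusting a global role. All tenant, user and resource names are constructed.

```javascript
// Added example: tenant-scoped RBAC in memory. All identifiers are constructed.
// Permissions are expressed as "<resource type>:<action>".
const ROLE_PERMISSIONS = {
  admin: new Set(["document:read", "document:update", "members:manage"]),
  editor: new Set(["document:read", "document:update"]),
  viewer: new Set(["document:read"]),
};

// Role assignments are keyed by tenant first: a user has no global role,
// only a role inside each tenant they are a member of. The same role names
// are reused in every tenant, so no Editor_TeamA / Editor_TeamB roles are needed.
const ROLE_ASSIGNMENTS = {
  "tenant-acme": { alice: "admin", bob: "viewer" },
  "tenant-globex": { alice: "editor" },
};

// Every resource belongs to exactly one tenant.
const RESOURCES = {
  "doc-1": { type: "document", tenant: "tenant-acme" },
  "doc-2": { type: "document", tenant: "tenant-globex" },
  "members-globex": { type: "members", tenant: "tenant-globex" },
};

// Role a user holds in a given tenant, or null if they are not a member.
function roleOf(userKey, tenant) {
  return (ROLE_ASSIGNMENTS[tenant] || {})[userKey] ?? null;
}

// Contextual check: the tenant is taken from the resource, never from the
// caller, so a role held in one tenant cannot be used against another.
function check(userKey, action, resourceKey) {
  const resource = RESOURCES[resourceKey];
  if (!resource) return false; // unknown resource: deny by default
  const role = roleOf(userKey, resource.tenant);
  if (role === null) return false; // not a member of the owning tenant
  const perms = ROLE_PERMISSIONS[role] || new Set();
  return perms.has(`${resource.type}:${action}`);
}
```

Alice is an admin in tenant-acme and only an editor in tenant-globex, so she can update documents in both but cannot manage members in tenant-globex; Bob, who is not a member of tenant-globex, gets no access there at all.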
Implementing Multi-Tenant Authorization: Separating Schema from Data
A practical challenge in multi-tenant systems is how to manage roles and policies. In many systems, roles and policies are tightly coupled with application data. This causes problems whenever roles need to change, because you end up updating both the role assignments and the application data.
To optimize for scalability:
- Store roles, assignments, and policies in a dedicated authorization system (such as Permit.io), and keep application data separate from the authorization logic.
- With this separation, you can update roles or permissions dynamically without touching the core data or the application's codebase.
Using a Single Source of Truth: The PDP (Policy Decision Point)
Another key principle of good multi-tenant authorization is using a single source of truth for policy decisions.
Instead of scattering authorization rules across services or user-level logic, the Policy Decision Point (PDP) serves as the central point where all access decisions are made.
Benefits of using a PDP:
- Consistency: The PDP ensures that every service in the application relies on the same policies when making authorization decisions.
- Dynamic policy updates: Changes to policies or role assignments only need to be made in one place, the PDP. This centralization avoids having to update multiple places in your codebase or databases.
- Reduced risk of error: With a single, centralized source, the risk of inconsistent rules across services and environments is reduced.
Extending RBAC with Relationship-Based Access Control (ReBAC)
While RBAC provides a solid foundation for multi-tenant authorization, there are scenarios where Relationship-Based Access Control (ReBAC) can provide more precise access control.
RBAC grants permissions based on the roles assigned to users, but ReBAC goes a step further by evaluating requests based on the relationships between resources and users. This is especially useful where permissions depend on how resources are linked or nested.
Example: A document management system where a user has access to a folder, and that folder contains multiple documents. With RBAC, you would have to assign roles such as Folder Editor or Document Viewer.
With ReBAC, you can express this simply:
"A user can edit a document if they are an editor of the folder that contains it."
This way, permissions become dynamic and context-sensitive without defining roles for each individual resource.
Benefits of ReBAC:
- Contextual permissions: Grants access based on relationships (e.g. a user assigned to a project can access all of the project's related resources).
- Reduced role explosion: No need to create roles for every user and resource combination, since relationships determine access dynamically.
By extending RBAC with ReBAC, you can handle complex access control scenarios where the relationships between users and resources determine permissions.
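The folder/document rule above, as an added minimal ReBAC evaluator (not code from the article or from Permit.io): access is stored as relationship tuples and the "edit" permission on a document is derived from being an editor of any folder on its parent chain, so nested folders work without a role per folder. The graph and its names are constructed.

```javascript
// Added example: relationship tuples (subject, relation, object). Constructed graph:
// alice is an editor of folder f-root; f-sub sits inside f-root; documents sit
// inside folders; bob is only a viewer of f-sub.
const TUPLES = [
  ["user:alice", "editor", "folder:f-root"],
  ["user:bob", "viewer", "folder:f-sub"],
  ["folder:f-sub", "parent", "folder:f-root"],
  ["document:d-1", "parent", "folder:f-root"],
  ["document:d-2", "parent", "folder:f-sub"],
];

// Permissions are derived from relationships on an ancestor folder, not from
// a role per folder or per document:
//   edit  <- subject is an "editor" of an ancestor folder
//   view  <- subject is an "editor" or "viewer" of an ancestor folder
const DERIVATIONS = {
  edit: ["editor"],
  view: ["editor", "viewer"],
};

function related(subject, relation, object) {
  return TUPLES.some(([s, r, o]) => s === subject && r === relation && o === object);
}

// Every folder on the parent chain of an object, nearest first.
// The `seen` set guards against cycles in malformed data.
function ancestors(object, seen = new Set()) {
  const out = [];
  for (const [s, r, o] of TUPLES) {
    if (s === object && r === "parent" && !seen.has(o)) {
      seen.add(o);
      out.push(o, ...ancestors(o, seen));
    }
  }
  return out;
}

// Does `subject` hold `permission` on `object` through some relationship?
// Unknown permissions are denied by default.
function allowed(subject, permission, object) {
  const viaRelations = DERIVATIONS[permission];
  if (!viaRelations) return false;
  return ancestors(object).some((folder) =>
    viaRelations.some((rel) => related(subject, rel, folder))
  );
}
```

Alice can edit d-2 even though it lives in the nested f-sub, because she is an editor of f-root higher up the chain; Bob can view d-2 but neither edit it nor see d-1.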
Implementing Multi-Tenant Authorization with Permit.io
Permit.io offers an effective way to implement multi-tenant authorization by letting you define roles, policies, and role assignments across different tenants.
```javascript
// Traditional, static check: the role is global and the tenant match is hand-coded.
if (user.role === "admin" && user.tenant === resource.tenant) {
  return true;
}
```
A traditional, static if statement used as a multi-tenancy check.
```javascript
// With Permit.io, the decision is delegated to the PDP; the tenant is part of the resource context.
const permitted = await permit.check(user, "read", {
  resource: "document",
  tenant: "default"
});
if (permitted) {
  return true;
}
```
The permit.check() function handles multi-tenant RBAC.
Here is a high-level overview of how multi-tenant RBAC authorization can be implemented in Permit.io:
- Define Roles, Resources, and Actions: To get started, first define your resources (e.g., documents, photos, tasks) and the actions that can be performed on them (e.g., create, read, update, delete).
- Add a new resource (e.g., blog) to represent the type of object you want to control access to.
- Specify the resource's key, which will be used in your API calls.
- Define the actions users should be able to perform on the resource (e.g., create, read, update, delete).
- The screenshot shows an example where blog is the resource, and actions are defined for it.
- Define the Access Control Policy: You'll specify what actions each role can perform on each resource. For example, in the screenshot, roles like admin, public, and Writer are defined, and the policy is set up to specify which actions are permitted for each role.
- Define the Tenants in the Directory: Each tenant can have its own set of roles, permissions, and policies.
To create tenants:
- Go to the Directory screen and click on Settings.
- Define the tenants you need (e.g., Tenant 1, Tenant 2, etc.).
- Create Users and Assign Roles: Once the tenants are defined, you can create users and assign them roles specific to each tenant. This ensures that the same user can have different roles in each tenant, depending on what permissions they need.
To create a new user:
- Click Add User in the Directory screen.
- Assign the user a unique key and other user details (e.g., email, first name).
- In the Permissions Per Tenant section, you can assign the user roles specific to the tenant to which they belong.
For instance, the user could be an Admin in Tenant 1 and a Writer in Tenant 2, as shown in the screenshot:
Now we can see all our users and the roles they hold in each tenant:
The benefits of using Permit.io for multi-tenant authorization include:
- Centralized policy management: Define and manage all of your authorization rules and policies from a single, centralized platform. This simplifies policy updates and avoids inconsistencies across your application.
- Tenant-specific role assignment: Users can be assigned different roles in each tenant, so the same user can hold different permissions across tenants.
- Fine-grained permissions: Apply multiple permissions per resource and manage fine-grained permissions (including ones based on attributes or relationships) without writing additional custom logic.
- ReBAC support: Permit.io combines traditional RBAC with ReBAC, allowing you to define permissions based not only on a user's roles but also on the relationships between users and resources. This is especially important when you need contextual permissions, such as access to resources based on organizational structure or hierarchies.
Conclusion: Multi-Tenant Authorization with RBAC
In this article, we discussed the importance of multi-tenant authorization and how implementing it with Role-Based Access Control (RBAC) provides effective control and scalability for users across environments.
We covered the limitations of traditional RBAC in multi-tenant applications and how Multi-Tenant RBAC solves problems such as static roles, role explosion, and fine-grained access control.
With multi-tenant authorization, each tenant gets its own access controls, ensuring that users can only access what they are permitted to within their own tenant.
Permit.io makes multi-tenant authorization much easier to implement, thanks to centralized policy management, tenant-specific role assignment, fine-grained permissions, and support for Relationship-Based Access Control (ReBAC).
What's Next?
- Check out the Permit.io documentation to start implementing multi-tenant authorization in your application.
- Join the Permit.io community to share best practices and get support.