In multi-tenancy, each tenant (e.g. an account or an organization) operates in an isolated environment, which may require its own access controls applied to specific user roles within that environment.

One suitable way to implement multi-tenant authorization is to combine it with Role-Based Access Control (RBAC). RBAC manages access by assigning users predefined roles that grant a set of permissions within an environment.

RBAC on its own, however, runs into three main problems as applications grow and face more fine-grained requirements:
- Roles are static: they carry no attributes or relationships, so a globally assigned role does not scale across many isolated environments.
- Because roles are static, RBAC lacks granularity; there is no built-in way to express resource-level or conditional rules.
- As requirements multiply, the number of roles can balloon, leading to "role explosion".

Multi-tenant RBAC addresses this by scoping role assignments and permissions to isolated environments. Instead of assigning a user a global role, the user's role assignment depends on the tenant and the role they hold within that tenant: a multi-tenant RBAC model assigns roles per tenant.

Here's a quick example of when this can be useful: imagine a SaaS project management platform where users belong to several organizations, each with a different level of access. A user might be an admin in one organization, with full control, and only an editor in another, able to modify content but not manage users.
Multi-tenant RBAC ensures that permissions apply within the right environment without adding unnecessary complexity. In this article, we look at the importance of multi-tenant authorization and show how to implement it effectively using Permit.io. You'll learn how to structure roles, support each tenant, and manage fine-grained permissions. Let's dive in.

Why is Multi-Tenant Authorization important?

Multi-tenant authorization is used in applications where users interact with multiple independent environments, each with its own data and permissions; this is the case for many cloud-based applications. With multi-tenancy, every user needs access controls that are scoped to the tenant they are acting in. Since a user can hold different roles and permissions across tenants, a multi-tenant implementation must keep those permissions separated and enforce them correctly. Multi-tenant authorization helps maintain data isolation between tenants and prevents users from obtaining permissions that carry over into other tenants.

Example: a cloud storage platform where each customer (tenant) stores sensitive data. Access must be controlled strictly so that one customer can never view or modify another customer's data.

But couldn't this be done with RBAC alone?

Why traditional RBAC isn't enough for Multi-Tenant Authorization

Much has been written about the limitations of RBAC. When used in production applications, RBAC can turn out to be too rigid and too hard to scale.
Let's look at the aspects of multi-tenancy where it falls short:

Static Roles Don't Scale Across Tenants

In a traditional RBAC implementation, roles usually apply globally across an application. This means a user assigned an Editor role might have access to edit all resources, even across tenants where they shouldn't have permissions. This problem can present itself as simply as: a project management app where a user is an Editor in one team but should only have Viewer access in another. Multi-Tenant RBAC allows roles to be scoped per tenant, so a user can be an Editor in one organization and a Viewer in another without unnecessary role duplication.

Speaking of role duplication - The Role Explosion Problem

A basic RBAC model can start simple: Admin, Editor, Viewer. As more users and resource types are introduced, a role explosion can occur. If we take our previous example, where a single user needs to be an Editor in one team but a Viewer in another, you can easily end up with something like this:
- Editor_TeamA
- Editor_TeamB
- Viewer_TeamA
- Viewer_TeamB
… and so on for every additional team / potential tenant. This makes the system hard to manage and difficult to update without breaking access rules. Multi-Tenant RBAC removes the need for tenant-specific roles by dynamically assigning roles within each tenant instead of hardcoding them.

Multi-Tenant Authorization Requires Granularity

RBAC is often too restricted when handling permissions at a granular level. It typically lacks built-in mechanisms to define resource-level or conditional access policies. Think of this policy: "Editors can only modify their own photos". How simple is that? The thing is - there's no way RBAC can support such a policy without implementing additional logic. Especially at scale.
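To make the three problems above concrete, here is an added example in plain Node.js; it is not code from the original post or from Permit.io. It models roles that are defined once, role assignments that are scoped per tenant, resources that belong to a single tenant, and one conditional rule ("editors may only update what they own") that a bare role table cannot express. The tenants team-a and team-b, the users alice and bob, and the project resources are constructed for illustration. The isPermitted function is the single decision point every service would call; isPermittedGlobalRole shows, for contrast, what the static global-role model the text warns about lets through.

```javascript
// Added example (not code from the original post or from Permit.io): a minimal
// multi-tenant RBAC model. All users, tenants, roles and resources below are
// constructed for illustration.

// 1. Roles are defined ONCE for the whole application: "editor" means the same
//    thing everywhere, so no Editor_TeamA / Editor_TeamB variants are needed.
const ROLES = {
  admin:  new Set(["project:read", "project:update", "project:delete"]),
  editor: new Set(["project:read", "project:update"]),
  viewer: new Set(["project:read"]),
};

// 2. Role ASSIGNMENTS are scoped per tenant: userId -> tenantId -> role.
//    alice is an editor in team-a but only a viewer in team-b.
const ASSIGNMENTS = {
  alice: { "team-a": "editor", "team-b": "viewer" },
  bob:   { "team-a": "admin" },
};

// 3. Every resource belongs to exactly one tenant and records its owner.
const RESOURCES = {
  "proj-1": { type: "project", tenant: "team-a", owner: "alice" },
  "proj-2": { type: "project", tenant: "team-b", owner: "alice" },
  "proj-3": { type: "project", tenant: "team-a", owner: "bob" },
};

// 4. A conditional rule that a pure role table cannot express:
//    "editors may only update resources they own" (admins are unrestricted).
const CONDITIONS = {
  "project:update": (role, userId, resource) =>
    role !== "editor" || resource.owner === userId,
};

// Shared evaluation step: does `role` grant `action` on `resource` for `userId`?
function evaluate(role, userId, action, resource) {
  const permission = `${resource.type}:${action}`;
  if (!ROLES[role] || !ROLES[role].has(permission)) return false;
  const condition = CONDITIONS[permission];
  return condition ? condition(role, userId, resource) : true;
}

// Multi-tenant check: the user's role is looked up in the tenant that OWNS the
// resource, never globally. This is the single decision point every service
// should call instead of embedding its own `if (user.role === ...)` logic.
function isPermitted(userId, action, resourceId) {
  const resource = RESOURCES[resourceId];
  if (!resource) return false;                           // unknown resource: deny
  const role = (ASSIGNMENTS[userId] || {})[resource.tenant];
  if (!role) return false;                               // no role in that tenant: deny
  return evaluate(role, userId, action, resource);
}

// For contrast, the "static global role" model the article warns about:
// one role per user, applied across every tenant.
const GLOBAL_ROLES = { alice: "editor", bob: "admin" };

function isPermittedGlobalRole(userId, action, resourceId) {
  const resource = RESOURCES[resourceId];
  const role = GLOBAL_ROLES[userId];
  if (!resource || !role) return false;
  return evaluate(role, userId, action, resource);
}

// Walk through the cases discussed in the text.
const cases = [
  ["alice", "update", "proj-1"], // editor in team-a and owner         -> allowed
  ["alice", "update", "proj-2"], // owner, but only a viewer in team-b -> denied
  ["alice", "update", "proj-3"], // editor in team-a, not the owner    -> denied
  ["bob",   "update", "proj-3"], // admin in team-a                    -> allowed
  ["bob",   "read",   "proj-2"], // no role at all in team-b           -> denied
];
for (const [user, action, res] of cases) {
  console.log(`${user} ${action} ${res}: per-tenant=${isPermitted(user, action, res)}`
    + ` global-role=${isPermittedGlobalRole(user, action, res)}`);
}
```

Run it with `node` and compare the two columns: the global-role model lets alice update proj-2 in team-b (where she is only a viewer) and lets bob read proj-2 although he has no role in team-b at all, which is exactly the cross-tenant leakage that per-tenant assignments prevent. Note that the role vocabulary stays at three entries no matter how many tenants are added; only the assignment table grows.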
Before we look at implementation and best practices, let's review the common models used for multi-tenancy:

Common multi-tenant models

Multi-tenant authorization shows up in many forms. Here are some common ways tenants are structured:
- Accounts – used in consumer-facing SaaS applications, where each user operates within a separate account (e.g. Google Drive, Dropbox).
- Organizations – common in business applications, where a company (the organization) has many users with different permissions (e.g. Slack, Notion).
- Teams – used in collaborative platforms, where users are grouped according to shared needs (e.g. GitHub teams, project workspaces).
- Franchises – in systems where businesses operate under a franchise model, each franchise runs independently but shares a central structure (e.g. restaurant management systems).

All of these models rely on multi-tenant authorization to ensure consistent isolation and per-tenant, role-based access.

Having covered the benefits of multi-tenant authorization, let's move on to implementation: best practices for building a multi-tenant authorization strategy that properly manages roles, permissions, and scalability in multi-tenant applications.

Structuring your Multi-Tenant Authorization Strategy

Before building any solution, it's essential to plan how your multi-tenant model will work. The goal is to ensure that every tenant gets separate, manageable access controls for its users. Here are the key components to consider when applying an RBAC model:
- Users: the individuals accessing the system. A single user can exist in multiple tenants.
- Tenants: the isolated environments in which users operate (such as an account, an organization, or a workspace).
- Roles: sets of predefined permissions assigned to users within tenants.
- Resources: the objects (e.g. photos, documents) that users interact with, governed by permissions.
- Policies: the rules that define which permissions are granted to which roles.

With this structure in place, you can build a flexible and scalable authorization system tailored to your users' needs. Because a single user can exist in multiple tenants, a multi-tenant application's authorization system must ensure that:
- Role assignments are per tenant – a user's permissions must be scoped to the tenant they apply to.
- Resources belong to tenants – each resource belongs to exactly one tenant.
- Permissions are checked dynamically – when a user makes a request, the system evaluates their role within the tenant together with the resource's ownership.

Optimizing Multi-Tenant Authorization: Decoupling Schema from Data

A practical challenge in multi-tenant systems is how to manage roles and policies. In typical systems, role assignment is tightly coupled to application data. This causes problems when roles need to change, because you must update both the role assignment and the application data.

To optimize for scalability: store roles, assignments, and policies in a dedicated authorization system (such as Permit.io), and keep application data separate from authorization logic. With this decoupling, you can update roles or permissions dynamically without touching core data or the application codebase.

Using a Single Source of Truth - The PDP (Policy Decision Point)

Another important concept for improving multi-tenant authorization is using a single source of truth for policy decisions.
Rather than scattering policy logic and decisions across services or embedding them at the user level, the Policy Decision Point (PDP) acts as the central point where all access decisions are made.

Benefits of using a PDP:
- Consistency: the PDP ensures that every service in the application follows the same policies when making authorization decisions.
- Dynamic policy updates: changes to policies or role assignments only need to be made in one place, the PDP. This centralization removes the need to update many places in your codebase or databases.
- Reduced risk of error: with a single, centralized decision point, the risk of inconsistent policies across services is reduced.

Extending RBAC with Relationship-Based Access Control (ReBAC)

While RBAC provides a solid structure for multi-tenant authorization, there are scenarios that call for more advanced access control. RBAC grants permissions based on the roles assigned to users, but Relationship-Based Access Control (ReBAC) goes a step further by evaluating requests based on the relationships between resources and users. This is especially useful where permissions depend on how resources are connected or grouped.

Example: a document management system where a user has access to a folder, and that folder contains many documents. With RBAC, you would need roles such as Folder Editor or Document Viewer. With ReBAC, you can instead express this as: "A user can edit a document if they are an editor of the folder it belongs to."
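The folder/document policy just quoted, implemented as an added example in plain Node.js; this is not code from the original post and is not Permit.io's policy engine. It stores relationships as object#relation@subject tuples, derives document permissions from the parent folder (and, going one step beyond the text, from nested parent folders), and so needs no per-resource roles. All folder, document and user identifiers are constructed for illustration.

```javascript
// Added example (not code from the original post or from Permit.io): a tiny
// relationship-based (ReBAC) checker. Relationship data, schema and ids are
// constructed for illustration.

// Relationship tuples written as object#relation@subject, e.g.
// "folder:design#editor@user:alice"  = alice is an editor of the design folder
// "document:logo#parent@folder:design" = the logo document lives in that folder
const TUPLES = [
  { object: "folder:projects",      relation: "editor", subject: "user:dana" },
  { object: "folder:design",        relation: "parent", subject: "folder:projects" },
  { object: "folder:design",        relation: "editor", subject: "user:alice" },
  { object: "folder:design",        relation: "viewer", subject: "user:bob" },
  { object: "document:logo",        relation: "parent", subject: "folder:design" },
  { object: "document:brand-guide", relation: "parent", subject: "folder:design" },
  { object: "folder:finance",       relation: "editor", subject: "user:bob" },
  { object: "document:budget",      relation: "parent", subject: "folder:finance" },
  { object: "document:memo",        relation: "editor", subject: "user:erin" },
];

// Schema: how each permission is derived. A rule is either a direct relation on
// the object itself, or a permission on an object reached through a relation
// (here: the parent folder). "Editor of the folder" therefore implies "edit the
// document" without a Folder Editor / Document Viewer role ever being defined.
const SCHEMA = {
  folder: {
    edit: [{ relation: "editor" }, { via: "parent", permission: "edit" }],
    view: [{ relation: "editor" }, { relation: "viewer" }, { via: "parent", permission: "view" }],
  },
  document: {
    edit: [{ relation: "editor" }, { via: "parent", permission: "edit" }],
    view: [{ relation: "editor" }, { relation: "viewer" }, { via: "parent", permission: "view" }],
  },
};

// Subjects related to `object` through `relation`.
function subjectsOf(object, relation) {
  return TUPLES
    .filter(t => t.object === object && t.relation === relation)
    .map(t => t.subject);
}

// Can `user` exercise `permission` on `object`? Walks the relationship graph.
function check(user, permission, object, depth = 0) {
  if (depth > 8) return false;                       // guard against cyclic parent links
  const type = object.split(":")[0];
  const rules = SCHEMA[type] && SCHEMA[type][permission];
  if (!rules) return false;                          // unknown type or permission: deny
  return rules.some(rule =>
    rule.relation
      ? subjectsOf(object, rule.relation).includes(user)
      : subjectsOf(object, rule.via).some(parent =>
          check(user, rule.permission, parent, depth + 1))
  );
}

// The cases from the text, plus a two-level folder hierarchy.
for (const [user, perm, obj] of [
  ["user:alice", "edit", "document:logo"],   // editor of the parent folder  -> allowed
  ["user:bob",   "edit", "document:logo"],   // only a viewer of the folder  -> denied
  ["user:bob",   "view", "document:logo"],   // viewer of the folder         -> allowed
  ["user:dana",  "edit", "document:logo"],   // editor of the grandparent    -> allowed
  ["user:alice", "edit", "document:budget"], // no relationship to finance   -> denied
]) {
  console.log(`${user} ${perm} ${obj}: ${check(user, perm, obj)}`);
}
```

In a multi-tenant deployment the tuple store would be partitioned per tenant so that a parent relation can never point at a folder in another tenant; the example keeps a single flat list to focus on the derivation itself.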
This way, permissions become dynamic and context-sensitive without having to define roles for each individual resource.

Benefits of ReBAC:
- Contextual permissions: access is granted based on relationships (e.g. a user assigned to a project can then access all of its related resources).
- Reduced role explosion: you don't need to create roles for every combination of user and resource, because relationships can grant access dynamically.

By extending RBAC with ReBAC, you can handle complex access control scenarios where the relationships between users and resources determine permissions.

Implementing Multi-Tenant Authorization with Permit.io

Permit.io provides a straightforward way to implement multi-tenant authorization by letting you define roles, policies, and permissions across different tenants.

A traditional, static if statement that hardcodes the multi-tenancy logic in the application:

```javascript
// Static check: role name and tenant comparison are hardcoded in the application
if (user.role == "admin" && user.tenant == resource.tenant) {
  return true;
}
```

Compared with a check where the permit.check() function handles multi-tenant RBAC:

```javascript
const { Permit } = require("permitio");

// Initialise the SDK; the PDP address points at a locally running Permit.io PDP
const permit = new Permit({
  token: process.env.PERMIT_API_KEY,
  pdp: "http://localhost:7766",
});

// Ask the PDP whether this user may "read" a document in the given tenant
const permitted = await permit.check(user, "read", { resource: "document", tenant: "default" });
if (permitted) {
  return true;
}
```

Here's a high-level overview of how multi-tenant RBAC authorization can be set up in Permit.io:

Define Roles, Resources, and Actions: To get started, first define your resources (e.g., documents, photos, tasks) and the actions that can be performed on them (e.g., create, read, update, delete).
- Add a new resource (e.g., blog) to represent the type of object you want to control access to.
- Specify the resource's key, which will be used in your API calls.
- Define the actions users should be able to perform on the resource (e.g., create, read, update, delete).
The screenshot shows an example where blog is the resource, and actions are defined for it.

Define the Access Control Policy: You'll specify what actions each role can perform on each resource.
For example, in the screenshot, roles like admin, public, and Writer are defined, and the policy is set up to specify which actions are permitted for each role.

Define the Tenants in the Directory: Each tenant can have its own set of roles, permissions, and policies. To create tenants:
- Go to the Directory screen and click on Settings.
- Define the tenants you need (e.g., Tenant 1, Tenant 2, etc.).

Create Users and Assign Roles: Once the tenants are defined, you can create users and assign them roles specific to each tenant. This ensures that the same user can have different roles in each tenant, depending on what permissions they need. To create a new user:
- Click Add User in the Directory screen.
- Assign the user a unique key and other user details (e.g., email, first name).
- In the Permissions Per Tenant section, you can assign the user roles specific to the tenant to which they belong.
For instance, the user could be an Admin in Tenant 1 and a Writer in Tenant 2, as shown in the screenshot.

Now we can see all of our users, along with the roles they hold in each tenant.

The benefits of using Permit.io for multi-tenant authorization include:
- Centralized policy management: define and manage all of your authorization rules and policies from one centralized platform. This reduces policy duplication and avoids inconsistencies across your application.
- Tenant-specific role assignment: assign users their roles per tenant, so the same user can hold different roles in different tenants.
- Fine-grained permissions: apply detailed permissions to each resource and manage fine-grained permissions tied to attributes or relationships, without writing additional custom logic.
- ReBAC support: Permit.io supports both traditional RBAC and ReBAC, letting you define permissions based not only on a user's roles but also on the relationships between users and resources. This is especially useful when you need contextual permissions, such as access to resources based on an organizational structure or hierarchy.

Conclusion: Multi-Tenant Authorization with RBAC

In this article, we covered the importance of multi-tenant authorization and how implementing it with Role-Based Access Control (RBAC) provides proper control and scalability for users across tenants. We looked at the limitations of traditional RBAC in multi-tenant applications and at how multi-tenant RBAC solves issues such as static roles, role explosion, and fine-grained access control. With multi-tenant authorization, every tenant gets its own access controls, ensuring that users can only access what they are permitted to within their own tenant.
You can implement multi-tenant authorization far more easily with Permit.io, thanks to centralized policy management, tenant-specific role assignment, fine-grained permissions, and support for Relationship-Based Access Control (ReBAC).

What's Next?

Check out the Permit.io documentation to start implementing multi-tenant authorization in your application. Join the Permit.io community to discuss best practices and get support.