Multi-tenancy is a model for managing user access across multiple applications, environments, or groups. With multi-tenancy, each tenant (e.g., an account or an organization) operates in its own isolated environment, so access control is kept separate for each customer within the same application.

Multi-tenant authorization

One of the most effective ways to implement multi-tenant authorization is by combining it with Role-Based Access Control (RBAC). RBAC manages access by assigning users specific roles that define their permissions within the application.

RBAC on its own runs into three main limitations as applications grow and their permission requirements become more complex:

- Because roles are coarse (no attributes and no relationships), RBAC can lack granularity.
- Its static roles cannot adapt across tenants.
- As applications scale, the number of roles can grow out of control, leading to "Role Explosion".

The solution to these is to make role assignments and permissions dynamic within isolated environments: a multi-tenant RBAC model in which roles are assigned per tenant.

Here's a quick example of when this can be useful: Consider a SaaS project management platform where users can belong to multiple organizations. A user could be an admin in one organization with full control, but only an editor in another, able to modify tasks but not manage users.
Multi-tenant RBAC ensures that permissions are scoped to the right tenant, without granting unauthorized access.

In this guide, we'll look at the importance of multi-tenant authorization and show how it can be implemented effectively with Permit.io: how to structure policies, manage roles per tenant, and control fine-grained permissions. Let's dive in.

Why is Multi-Tenant Authorization Important?

Multi-tenant authorization is essential for applications where users interact with multiple environments, such as SaaS applications and cloud services.

With multi-tenancy, each tenant gets access controls tailored to its own needs. Because a user can have different roles and needs in different tenants, multi-tenancy lets permissions be managed and enforced independently per tenant. This is how multi-tenant authorization prevents data from leaking between tenants and ensures that users hold the right permissions within each tenant.

Example: A cloud storage platform where each tenant (customer) stores sensitive data. Strict access controls are essential so that users from one tenant cannot view or modify data belonging to another tenant.

But isn't that just RBAC?
Why Traditional RBAC Isn't Enough for Multi-Tenant Authorization

It all comes down to the limits of RBAC. Once an application is in production, RBAC can become costly and hard to scale. Here are the aspects of multi-tenancy it fails to handle:

Static Roles Don't Scale Across Tenants

In a traditional RBAC implementation, roles usually apply globally across an application. This means a user assigned an Editor role might be able to edit all resources, even in tenants where they should have no permissions at all.

This problem can present itself as simply as: a project management app where a user is an Editor in one team but should only have Viewer access in another.

Multi-Tenant RBAC allows roles to be scoped per tenant, so a user can be an Editor in one organization and a Viewer in another without unnecessary role duplication.

Speaking of role duplication:

The Role Explosion Problem

A basic RBAC model can start simple: Admin, Editor, Viewer. As more users and resource types are introduced, a role explosion can occur. If we take our previous example, where a single user needs to be an Editor in one team but a Viewer in another, you can easily end up with something like this:

- Editor_TeamA
- Editor_TeamB
- Viewer_TeamA
- Viewer_TeamB

… and so on for every additional team / potential tenant. This makes the system hard to manage and difficult to update without breaking access rules.

Multi-Tenant RBAC removes the need for tenant-specific roles by dynamically assigning roles within each tenant instead of hardcoding them.

Multi-Tenant Authorization Requires Granularity

RBAC is often too restrictive when handling permissions at a granular level. It typically lacks built-in mechanisms to define resource-level or conditional access policies. Think of this policy: "Editors can only modify their own photos". How simple is that? The thing is, there's no way RBAC can support such a policy without implementing additional logic.
Especially at scale.

Before we get into implementation and best practices, let's review some of the common ways multi-tenancy is modeled:

Models of Multi-Tenancy

Multi-tenant authorization is used in many kinds of applications. Here are some common ways tenants are structured:

- Accounts – Used in consumer SaaS applications, where each user belongs to a single account (e.g., Google Drive, Dropbox).
- Organizations – Used in enterprise applications, where a company (organization) has many users with different roles (e.g., Slack, Notion).
- Groups – Useful for collaborative environments, where users are grouped according to shared needs (e.g., GitHub teams, project workspaces).
- Franchises – Systems where a business operates under a franchise model; each franchise operates independently but belongs to a central structure (e.g., restaurant management systems).

All of these models benefit from multi-tenant authorization to ensure proper isolation and tenant-specific permissions. With the benefits covered, let's move on to implementation.

Best Practices for Implementing Multi-Tenant Authorization

These are effective strategies for managing roles, permissions, and isolation across tenants in multi-tenant applications.

Planning Your Multi-Tenant Authorization Strategy

Before implementing anything, it's important to design your multi-tenant authorization model. The goal is to ensure that every tenant has separate, manageable access controls for its users. Here are the key entities you need to account for when using an RBAC model:

- Users: The people who use the system.
Each user can belong to multiple tenants.
- Tenants: The separate environments in which users operate (such as an Account, Organization, or Workspace).
- Roles: Sets of permissions assigned to users within a tenant.
- Resources: The objects (e.g., photos, documents) users interact with, managed independently per tenant.
- Policies: The rules that define which roles may perform which actions.

By structuring these correctly, you can build a flexible and scalable authorization system that fits your application's needs.

To support a multi-tenant application in which a single user can exist in multiple tenants, the system must ensure that:

- Role assignments are per tenant: a user's permissions are scoped to the specific tenant in which they were granted.
- Resources are tied to tenants: each resource belongs to exactly one tenant.
- Policies are enforced dynamically: when a user makes a request, the system checks the user's role relationship within the relevant tenant.

Implementing Multi-Tenant Authorization: Separating Schema from Data

A central challenge in multi-tenant systems is how roles and policies are managed. In traditional systems, roles and policies are hardcoded alongside application data. This creates problems when policies need to change, because role assignments and application data end up being maintained in two places.

To optimize for scalability: store roles, assignments, and policies in a dedicated authorization system (e.g., Permit.io), and keep application data separate from the authorization logic. This setup allows roles or permissions to be updated dynamically without touching the application's data or codebase.

Use One Source of Truth - The PDP (Policy Decision Point)

One of the critical concepts in optimizing multi-tenant authorization is using a single source of truth for policy decisions.
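The model and its three invariants (per-tenant role assignments, resources tied to one tenant, decisions made dynamically at request time) can be seen in a few lines of JavaScript. The block below is an added example written for this post, not Permit.io's code or SDK; the role, user, tenant and resource names are constructed. Roles are defined once, assignments carry the tenant, and a single `check` function is the one place every caller asks, which is the role a PDP plays. A `checkGlobalRbac` function is included only for contrast, to show how the global-role approach from earlier in the post lets an "editor" edit in every tenant.

```javascript
// Added example (not Permit.io's code): a minimal multi-tenant RBAC model.
// Roles are defined once; role *assignments* are scoped to a tenant, and
// every resource belongs to exactly one tenant. All names are constructed.

// Roles defined once, globally: the permission sets do not change per tenant.
const ROLES = {
  admin:  new Set(["create", "read", "update", "delete", "manage_users"]),
  editor: new Set(["create", "read", "update"]),
  viewer: new Set(["read"]),
};

// Role assignments are (user, tenant) -> role. The same user holds a
// different role in each tenant, with no Editor_TeamA / Viewer_TeamB roles.
const ASSIGNMENTS = [
  { user: "alice", tenant: "team-a", role: "editor" },
  { user: "alice", tenant: "team-b", role: "viewer" },
  { user: "bob",   tenant: "team-b", role: "admin" },
];

// Every resource is tied to exactly one tenant.
const RESOURCES = {
  "task-1": { type: "task", tenant: "team-a" },
  "task-2": { type: "task", tenant: "team-b" },
};

// Roles a user holds in a given tenant (the per-tenant role relationship).
function rolesIn(user, tenant) {
  return ASSIGNMENTS
    .filter((a) => a.user === user && a.tenant === tenant)
    .map((a) => a.role);
}

// Single decision function, playing the role of a PDP: every caller asks
// this one place, so there is one source of truth for the answer.
function check(user, action, resourceId, tenant) {
  const resource = RESOURCES[resourceId];
  // Unknown resource, or a resource that does not belong to the tenant the
  // caller names: deny, so a tenant id in the request can never reach a
  // resource that actually lives in another tenant.
  if (!resource || resource.tenant !== tenant) return false;
  return rolesIn(user, tenant).some((r) => ROLES[r]?.has(action) === true);
}

// For contrast only: the global-role version the post warns about. A user's
// role is looked up without a tenant, so an "editor" edits in every tenant.
const GLOBAL_ROLE = { alice: "editor", bob: "admin" };
function checkGlobalRbac(user, action) {
  return ROLES[GLOBAL_ROLE[user]]?.has(action) ?? false;
}
```

With this data, `check("alice", "update", "task-1", "team-a")` is allowed (editor in team-a), `check("alice", "update", "task-2", "team-b")` is denied (viewer there), and `check("alice", "update", "task-2", "team-a")` is denied because the resource lives in team-b, whereas `checkGlobalRbac("alice", "update")` says yes everywhere.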
Instead of scattering user information and access rules across individual services or user databases, the PDP acts as the central point where every access decision is made.

Benefits of using a PDP:

- Consistency: The PDP ensures that every service in the application references the same set of rules when making authorization decisions.
- Dynamic policy updates: Changes to policies or role assignments only need to be made in one place, the PDP. This removes the need to update multiple places in your codebase or databases.
- Reduced risk of error: With a single decision point, you reduce the risk of inconsistent permissions across services and applications.

Extending RBAC with Relationship-Based Access Control (ReBAC)

While RBAC provides a solid foundation for multi-tenant authorization, there are cases where it cannot provide enough granularity.

Relationship-Based Access Control (ReBAC)

RBAC defines permissions based on the roles assigned to users, but the natural next step is to define permissions based on the relationships between resources and users. This matters especially when applications involve hierarchical or nested resources.

For example, in a document management system a user may have access to a folder, and that folder contains multiple documents. With RBAC, you would have to define roles such as Folder Editor or Document Viewer. With ReBAC, you can instead express this as:

"A user can edit a document if they are an editor of the folder that contains the document."
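The folder/document rule just quoted, as an added JavaScript example (not Permit.io's code or its ReBAC implementation; the users, folders, documents and the `editor`/`viewer`/`parent` relation names are constructed). Access is stored as relationship tuples, and a user's relation to a folder is inherited by every document whose `parent` chain leads to that folder, so no "Folder Editor" or "Document Viewer" role is ever defined. The walk up the `parent` edges is recursive with a visited set, so nested folders work and a malformed cyclic graph cannot loop forever.

```javascript
// Added example (not Permit.io's code): relationship-based access (ReBAC)
// for the "editor of the containing folder may edit the document" rule.
// All names and data below are constructed.

// Relationship tuples: (subject) -[relation]-> (object). A "parent" edge
// links a folder to a document (or sub-folder) it contains; an "editor" or
// "viewer" edge links a user directly to a folder or document.
const TUPLES = [
  { subject: "user:alice", relation: "editor", object: "folder:f1" },
  { subject: "user:bob",   relation: "viewer", object: "folder:f1" },
  { subject: "folder:f1",  relation: "parent", object: "document:d1" },
  { subject: "folder:f1",  relation: "parent", object: "document:d2" },
  // A direct grant on a document that is not inside folder:f1.
  { subject: "user:bob",   relation: "editor", object: "document:d3" },
];

// Which actions each relation permits on the object it is held on.
const RELATION_ACTIONS = {
  editor: new Set(["read", "update"]),
  viewer: new Set(["read"]),
};

// Relations a user holds directly on an object.
function directRelations(user, object) {
  return TUPLES
    .filter((t) => t.subject === user && t.object === object)
    .map((t) => t.relation);
}

// Folders that contain `object`, walking "parent" edges upward. A folder may
// itself sit in another folder, so this recurses; `seen` guards against a
// cycle in a malformed graph.
function ancestors(object, seen = new Set()) {
  const parents = TUPLES
    .filter((t) => t.relation === "parent" && t.object === object)
    .map((t) => t.subject);
  const out = [];
  for (const p of parents) {
    if (seen.has(p)) continue;
    seen.add(p);
    out.push(p, ...ancestors(p, seen));
  }
  return out;
}

// Effective relations: direct ones plus those inherited from any ancestor
// folder. This is the ReBAC rule from the post: a user can edit a document
// if they are an editor of the folder containing it.
function effectiveRelations(user, object) {
  const rels = new Set(directRelations(user, object));
  for (const a of ancestors(object)) {
    for (const r of directRelations(user, a)) rels.add(r);
  }
  return rels;
}

// Decision: does any effective relation permit the action?
function can(user, action, object) {
  for (const r of effectiveRelations(user, object)) {
    if (RELATION_ACTIONS[r]?.has(action)) return true;
  }
  return false;
}
```

Here `can("user:alice", "update", "document:d1")` is true through the folder relationship alone, `can("user:bob", "update", "document:d1")` is false because bob is only a viewer of the folder, and bob's direct `editor` tuple on `document:d3` gives no access to alice.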
"Umsebenzisi akwazi ukuguqulwa i-document uma iyahambisana ne-editor ye-mapping eyenziwa ku-document." Ngokwenza lokhu, kungenziwa izicelo ezingenalutho ezingenalutho ezingenalutho ezingenalutho ezingenalutho ezingenalutho ezingenalutho ezingenalutho ezingenalutho ezingenalutho ezingenalutho ezingenalutho ezingenalutho ezingenalutho ezingenalutho ezingenalutho. : Benefits of ReBAC I-Contextual Permissions: Inikeza ukulawula ukufinyelela ngokuvumelana nezilinganiso zokusebenza (isib. Umdlali owenziwe yi-editor ye-project, futhi ngakho-ke akwazi ukufinyelela zonke izivakashi ezihlobene). Ukunciphisa I-Role Explosion: Unemfuneko yokwenza imfuneko kuzo zonke izakhiwo ze-user kanye ne-resource type, njengoba izilinganiso zokusebenza ukucacisa ukufinyelela ngokushesha. Ukwandisa i-RBAC nge-ReBAC, ungakwazi ukulawula lapho izilinganiso phakathi kwamakhasimende nama-resources zihlanganisa izivumelwano. complex access control scenarios Ukukhiqizwa kwe-Multi-Tenant Authorization Ngena ngemvume Ngena ngemvume inikeza indlela elula yokusebenza kwe-multi-tenant authorization ngokuvumela ukucacisa izigaba, izinsizakalo kanye nezinsizakalo zokufinyelela phakathi kwezimo ezihlukahlukene. Permit.io if (user.role == admin && user.tenant == resource.tenant) { return true; } I-Traditional, i-Static if Ukubonisa indlela multi-tenancy. const permitted = await permit.check(user, "read", { resource: "document", tenant: "default" }); if (permitted) { return true; } Ukukhanyisa permit.check() isicelo esifundeni esifundeni multi-tenancy RBAC. Ngiyaxolisa kanjani i-multi-tenant RBAC authorization ingasetshenziswa ku-Permit.io: Define Roles, Resources, and Actions: To get started, first define your resources (e.g., documents, photos, tasks) and the actions that can be performed on them (e.g., create, read, update, delete). Add a (e.g., ) to represent the type of object you want to control access to. new resource blog Specify the resource's , which will be used in your API calls. 
- Define the actions users should be able to perform on the resource (e.g., create, read, update, delete).

The screenshot shows an example where blog is the resource and actions are defined for it.

Define the Access Control Policy

Here you specify which actions each role can perform on each resource. For example, in the screenshot, roles such as admin, public, and Writer are defined, and the policy specifies which actions are permitted for each role.

Define the Tenants in the Directory

Each tenant can have its own set of roles, permissions, and policies. To create tenants:

- Go to the Directory screen and click on Settings.
- Define the tenants you need (e.g., Tenant 1, Tenant 2, etc.).

Create Users and Assign Roles

Once the tenants are defined, you can create users and assign them roles specific to each tenant. This ensures that the same user can have different roles in each tenant, depending on which permissions they need. To create a new user:

- Click Add User in the Directory screen.
- Assign the user a unique key and other user details (e.g., email, first name).
- In the Permissions Per Tenant section, assign the user the roles specific to the tenant they belong to.

For instance, the user could be an Admin in Tenant 1 and a Writer in Tenant 2, as shown in the screenshot.

Here, we can see all of our users and the roles assigned to each of them in every tenant:

Key benefits of using Permit.io for multi-tenant authorization include:

- Centralized policy management: Define and manage all of your authorization policies and roles from a single platform. This simplifies policy updates and keeps management consistent across your tenants.
- Tenant-specific role assignment: Define and manage roles on a per-tenant basis (e.g., Admin in one tenant, Viewer in another).
- Fine-grained permissions: Apply tenant-specific permissions and manage granular permissions (based on attributes or relationships) without writing additional custom logic.
- ReBAC support: Permit.io combines the classic RBAC model with ReBAC, letting you define policies based not only on users' roles but also on the relationships between users and resources. This is especially useful for contextual requirements, such as granting access to resources based on organizational structure or hierarchy.

Conclusion: Multi-Tenant Authorization with RBAC

In this blog, we covered the importance of multi-tenant authorization and how Role-Based Access Control (RBAC) provides a structured way to manage user permissions across tenants. We looked at the limitations of traditional RBAC in multi-tenant applications and how Multi-Tenant RBAC addresses problems such as static roles, role explosion, and fine-grained access control. With multi-tenant authorization, every tenant can isolate its own access, ensuring that users can only reach data within their specific tenant. Permit.io makes implementing multi-tenant authorization practical, with centralized management, dynamic role assignments, fine-grained permissions, and support for Relationship-Based Access Control (ReBAC).

What's Next?
Explore the Permit.io documentation to start implementing multi-tenant authorization in your application. Join the Permit.io community to connect with other practitioners and get support.