
Indlela yokusebenza Multi-Tenant Authorization nge Role-Based Access Control

By Permit.io | 11 min read | 2025/06/23

Too Long; Didn't Read

Traditional RBAC falls short in multi-tenant apps. This article shows how to combine RBAC with ReBAC using Permit.io to get flexible, scalable, tenant-scoped permissions.

Multi-tenant authorization

Multi-tenancy is a model for managing user access across multiple customers, environments, or groups. With multi-tenancy, each tenant (e.g. an account or an organization) operates in its own isolated environment, which enables tailored, isolated access control for specific customers within the application.

One of the most effective ways to implement multi-tenant authorization is by combining it with Role-Based Access Control (RBAC). RBAC manages access by granting users specific permissions based on the roles they hold within a tenant.

RBAC alone runs into three main limitations as applications grow and accumulate complex permission requirements:

  • Because roles on their own carry no attributes or relationships, RBAC lacks granularity.
  • Its static roles offer no flexibility across tenants.
  • As applications grow, the number of roles can balloon uncontrollably, leading to "Role Explosion".

A multi-tenant RBAC model solves these problems by scoping access control per tenant, allowing dynamic role assignments and permissions within isolated environments instead of one global set of roles shared across the whole application.

Here’s a quick example of when this can be useful:

Take a SaaS project management platform where users can belong to multiple organizations:

A user could be an admin in one organization with full control, but only an editor in another, allowed to modify tasks but not to manage users.

Multi-tenant RBAC ensures that permissions apply in the correct context, without unauthorized overlap between tenants.

In this guide, we'll look at the importance of multi-tenant authorization and show how to implement it effectively using Permit.io.

You'll learn how to structure policies, manage roles per tenant, and handle fine-grained permissions.

Let's dive in.

Why Is Multi-Tenant Authorization Important?

Multi-tenant authorization is essential for applications where users interact with multiple isolated environments, such as SaaS platforms, enterprise systems, and cloud applications.

Managing Access Across Tenants

With multi-tenancy, each tenant gets access controls tailored to its own needs. Because a user can hold different roles and permissions in different tenants, multi-tenancy lets each tenant's permissions be managed and enforced independently.

This way, multi-tenant authorization keeps sensitive data from leaking between tenants and ensures users hold the right permissions within each tenant.

Example: a cloud storage platform where each customer (tenant) stores sensitive data. Strict access control is essential so that users from one tenant cannot view or modify data belonging to another.

But can't plain RBAC do that?

Why Traditional RBAC Falls Short for Multi-Tenant Authorization

It all comes down to the limits of RBAC. Once an application is in production, RBAC becomes rigid and hard to scale. Here are the aspects of multi-tenancy it fails to handle:

  • Static Roles Don't Scale Across Tenants:

    In a traditional RBAC implementation, roles usually apply globally across an application. This means a user assigned an Editor role might have access to edit all resources, even across tenants where they shouldn't have permissions.

    This problem can present itself as simply as:

    A project management app where a user is an Editor in one team but should only have Viewer access in another.

    Multi-Tenant RBAC allows roles to be scoped per tenant, so a user can be an Editor in one organization and a Viewer in another without unnecessary role duplication. Speaking of role duplication -


  • The Role Explosion Problem

    A basic RBAC model can start simple: Admin, Editor, Viewer. As more users and resource types are introduced, a role explosion can occur. If we take our previous example where a single user needs to be an Editor in one team but a Viewer in another, you can easily end up with something like this:

    • Editor_TeamA
    • Editor_TeamB
    • Viewer_TeamA
    • Viewer_TeamB
    • … and so on for every additional team / potential tenant.

    This makes the system hard to manage and difficult to update without breaking access rules.

    Multi-Tenant RBAC removes the need for tenant-specific roles by dynamically assigning roles within each tenant instead of hardcoding them.


  • Multi-Tenant Authorization Requires Granularity

    RBAC is often too restricted when handling permissions at a granular level. It typically lacks built-in mechanisms to define resource-level or conditional access policies.

    Think of this policy:

    "Editors can only modify their own photos"

    How simple is that? The thing is - there’s no way RBAC can support such a policy without implementing additional logic. Especially at scale.


Before diving into implementation and best practices, let's look at some commonly used multi-tenancy models:

Multi-Tenant Models

Multi-tenant authorization is used in many kinds of applications. Here are some common tenancy models:

  1. Accounts – Used in consumer SaaS applications, where each user is tied to a single account (e.g. Google Drive, Dropbox).
  2. Organizations – Enterprise applications, where a company (organization) has multiple users with multiple roles (e.g. Slack, Notion).
  3. Groups – Useful for collaborative environments, where users are grouped according to how they collaborate (e.g. GitHub teams, project workspaces).
  4. Franchises – Systems where a business operates under a franchise model: each franchise works independently but reports to a central structure (e.g. restaurant management systems).

All of these models rely on multi-tenant authorization to ensure proper isolation and tenant-specific permissions.

With the benefits of multi-tenant authorization covered, let's move on to implementation.

Best Practices for Implementing Multi-Tenant Authorization

Effective management of roles, permissions, and isolation across tenants is essential for multi-tenant applications.

Structuring Your Multi-Tenant Authorization Strategy

Before implementing anything, it's important to design your multi-tenant authorization model. The goal is to make sure every tenant has separate, manageable access controls for its users. Here are the key components you should define when applying an RBAC model:

  • Users: The people who use the system. Each user can belong to multiple tenants.
  • Tenants: The isolated environments in which users operate (like an Account, Organization, or Workspace).
  • Roles: Sets of permissions assigned to users within a tenant.
  • Resources: The objects (e.g. photos, documents) users interact with, managed independently per tenant.
  • Policies: The rules that define which roles may perform which actions on which resources.

By defining these components, you can build a flexible and scalable authorization system tailored to your application's needs.

Structuring Multi-Tenant Requests

Since a single user can exist in multiple tenants, the system must ensure that:

  1. Role assignments are per tenant – a user's permissions are tied to one specific tenant.
  2. Resources belong to tenants – each resource is bound to exactly one tenant.
  3. Policies are evaluated dynamically – when a user makes a request, the system checks the user's role within the tenant the request concerns.
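The three rules above, as an added example that is not code from the article or from Permit.io: a small in-memory model with one shared role vocabulary (the schema) and per-tenant role assignments and resource ownership (the data). The tenant names, user keys, task resources and the check(user, action, { resource, tenant }) helper are all constructed for illustration; the helper only mirrors the shape of the permit.check() call shown later in the article and is a local stand-in, not the Permit.io SDK.

```javascript
// Schema: one shared role vocabulary, reused by every tenant (constructed sample).
const ROLE_PERMISSIONS = {
  admin:  ["task:create", "task:read", "task:update", "task:delete"],
  editor: ["task:create", "task:read", "task:update"],
  viewer: ["task:read"],
};

// Data: role assignments keyed tenant -> user -> roles. The same user key holds
// different roles in each tenant, so no Editor_TeamA / Editor_TeamB roles are needed.
const ROLE_ASSIGNMENTS = {
  "team-a": { alice: ["admin"], bob: ["editor"] },
  "team-b": { alice: ["editor"], bob: ["viewer"] },
};

// Data: every resource instance belongs to exactly one tenant (constructed sample).
const RESOURCES = {
  "task-1": { type: "task", tenant: "team-a" },
  "task-2": { type: "task", tenant: "team-b" },
};

// Roles a user holds in one tenant only; assignments never leak across tenants.
function rolesInTenant(user, tenant) {
  const tenantAssignments = ROLE_ASSIGNMENTS[tenant] || {};
  return tenantAssignments[user] || [];
}

// Tenants a given user is a member of.
function tenantsOf(user) {
  return Object.keys(ROLE_ASSIGNMENTS).filter((t) => rolesInTenant(user, t).length > 0);
}

// Local stand-in for a policy decision. Deny by default: an unknown resource, a
// resource outside the tenant in context, or no role in that tenant granting the
// action all return false, so an admin of team-a cannot touch team-b's tasks.
function check(user, action, { resource, tenant }) {
  const meta = RESOURCES[resource];
  if (!meta || meta.tenant !== tenant) return false;
  const needed = `${meta.type}:${action}`;
  return rolesInTenant(user, tenant).some((role) =>
    (ROLE_PERMISSIONS[role] || []).includes(needed)
  );
}

// Stand-alone demo: one user, two tenants, two different roles.
console.log(tenantsOf("alice"));                                                  // [ 'team-a', 'team-b' ]
console.log(check("alice", "delete", { resource: "task-1", tenant: "team-a" }));  // true  (admin in team-a)
console.log(check("alice", "delete", { resource: "task-2", tenant: "team-b" }));  // false (only editor in team-b)
console.log(check("alice", "read",   { resource: "task-2", tenant: "team-a" }));  // false (task-2 belongs to team-b)
```

The point to notice is that the cross-tenant check fails on the resource's tenant, not on the role: the caller must always pass the tenant the request concerns, and the decision is made against that tenant's assignments alone.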

Implementing Multi-Tenant Authorization: Separating Schema from Data

A central challenge in multi-tenant systems is how roles and policies are managed. In many systems, roles and policies are tightly coupled to application data. That becomes a problem when policies need to change, because you may have to modify both the role assignments and the application data.

To optimize for scalability:

  • Store roles, assignments, and policies in a dedicated authorization system (e.g. Permit.io), keeping application data separate from authorization logic.
  • This lets you update roles or permissions dynamically without touching the data itself or the application's codebase.

Permit.io's no-code policy management UI allows you to make policy changes without ever touching the codebase.

This is also true for handling role assignments for multiple tenants.

Use One Source of Truth - The PDP (Policy Decision Point)

One of the critical concepts in optimizing multi-tenant authorization is using a single source of truth for policy decisions.

Instead of spreading user data and access rules across every service or user database, a Policy Decision Point (PDP) acts as the central point where all access decisions are made.


Benefits of using a PDP:

  • Consistency: The PDP ensures every request from the application is evaluated against the same set of rules when authorization decisions are made.
  • Dynamic Policy Updates: Changes to policies or role assignments only need to be applied in one place, the PDP. This centralization avoids updating multiple places in your codebase or databases.
  • Reduced Error Surface: With a single decision point, you reduce the risk of inconsistent permissions across services and applications.

Extending RBAC with Relationship-Based Access Control (ReBAC)

While RBAC provides a solid foundation for multi-tenant authorization, there are cases where Relationship-Based Access Control (ReBAC) can provide more granular access.

RBAC defines permissions by the roles assigned to users, but ReBAC goes one step further by defining permissions based on the relationships between resources and users. This is especially useful when applications involve nested or hierarchical resources.

For example, in a document management system, a user may have access to a folder, and that folder contains several documents. With RBAC, you would have to create roles such as Folder Editor or Document Viewer. With ReBAC, however, you can express this as:

"A user can edit a document if they are an editor of the folder that contains the document."

This keeps the permission model flexible and scalable as resources are nested and grow in number.

Role derivation allows for the dynamic assignment or inheritance of roles based on certain conditions or relationships. This allows roles to be contextually derived based on a user's relation to a resource, for example.

Benefits of ReBAC:

  • Contextual Permissions: Grants access based on real-world relationships (e.g. a user is the editor of a project and can therefore access all of its related resources).
  • Reduced Role Explosion: No need to create a role for every combination of user and resource type, because relationships define access dynamically.

By extending RBAC with ReBAC, you can handle complex access control scenarios where the relationships between tenants and resources determine permissions.
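The folder/document rule and role derivation described above, as an added example that is not code from the article or from Permit.io. The relationship graph, the instance roles, the derivation rules and the helper names (rolesOn, canAccess) are all constructed for illustration; the derivation rules are written in the same spirit as "folder editor implies document editor" but are not a Permit.io configuration.

```javascript
// Relationships between resource instances: "subject is <relation> of object".
// Constructed sample: a nested folder tree with documents in the leaves.
const RELATIONS = [
  { subject: "folder:root",    relation: "parent", object: "folder:reports" },
  { subject: "folder:reports", relation: "parent", object: "doc:q1" },
  { subject: "folder:reports", relation: "parent", object: "doc:q2" },
  { subject: "folder:archive", relation: "parent", object: "doc:old" },
];

// Roles assigned directly on resource instances; nothing is assigned per document
// except bob's one direct editor role, everything else is derived.
const INSTANCE_ROLES = [
  { user: "alice", role: "editor", object: "folder:root" },
  { user: "bob",   role: "viewer", object: "folder:reports" },
  { user: "bob",   role: "editor", object: "doc:old" },
];

// Role derivation rules: holding fromRole on a fromType instance that is `via` of
// a toType instance derives toRole on that instance (constructed rules).
const DERIVATIONS = [
  { fromType: "folder", fromRole: "editor", via: "parent", toType: "folder", toRole: "editor" },
  { fromType: "folder", fromRole: "viewer", via: "parent", toType: "folder", toRole: "viewer" },
  { fromType: "folder", fromRole: "editor", via: "parent", toType: "doc",    toRole: "editor" },
  { fromType: "folder", fromRole: "viewer", via: "parent", toType: "doc",    toRole: "viewer" },
];

// What each instance role permits.
const ROLE_ACTIONS = {
  editor: ["read", "update"],
  viewer: ["read"],
};

const typeOf = (object) => object.split(":")[0];

// All roles a user holds on an object: direct assignments plus roles derived
// through relationships, resolved recursively so nested folders work. `seen`
// holds the current path and stops the walk if the graph contains a cycle.
function rolesOn(user, object, seen = new Set()) {
  const roles = new Set(
    INSTANCE_ROLES.filter((r) => r.user === user && r.object === object).map((r) => r.role)
  );
  if (seen.has(object)) return roles;
  const path = new Set(seen).add(object);
  for (const rel of RELATIONS) {
    if (rel.object !== object) continue;
    const subjectRoles = rolesOn(user, rel.subject, path);
    for (const rule of DERIVATIONS) {
      if (rule.via === rel.relation && rule.fromType === typeOf(rel.subject) &&
          rule.toType === typeOf(object) && subjectRoles.has(rule.fromRole)) {
        roles.add(rule.toRole);
      }
    }
  }
  return roles;
}

// Permission check: any held role (direct or derived) granting the action suffices.
function canAccess(user, action, object) {
  return [...rolesOn(user, object)].some((role) => (ROLE_ACTIONS[role] || []).includes(action));
}

console.log([...rolesOn("alice", "doc:q1")]);        // [ 'editor' ]  (root -> reports -> q1)
console.log(canAccess("bob", "update", "doc:q1"));  // false (bob only views the folder)
console.log(canAccess("alice", "read", "doc:old")); // false (no relationship to archive)
```

Alice has exactly one assignment, on the top-level folder, and still ends up as an editor of every document under it; adding a document to a folder changes no role assignments at all, which is the role-explosion problem disappearing.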

Implementing Multi-Tenant Authorization with Permit.io

Permit.io offers a straightforward way to implement multi-tenant authorization by letting you define roles, resources, and access policies across different tenants.

// Hand-rolled check: role and tenant are compared inline in application code.
if (user.role === "admin" && user.tenant === resource.tenant) {
    return true;
}

A traditional, static if statement implementing multi-tenancy by hand.

const permitted = await permit.check(user, "read", {
    resource: "document",
    tenant: "default"
});

if (permitted) {
    return true;
}

Using permit.check() for a multi-tenant RBAC check.

Here's how multi-tenant RBAC authorization can be implemented in Permit.io:

  • Define Roles, Resources, and Actions: To get started, first define your resources (e.g., documents, photos, tasks) and the actions that can be performed on them (e.g., create, read, update, delete).
    • Add a new resource (e.g., blog) to represent the type of object you want to control access to.
    • Specify the resource's key, which will be used in your API calls.
    • Define the actions users should be able to perform on the resource (e.g., create, read, update, delete).
    • The screenshot shows an example where blog is the resource, and actions are defined for it.

  • Define the Access Control Policy:

    You’ll specify what actions each role can perform on each resource. For example, in the screenshot, roles like admin, public, and Writer are defined, and the policy is set up to specify which actions are permitted for each role.

  • Define the Tenants in the Directory:

    Each tenant can have its own set of roles, permissions, and policies.

    To create tenants:

    • Go to the Directory screen and click on Settings.
    • Define the tenants you need (e.g., Tenant 1, Tenant 2, etc.).

    The screenshot illustrates how different tenants are created and managed in Permit.io.

  • Create Users and Assign Roles:

    Once the tenants are defined, you can create users and assign them roles specific to each tenant. This ensures that the same user can have different roles in each tenant, depending on what permissions they need.

    To create a new user:


    • Click Add User in the Directory screen.

    • Assign the user a unique key and other user details (e.g., email, first name).

    • In the Permissions Per Tenant section, you can assign the user roles specific to the tenant to which they belong.

      For instance, the user could be an Admin in Tenant 1 and a Writer in Tenant 2, as shown in the screenshot:


Now we can see all our users and the roles assigned to each of them in each tenant:

Some key benefits of using Permit.io for multi-tenant authorization include:

  • Centralized Policy Management: Define and manage all of your authorization rules and policies from a single platform. This keeps policies consistent and easier to manage across your tenants.
  • Tenant-Specific Role Assignment: Define and manage roles per tenant, so a user can hold different roles in different tenants (e.g. Admin in one tenant, Viewer in another).
  • Fine-Grained Permissions: Apply specific permissions per resource and manage granular permissions (based on attributes or relationships) without writing extra custom logic.
  • ReBAC Support: Permit.io combines the classic RBAC model with ReBAC, so you can define policies based not only on user roles but also on the relationships between users and resources. This is especially useful for contextual requirements, such as granting access to resources according to organizational structure or hierarchy.

Conclusion: Multi-Tenant Authorization with RBAC

In this post we covered the importance of multi-tenant authorization and how Role-Based Access Control (RBAC) provides a consistent, scalable way to manage user permissions across tenants.

We looked at the limitations of traditional RBAC in multi-tenant applications and how Multi-Tenant RBAC solves problems such as static roles, role explosion, and fine-grained access control.

With multi-tenant authorization, each tenant can define its own access rules, ensuring that users can only reach the data that belongs to their own tenant.

Permit.io makes implementing multi-tenant authorization straightforward, with centralized policy management, tenant-specific role assignments, fine-grained permissions, and support for Relationship-Based Access Control (ReBAC).

What’s Next?

  • Explore the Permit.io documentation to start implementing multi-tenant authorization in your application.
  • Join the Permit.io community to connect with other developers and get support.

