How to share data with tenants in abp - share

All tenants can use accounts info. (Head office is a tenant)
All accounts can use branch office data
Branch office admin can only use its own data
Head office can use all branch offices' data

In ASP.NET Boilerplate, tenants are not hierarchical. Theoretically, a tenant's data must be isolated from another tenant's data. If your "tenants" share data with each other, then they shouldn't be tenants. You can use Organization Units for this purpose. Organization units can be used to hierarchically group users and entities.

Related

Multitenancy with KeyCloak

We have a system that utilizes different tenants, where users can be part of one or multiple tenants. You can imagine it as one application, where users can switch between the tenants and see assets related to the selected tenantId.
Our external KeyCloak adviser proposes to use one realm and reflect the different tenants as clients in KeyCloak.
I've read in different sources that it is not advised to use multi-tenancy with one realm, though I am not 100% sure if it applies to our use case.
Additionally, we will need to have different groups on the same user, depending on the tenantId.
For example, a user could have Group A and B on tenant 1 but only Group B on tenant 2. This doesn't seem to be possible out of the box with KeyCloak.
Which general approach would you suggest?

Azure DevOps Change User Identity

I was "david.corbin#companyA.com", now I am "boogie.woogie#companyB.com". Both are AAD-backed identities.
The goal is to change how I authenticate to Azure DevOps so that I have one consistent history without "fracturing" or "historical user".
I have tried (in a playpen environment) various items, but I always end up with there being two distinct identities.
In the past during migrations, Microsoft Support was able to alter identities, but I am looking for a solution that does not involve opening a bunch of support tickets.
I am afraid there is no solution that lets you resolve this issue by yourself.
If you have already added the new account boogie.xxxx#companyB.com to the organization, we could not map the old david.xxxx#companyA.com to their Azure AD identities.
That is because it will be treated as a new account and assigned a unique VSID when you add the account boogie.xxxx#companyB.com to the organization.
That is also the reason why you always end up with two distinct identities.
To resolve this issue, we need to contact the support team to map the two accounts as one in the backend. You could submit a ticket on the Developer Community if you do not want to open a support ticket. Or you could create a technical support ticket from the Azure Portal if you have an Azure support plan.

Designing a Multi-tenant SAAS Database with Postgres RLS

I want to design a multi-tenant SAAS database with PostgreSQL and RLS. I want to be able to host all users and the tenants in the same database and isolate their data with RLS.
In my use case it makes sense for tenants to share certain user data to avoid duplication of that data. The tenants will request a permission from users; these permissions are stored in a permissions table and are used to control the RLS.
However, I need tenants to have user data that's unique to their organization, such as join date or other data. What I need to know is how I can design the database to hold all the organization-specific data. I have thought of using JSONB to store this data, like
user_data_for_tenant
    id
    user_id
    tenant_id
    data JSONB
This data is decided by the tenant from the front-end.
Is this okay? How could I better design the database to fit this use case?
I will be using Supabase for DB, Auth, Storage and other uses, so the RLS can control access.
I would like to suggest the following design for the data management for permissions (AKA User Entity Permissions).
We can have a table that has the tenant users that are mapped to each entity in your SaaS application. There will be permissions like Permission-C, meaning Permission Create, and so on for update, delete and read.
The tenant admins can configure the access level for each of the users in their tenant based on the roles, and we can internally use these roles to manage the policies in PostgreSQL so that the queries work correctly based on the tenant-level restrictions.
In case of having record-level security, we can have all the IDs that can be accessed, like below, against each of the CRUD operations in the database.
The problem with the below approach is that as the data grows, either the column must grow or you need a flat mapping of the IDs and the permissions. There are options to fine-tune this if the approach suits your requirement.
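As an added example (not code from the question or the answer above), the following PostgreSQL script shows one way to combine the shared user table, the per-tenant JSONB extension table and the per-entity CRUD permissions the answer describes, with row-level security policies that enforce both the tenant boundary and the matching grant. Every table, function and policy name, the app.tenant_id / app.user_id session settings and the sample UUIDs are assumptions made for this example; a Supabase deployment would more commonly identify the caller via auth.uid() instead of a session setting.

```sql
-- Added example, not from the question or answer above. Assumes PostgreSQL 13+
-- (gen_random_uuid) and that the application sets the acting tenant and user
-- per transaction with SET LOCAL app.tenant_id / app.user_id (assumed names).

CREATE TABLE tenants (
    id   uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    name text NOT NULL
);

-- One row per person, shared by every tenant (no duplication of user data).
CREATE TABLE app_users (
    id    uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    email text NOT NULL UNIQUE
);

-- Which user may perform which CRUD action on which entity inside a tenant
-- (the Permission-C / R / U / D mapping from the answer).
CREATE TABLE tenant_user_permissions (
    tenant_id uuid NOT NULL REFERENCES tenants(id),
    user_id   uuid NOT NULL REFERENCES app_users(id),
    entity    text NOT NULL,
    action    text NOT NULL CHECK (action IN ('create', 'read', 'update', 'delete')),
    PRIMARY KEY (tenant_id, user_id, entity, action)
);

-- Tenant-specific attributes of a shared user (join date etc.) as JSONB;
-- the CHECK keeps the column an object rather than an arbitrary scalar/array.
CREATE TABLE user_data_for_tenant (
    id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    user_id   uuid NOT NULL REFERENCES app_users(id),
    tenant_id uuid NOT NULL REFERENCES tenants(id),
    data      jsonb NOT NULL DEFAULT '{}'::jsonb CHECK (jsonb_typeof(data) = 'object'),
    UNIQUE (user_id, tenant_id)
);

-- Session context. missing_ok = true yields NULL when the setting was never
-- set, so every policy below evaluates to NULL (= deny) instead of true.
CREATE FUNCTION current_tenant_id() RETURNS uuid LANGUAGE sql STABLE AS
$$ SELECT nullif(current_setting('app.tenant_id', true), '')::uuid $$;

CREATE FUNCTION current_user_id() RETURNS uuid LANGUAGE sql STABLE AS
$$ SELECT nullif(current_setting('app.user_id', true), '')::uuid $$;

CREATE FUNCTION has_permission(p_entity text, p_action text) RETURNS boolean
LANGUAGE sql STABLE AS $$
    SELECT EXISTS (
        SELECT 1 FROM tenant_user_permissions p
        WHERE p.tenant_id = current_tenant_id()
          AND p.user_id   = current_user_id()
          AND p.entity    = p_entity
          AND p.action    = p_action)
$$;

-- FORCE applies the policies to the table owner too; only superusers and
-- roles with BYPASSRLS still see everything.
ALTER TABLE user_data_for_tenant ENABLE ROW LEVEL SECURITY;
ALTER TABLE user_data_for_tenant FORCE ROW LEVEL SECURITY;

-- Each policy pins rows to the active tenant AND requires the matching grant.
CREATE POLICY p_read ON user_data_for_tenant FOR SELECT
    USING (tenant_id = current_tenant_id() AND has_permission('user_data_for_tenant', 'read'));
CREATE POLICY p_create ON user_data_for_tenant FOR INSERT
    WITH CHECK (tenant_id = current_tenant_id() AND has_permission('user_data_for_tenant', 'create'));
CREATE POLICY p_update ON user_data_for_tenant FOR UPDATE
    USING (tenant_id = current_tenant_id() AND has_permission('user_data_for_tenant', 'update'))
    WITH CHECK (tenant_id = current_tenant_id());
CREATE POLICY p_delete ON user_data_for_tenant FOR DELETE
    USING (tenant_id = current_tenant_id() AND has_permission('user_data_for_tenant', 'delete'));

-- Constructed sample data: alice is shared; Tenant A holds read + create on
-- her per-tenant record, Tenant B holds no grant at all.
INSERT INTO tenants (id, name) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Tenant A'),
    ('22222222-2222-2222-2222-222222222222', 'Tenant B');
INSERT INTO app_users (id, email) VALUES
    ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'alice@example.invalid');
INSERT INTO tenant_user_permissions (tenant_id, user_id, entity, action) VALUES
    ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'user_data_for_tenant', 'read'),
    ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'user_data_for_tenant', 'create');

-- Acting as Tenant A: the INSERT has to satisfy p_create, the SELECT p_read.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
SET LOCAL app.user_id   = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
INSERT INTO user_data_for_tenant (user_id, tenant_id, data)
    VALUES ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', '11111111-1111-1111-1111-111111111111',
            '{"join_date": "2024-01-15"}');
SELECT user_id, data->>'join_date' AS join_date FROM user_data_for_tenant;
COMMIT;

-- Acting as Tenant B: p_read filters out rows of other tenants, so Tenant A's
-- record is invisible here even though it is the same shared user.
BEGIN;
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
SET LOCAL app.user_id   = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
SELECT user_id, data FROM user_data_for_tenant;
COMMIT;
```

Run the session blocks as the application's ordinary database role, not as a superuser, since superusers and BYPASSRLS roles skip policies entirely. The permissions table itself is deliberately left without RLS here; in a real deployment it needs its own policies (or should only be reachable through a SECURITY DEFINER function) so that tenant admins can grant access only inside their own tenant, otherwise the grant table becomes the way around the data policies.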

Can I register multiple tenants within a single Azure Purview account?

I would like to register multiple tenants on the same purview account. Is this possible?
No, currently in order to scan another tenant's data source, you need to create a separate Azure Purview account in that tenant.

One realm per organization

I am trying to figure out how to model my app.
In the app, users belong to organizations and each org can have multiple users. Also, each org can have its own password policies for its users, decided by the org admin.
What would be a good way to model this in Keycloak?
I thought about creating a new realm via the REST API every time a new org account is created. Each realm maps to an organization.
My client (web app) will have to be shared between the realms.
Is this kind of use case documented anywhere?
Thanks