Organization and suborganizations share resources - jasperserver

I'm designing a repository for multiple tenants. Each tenant (organization) has multiple sub-organizations which have another sub-sub-organizations and so on.
Some of the resources are accessed by leaf sub-organizations only but some of them are shared among whole organization sub-tree.
Good examples are a company logo or a datasource. A report created in any sub-organization has to be able to access it. I don't know how to design it: suborganizations can't access parent repository items, and I don't want to copy the item into every tree subnode. I can use the public folder, but that's public for all tenants, which must be isolated.
Made up example:
Logo path:
Company1\Human_resources\HR_logo.jpg
Report that should access the logo:
Company1\Human_resources\HR_subdivision1\some_report.jrxml
When I log in as an HR_subdivision1 user I can't access the logo.
How can I share repository items across multiple suborganizations within one tenant?
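The following is an added example, not JasperServer code or anything from the asker: it models the access rule the question is after. A resource published with "inherit" visibility is readable by its owning organization and every sub-organization beneath it, a "private" resource only by its owner, and nothing is ever visible across a tenant boundary. The resolve() method looks up the nearest shared copy of a resource name walking up the requesting organization's path, which is what removes the need to copy the logo into every subnode. The paths and visibility modes are constructed for the example.

```python
# Added example: a model of hierarchical resource sharing within one tenant.
# Not JasperServer's implementation; paths and modes are constructed.
from dataclasses import dataclass, field

SEP = "\\"  # repository paths in the question use backslashes


@dataclass
class Repository:
    # resource path -> visibility mode:
    #   "inherit": visible to the owning org and its whole subtree
    #   "private": visible to the owning org only
    resources: dict = field(default_factory=dict)

    def publish(self, path: str, mode: str = "private") -> None:
        if mode not in ("inherit", "private"):
            raise ValueError("unknown visibility mode: %r" % mode)
        self.resources[path] = mode

    @staticmethod
    def owning_org(path: str) -> tuple:
        # Everything except the last path element is the owning organization.
        return tuple(path.split(SEP)[:-1])

    def can_read(self, user_org: tuple, resource_path: str) -> bool:
        """user_org is an org path tuple, e.g. ("Company1", "Human_resources")."""
        if resource_path not in self.resources:
            return False
        owner = self.owning_org(resource_path)
        # Tenant boundary: the first path element is the tenant; never cross it,
        # whatever the visibility mode says.
        if not user_org or user_org[0] != owner[0]:
            return False
        if user_org == owner:
            return True
        # "inherit" shares downwards only: the owner must be a prefix (ancestor)
        # of the requesting organization, so sibling branches stay isolated.
        return self.resources[resource_path] == "inherit" and user_org[:len(owner)] == owner

    def resolve(self, user_org: tuple, name: str):
        """Nearest readable resource called `name` at or above user_org, within the tenant."""
        for depth in range(len(user_org), 0, -1):
            candidate = SEP.join(user_org[:depth] + (name,))
            if candidate in self.resources and self.can_read(user_org, candidate):
                return candidate
        return None


def build_example_repo() -> Repository:
    # Constructed repository mirroring the question's paths.
    repo = Repository()
    repo.publish(SEP.join(("Company1", "Human_resources", "HR_logo.jpg")), "inherit")
    repo.publish(SEP.join(("Company1", "Human_resources", "HR_subdivision1", "some_report.jrxml")), "private")
    repo.publish(SEP.join(("Company2", "Marketing", "logo.png")), "inherit")
    return repo


if __name__ == "__main__":
    repo = build_example_repo()
    sub1 = ("Company1", "Human_resources", "HR_subdivision1")
    print(repo.resolve(sub1, "HR_logo.jpg"))                       # the shared HR logo
    print(repo.can_read(("Company2", "Marketing"), repo.resolve(sub1, "HR_logo.jpg")))  # False
```

The check that matters for isolation is the tenant test on the first path element: it runs before the inheritance test, so a mis-set "inherit" flag can widen sharing inside a tenant but never leak a resource to another one.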

Related

Multitenancy with KeyCloak

We have a system that utilizes different tenants, where users can be part of one or multiple tenants. You can imagine it as one application, where users can switch between the tenants and see assets related to the selected tenantId.
Our external KeyCloak adviser proposes to use one realm and reflect the different tenants as clients in KeyCloak.
I've read on different sources that it is not advised to use multi-tenancy with one realm, though I am not 100% sure if it applies to our use case.
Additionally we will need to have different groups on the same user, depending on the tenantId.
For example a user could have Group A and B on tenant 1 but only Group B on tenant 2. This doesn't seem to be possible out of the box with KeyCloak.
Which general approach would you suggest?

Keycloak: Optimal Approach for Managing User Hierarchies and Child Groups (Teams)

I scrolled through the documentation of KeyCloak and also set it on my machine to explore.
I also explored fine-grained permissions however I didn't get much detail in documentation around the n-level of nested hierarchies.
Here https://www.keycloak.org/docs/latest/server_admin/ this talks about limiting an admin user to particular client management, however, I want certain users, within the client, to be able to create accounts but with scopes and attributes limited to what's assigned to themselves.
For example:
For a client (ERP>Transactions) we want to create an Org (our customer) Admin who in turn will create teams and team admins. Team admins shall be able to invite their teammates into them.
Now I just want to know if only Keycloak can be used to make sure a user in one Org shouldn't be able to create a user in some other org, in the same way, a team admin shouldn't be able to onboard/invite a user in some other team.
Because if Keycloak in principle can't handle this, our team will start writing custom logic in our application code base for this.

user setup in keycloak with organization information

I am looking for the best recommended approach to create / manage users with organization name and id in Keycloak (through an HTML form).
I read the following documentation but cannot find a straightforward way to manage users there with organization name and Org id.
https://www.keycloak.org/docs/latest/authorization_services/
The approach that I used was using custom attributes, but I am not sure if that is the recommended approach or not.
Step-1, For every user create a custom attribute "OrgId" with a value unique to that organization, let's say 1.
Step-2, For the Client that the user belongs to, define a protocol mapper "OrgId".
Step-3, Create a table for Organization in our system; add an Organization entry there when the first user for that organization is created.
Problem I am trying to solve: We need to keep track of the various actions that users belonging to an organization are doing, such as which organization bought what type of products from our system.
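As an added example (not Keycloak's code and not the asker's), this is the application side of the three steps above. It assumes Keycloak has mapped the "OrgId" user attribute into the access token as a claim through the protocol mapper, and that a JWT library has already verified the token's signature and expiry, so the code below only sees a dict of claims. The organization table and the audit log are in-memory stand-ins; the "OrgName" claim and the claim values are constructed for the example.

```python
# Added example: enforcing the OrgId claim in the application after Keycloak
# has issued the token. Not Keycloak code; claims and storage are constructed.


class TenantError(Exception):
    """Raised when a request cannot be tied to exactly one organization."""


class OrgRegistry:
    def __init__(self):
        # Step 3: the organization table, populated the first time a user of
        # that organization shows up with a valid token.
        self.organizations = {}
        # Audit trail keyed by organization: (org_id, subject, action, detail).
        self.audit = []

    def org_from_claims(self, claims: dict) -> str:
        # "sub" is a standard token claim; "OrgId" is the custom attribute from
        # steps 1 and 2. A token without it is rejected rather than defaulted,
        # because a default org would silently merge tenants.
        org_id = claims.get("OrgId")
        if org_id is None or str(org_id).strip() == "":
            raise TenantError("token carries no OrgId claim")
        org_id = str(org_id).strip()
        if org_id not in self.organizations:
            self.organizations[org_id] = {
                "name": claims.get("OrgName", org_id),  # assumed optional claim
                "first_user": claims.get("sub"),
            }
        return org_id

    def record_purchase(self, claims: dict, product: str, requested_org=None) -> str:
        """Log a purchase for the organization named in the token.

        requested_org models an org id that a client might send in the request
        body; it is only accepted when it matches the token, never instead of it.
        """
        org_id = self.org_from_claims(claims)
        if requested_org is not None and str(requested_org) != org_id:
            raise TenantError("request org does not match the token's OrgId")
        self.audit.append((org_id, claims.get("sub"), "purchase", product))
        return org_id

    def purchases_for(self, org_id: str) -> list:
        return [detail for (org, _sub, action, detail) in self.audit
                if org == str(org_id) and action == "purchase"]


if __name__ == "__main__":
    registry = OrgRegistry()
    # Constructed claims as they would arrive after signature verification.
    alice = {"sub": "alice-uuid", "preferred_username": "alice", "OrgId": "1", "OrgName": "Acme"}
    registry.record_purchase(alice, "Widget")
    print(registry.organizations)
    print(registry.purchases_for("1"))
```

The two rejections are the security-relevant part: a token with no OrgId never reaches the data layer, and an org id supplied by the client is checked against the token instead of being trusted, so the organization column in the audit table always reflects the identity Keycloak asserted.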

How to setup Azure DevOps Repo Read Only Access

Objective: Allow different clients access to only read/pull from my private repo.
Overview:
Listed are the different options that I am aware of:
I could invite the clients and give them access to the Basic access level, but I don't want to have to pay for different users just to read/clone from the repo.
I could create a single user with Basic access level and then create git access tokens for them individually. However, I did not see a way to restrict the access tokens to be project/repo specific. Instead, the access tokens created had the same privileges as the user that created them.
Question: What is the best practice to provide access to an external user to only access the private Azure DevOps repo?
Note: I have seen this link and did not know if there were other options.
To make the user only have read access to all repos in one project:
You may consider making the user a reader instead of contributor or Project Administrators, so the user can have only read access to the repos in one project.
Organization Settings=>Users(General)=>Manage user=> select Project reader.
More details about project readers you can check this document.
To make the user only have read access to one specific repo in one project:
We can control related permissions from Project Settings=>Repositories(Repos)=>Version Control Administrators:
Hope all above helps :)

oData, Yii2, and Dynamic Objects

We have a system built on dynamic objects - so there is a metadata table that describes these objects. For example - Organization A can have a Warehouse Object, a Client Object and a Sales Object. Organization B can have a Sales Object and a Clown Object.
Users authenticate to our rest api built on the Yii2 framework. They authenticate using a call to /user/authenticate and then they query for objects using /object/ for list / create and /object// for Read, Update, Delete.
The issue with this is: If a developer is going to integrate into the service, they would need to know all objects that have been defined in their organization including available fields they are able to read/write to. What we would like to do is provide an option to describe our data.
E.g. My initial thought would be to expose something like /object/metadata in which I would respond with a json list of resources that the user is allowed to access e.g. a Warehouse A user would see Warehouse, Client, Sale. Where a Org B user would see Sales, Clown.
I have been asked to take a look at oData as a specification for this but oData seems to define a whole convention of things (url, searching and filtering etc).
Does it make sense to implement part of the oData Spec or use it as a guide and keep our URLs the same?
Is there a part of the oData spec that would lend itself to the describing of a dynamic resource (e.g. if the user uses our system to add a column to the Sales object - the api should reflect that).
Would appreciate any thoughts on how to design / proceed with this requirement.
Thank you!
I created the following solution:
extend dektrium/yii2-rbac, where a company column is added to assignments
in each module (warehouse, invoices, ...) role objects are created
a role object has methods canAssign(), canView(), canRemove() for user administration
the user administration panel collects all roles from all modules (scanned as files) and displays them grouped by module.
This solution allows users to switch between companies, lets a user be assigned different access rights in different companies, and controls which rights a user manager may assign.
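Added example, not the answerer's code and not dektrium/yii2-rbac itself: a model of the design described above, with RBAC assignments carrying a company column and role objects exposing canAssign/canView/canRemove. A user manager can only grant or remove a role in the company they are managing and only if one of their own roles in that company is allowed to grant it, so rights assigned in one company never leak into another. Roles, modules and company names are constructed for the example.

```python
# Added example: company-scoped RBAC assignments with delegated administration.
# Not dektrium/yii2-rbac; role names, modules and companies are constructed.
from collections import defaultdict


class Role:
    def __init__(self, name: str, module: str, grantable_by: tuple):
        self.name = name
        self.module = module          # module that defines the role (warehouse, invoices, ...)
        self.grantable_by = set(grantable_by)  # roles allowed to assign/remove this role


class CompanyRbac:
    def __init__(self, roles):
        self.roles = {r.name: r for r in roles}
        # Assignment table with the added company column: (user, role, company).
        self.assignments = set()

    def roles_of(self, user: str, company: str) -> set:
        return {r for (u, r, c) in self.assignments if u == user and c == company}

    def can_view(self, user: str, role_name: str, company: str) -> bool:
        # Holding a role is always per company; the same user may hold nothing elsewhere.
        return role_name in self.roles_of(user, company)

    def can_assign(self, manager: str, role_name: str, company: str) -> bool:
        role = self.roles.get(role_name)
        if role is None:
            return False
        # The manager's own roles in *this* company must include a granting role.
        return bool(self.roles_of(manager, company) & role.grantable_by)

    def can_remove(self, manager: str, role_name: str, company: str) -> bool:
        return self.can_assign(manager, role_name, company)

    def assign(self, manager: str, user: str, role_name: str, company: str) -> None:
        if not self.can_assign(manager, role_name, company):
            raise PermissionError("%s may not assign %s in %s" % (manager, role_name, company))
        self.assignments.add((user, role_name, company))

    def remove(self, manager: str, user: str, role_name: str, company: str) -> None:
        if not self.can_remove(manager, role_name, company):
            raise PermissionError("%s may not remove %s in %s" % (manager, role_name, company))
        self.assignments.discard((user, role_name, company))

    def roles_by_module(self) -> dict:
        # What the administration panel shows: roles grouped by defining module.
        grouped = defaultdict(list)
        for role in self.roles.values():
            grouped[role.module].append(role.name)
        return {m: sorted(names) for m, names in grouped.items()}


def build_example_rbac() -> CompanyRbac:
    rbac = CompanyRbac([
        Role("company_admin", "core", ("company_admin",)),
        Role("warehouse_manager", "warehouse", ("company_admin",)),
        Role("warehouse_viewer", "warehouse", ("company_admin", "warehouse_manager")),
        Role("invoice_editor", "invoices", ("company_admin",)),
    ])
    # Bootstrap: alice administers "acme" only; nobody has been set up for "globex".
    rbac.assignments.add(("alice", "company_admin", "acme"))
    return rbac


if __name__ == "__main__":
    rbac = build_example_rbac()
    rbac.assign("alice", "bob", "warehouse_manager", "acme")
    rbac.assign("bob", "carol", "warehouse_viewer", "acme")
    print(rbac.roles_by_module())
    print(rbac.can_view("carol", "warehouse_viewer", "acme"), rbac.can_view("carol", "warehouse_viewer", "globex"))
```

The company key is part of every lookup, including the manager's own authorization, which is what keeps a company admin of one company from granting roles in another even though the user account is shared.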