We are developing a multitenant application with shared schema for a web application. I would like to know the best practices for designing UI strategies.
We will have different roles for saas owners like Adminsitrators, Helpdesk, Account Manager so The SAAS owner may need to have multiple users who will acess the application and do their job.
HelpDesk: If a tenant put up a ticket, helpdesk team shall be able to view and solve.
Account management: Account Managers may need to access the payment information of the tenants for following up the tenants.
ServiceManagers: To perform maintenance and upgrades etc.
In this case
Do we need to have different UI for "Saas owner" and "Tenants" or is it better to manage it with permissions and roles?
Any best practices?
There are many facets to decide on the mode of delivery
In case you prefer to use Micro FrontEnds, admin and tenant functions can be separate. However, the individual functions like help desk,Accounts management can be a separate micro frontend
There should be options for a tenant to white label the UI (custom logo, custom theme, custom layout (more development effort)) etc.
With or without micro frontends, your UI layer should be working based on the permissions that comes as an aggregation of the user's roles (even across tenants).
The UI always has probes to the API to get the permissions and render the various UI components based on the granted permissions to the user.
We used to build custom UI components like custom grid, custom forms etc so that the permissions could be used to show or hide the various UI elements based on the permissions that a user might posses.
Ex: In the context of a Administrator, I will be able to see all the team members, but in the context of a Service Administrator, I will be able to assign members to various tenant functions like help desk, accounting etc which the Administrator will not be able to perform, but can view the mappings.
Similarly, your business requirements will drive the UI, hence if you follow using the permissions for the UI, it is always very fine-grained and easy to manage than depending upon higher levels of abstraction like Roles.
HTH
Related
we have a big distributed and multitenant system with all sorts of accounts :
- admin and backoffice users account
- customer account
- cashier account (tenant : there is one or many more cashier for each client tenant)
All this account are sharing more or less the same lifecycle (account created, grant on some ressources, deny account, password reminder...)
But they are not used in all applications of the system : some account would be used on specific or just two application for example.
Furthermore our system should have the possibility to have a bridge with a CMS for the customer management, or the backoffice users account could be authorized one day against a ldap...
So the question : we are searching for the best way to model our right and authorization service(s).
One idea is to create one service in order to manage all types of accounts of any kind : that is a SOA way to modularize our system
And one idea is to create different services : perhaps much more a micro-service oriented way of thinking...
What are your opinion ? I am searching some advices and feedback on this two different approach or perhaps an alternative that we habve not thought about...
If you are looking for any open-source solution for your problem, you can have a look into keyclaok.
Keycloak also got place in Thoughtworks Technology RADAR.
It is very promising solution and has LDAP, Multi Tenancy support also. checkout keycloak features.
There is paid solution like ForgeRock is also avaible.
Coming to feedback which you have asked about SOA or microservice way of implementation here (You will get different feedback/advice on this)
It will be better if you have a service to take care of access and authorization management and other to look into user details. If you meant that having different services for different account then note that Having one service for taking care account is still considered as Microservice approach as there is one dedicated service to perform single set of tasks.
You can have User-Service for user information management and a authService to handle access and authorization of users. check.
I am using ASP.NET Boilerplate for its multi-tenancy support. When a user log in, I would like to present to the user the list of tenants it has access to. For instance, if a user with email admin#example.com is part of Tenant-A and Tenant-B, would like to offer the choice to switch between tenants.
This does not seem to be easily doable. Each user can be mapped to a single Tenant (AbpUsers table).
What would be the best way to allow a user to access multiple tenants? The only way I think this can be done is by adding a N:M table between User and Tenant, but then will ABP allow me to do context switching between tenants?
By design, tenant data (including users, roles...) are completely isolated from each other and can not be shared easily.
We solved this issue with "Account linking" feature in AspNet Zero. With this feature, you can connect your accounts in different tenants and then switch between accounts with a single click. It basically maps those accounts (users) in database and logs out & logs in automatically when you want to switch. See more info: https://aspnetzero.com/Documents/Development-Guide-Core#user-menu
We are working on new requirement where we need to enable features based on contract with the client. It`s a Saas based software and support multi tenancy. The software by default have basic features enabled.
Basic features
Customer management
Basic billing/invoicing
Notification via email
Payments
Advance feature
Notification over SMS
Workflow
Etc
All the client serviced by same software (Obviously same deployment ) but data will be stored on different database schema.
How to handle basic, advanced, add on, and pro feature in this case?
We are using spring and hibernate.
AFAIK, you should be handling these internally in your application so that the features like notification, workflow are marked as application features and for each tenant, there will be a mapping between the tenant id and the feature so that the tenant has access only to the features that he is subscribed to.
So, when a tenant or his user logs in to the system, we identify the features and the contents that he can access and then show them to the user. This is called as a tenant licensing system.
Also, whenever a feature is consumed, your code should be recording the tenant that consumed that feature and by how much and when and there can be cost associated with units of usage measurements.
For more detailed discussion, please refer here
Though these are all explained in C#, there should be no hinderance in the conceptual understanding.
My manager keeps talking about how I will be "developing" an Application Express "security module", however from what she told me we need to have, I don't see what there would be to develop, seeing as Apex already has authorization/groups which allow for various groups of people to see various content.
Is there something that I am missing? What does she mean by a "module", or is it just general wording?
APEX provides several different ways to authenticate users. One approach is to use the "Application Express" authentication scheme and just to create APEX users. Another approach is to use the "Database Account" authentication scheme and to create Oracle users. A third option is to create a custom authentication scheme and to implement your own user management functionality.
Application Express authentication tends to be the easiest to deploy for a small application but tends to get unwieldy over time. It's hard, for example, to give an application administrator the ability to create APEX accounts. You can't tie an APEX account in to a single sign-on solution. It's not easy to integrate with the permission management systems that other applications use. If you're deploying an application in a large company, the last thing the security department needs is one more place where they need to create user accounts, manage privileges, de-activate accounts when someone leaves or changes roles, etc.
Database authentication tends to be more scalable than APEX authentication since Oracle database account provisioning is likely already part of your organization's authentication and authorization infrastructure. On the other hand, that still means that you're creating an Oracle database user for every user you want to create in your application which probably involves a call to a DBA (technically, you could create database users from your application, but most DBAs are going to be concerned about the security implications of that). If you intend to create an internet-facing application with tens of thousands of users, database accounts may get unwieldy.
I'd wager that the vast majority of medium to large-scale APEX applications use a custom authentication scheme. That may involve creating a USER table where you store the username & the hash of the password or a query against an LDAP/ AD repository. That sort of approach provides the most flexibility since you can code whatever you'd like into the authentication system. You can hook into whatever custom authentication/ single sign-on solution the organization happens to use. It probably makes creating new users from within the application much easier (obviously depending on how the authentication system is designed).
My assumption is that your manager is expecting that you'll be writing a custom authentication scheme for your APEX applications.
I'm looking for ideas / open source frameworks to use for creating individual Analytics for user profiles and all the other profile types. Users will have different custom metrics, businesses willl have seperate metrics, the admin section will have seperate, Advertises will have seperate, etc. So basically the goal is to have 1 framework in place for all Analytics, which will be custom user to user and even use that for the system analytic needs also. It will include data analytics as there will be user ratings/reviews to perfomr data mining on for businesses, USers will have basic reporting on their needs (like friend demographics, filter by different preferences, etc).
System is being developed in cakePhp.
Thanks.
Check out myDBR reporting tool. With myDBR you can easily create reports and include them into your application. myDBR is also written in PHP and can easily be integrated into any existing web-application via Single-Sign On authentication.