Hey 👋 say you are providing a multi tenant platform, where some (100 to 1000) tenants (organizations) are on as "customers", and you want to use authzed as a way to provide access management from platform level over control plane level to data plane level, kinda "one thing to rule them all" style, so use cases range from "as a platform support engineer for customer X, I need to be able to access (a subset of) X's resources when on-call" ("platform") over "as a service provider of an SaaS solution, I need to be able to set fine grained access permissions around provisioning of my service X for different customers" ("control plane") to "as a service provider inside an org, I want to use authzed as access management solution on the data plane for the users of my service." ("data plane") Other requirements are, that users could be tied to multiple tenants, e.g. user has extended rights in their "home" tenant X, but only reader rights when accessing a service tenant Y provides. To be tied to a tenant should not say anything about access control in the first place (white-listing). Hope this makes somehow sense and some people are willing to discuss a possible model for this 🙂 I've seen https://github.com/authzed/spicedb/issues/204 and understand that instance per-tenant is most secure, but somehow I am not sure it works together with the requirements of "a user can have relations to more than one tenant" and the platform level use cases. Also I think visibility might get hard when you have something like a "my access" tab that should provide you with an overview about everything you have access to, no matter the tenant. This would imply multiple calls to different instances and then aggregating i guess.. before this gets too long, let's see if anyone has any hint how to model that, because it feels huge for me atm 😉

Hey @dguhr84 while I don't necessarily follow some of those requirements, I'm wondering why are you considering multi-tenancy in the first place. Have you tried to do a modelling exercise with the requirements described? For example I've built in the past schemas that had the concept of a "platform" where support engineers where granted temporal access to "organizations".

sure.. I'm right at the start, followed through the github yt vid and looking for some idiomatic ways. But perhaps I should just start modelling something and come back later 🙂 thanks for the quick response so-far! I think I'll try to model the concept of a platform into a scheme

what we've heard from some customers is that the want to have multiple teams in their engineering org own a section of the schema, and let them interoperate, just like the "Google Docs embeds Youtube video" example in the Zanzibar paper: organizational units of an engineering team interoperating in the same global namespace of permissions.

yes, that's a concept I think we also have... we call it "workspaces". think GCP projects etc. - basically an org/tenant can have multiple workspaces, where a workspace is the boundary of isolation for access management, so a user can have admin rights in their home workspace but read rights in another etc

but the "support engineer that is granted access to tenants" requirement im familiar with. I think there may be even a issue tracking it somewhere with a discussion and suggestions

yeh, same for me. as said, I guess I'll just start modelling and see how it goes 🙂

yeah, the concept of workspace is definitely something you can model into SpiceDB. GitHub example is very similar: enterprises has orgs, orgs have repos...

it'd be awesome to have e.g. a collab modelling session indeed if you are willing to do one 🙂 but I think I need a little more time to get familiar with authzed and also to gather better requirements. It's even a bit blurry for me, 2nd day after holidays, so have to understand the (new) problem first

sounds good! hit us when you feel more comfortable and we can do a live modelling session