
dguhr-rh

01/10/2023, 12:21 PM
Hey 👋 say you are providing a multi tenant platform, where some (100 to 1000) tenants (organizations) are on as "customers", and you want to use authzed as a way to provide access management from platform level over control plane level to data plane level, so use cases range from "as a platform support engineer for customer X, I need to be able to access (a subset of) X's resources when on-call" ("platform") over "as a service provider of an SaaS solution, I need to be able to set fine grained access permissions around provisioning of my service X for different customers" ("control plane") to "as a service provider inside an org, I want to use authzed as access management solution on the data plane for the users of my service." ("data plane") Other requirements are that users could be tied to multiple tenants, e.g. a user has extended rights in their "home" tenant X, but only reader rights when accessing a service tenant Y provides. To be tied to a tenant should not say anything about access control in the first place (white-listing). Hope this somehow makes sense and some people are willing to discuss a possible model for this 🙂 I've seen https://github.com/authzed/spicedb/issues/204 and understand that instance per-tenant is most secure, but somehow I am not sure it works together with the requirements of "a user can have relations to more than one tenant" and the platform level use cases.. before this gets too long, let's see if anyone has any hint how to model that, because it feels huge for me atm 😉

vroldanbet

01/10/2023, 12:38 PM
Hey @dguhr-rh while I don't necessarily follow some of those requirements, I'm wondering why you are considering multi-tenancy in the first place. Have you tried to do a modelling exercise with the requirements described? For example I've built in the past schemas that had the concept of a "platform" where support engineers were granted temporal access to "organizations".
Physically isolated instances are not meant to interoperate with each other - you lose transactional semantics

dguhr-rh

01/10/2023, 12:40 PM
sure.. I'm right at the start, followed through the github yt vid and looking for some idiomatic ways. But perhaps I should just start modelling something and come back later 🙂 thanks for the quick response so far! I think I'll try to model the concept of a platform into a schema
an example of such a model would be awesome to orientate on, but I guess that's not available, right?

vroldanbet

01/10/2023, 12:40 PM
what we've heard from some customers is that they want to have multiple teams in their engineering org own a section of the schema, and let them interoperate, just like the "Google Docs embeds YouTube video" example in the Zanzibar paper: organizational units of an engineering team interoperating in the same global namespace of permissions.
> an example of such a model would be awesome to orientate on, but I guess that's not available, right?
I'm not even sure I have a good grasp on all your requirements, so I wouldn't be able to find a 1:1 mapping example

dguhr-rh

01/10/2023, 12:42 PM
yes, that's a concept I think we also have... we call it "workspaces". think GCP projects etc. - basically an org/tenant can have multiple workspaces, where a workspace is the boundary of isolation for access management, so a user can have admin rights in their home workspace but read rights in another etc.

vroldanbet

01/10/2023, 12:42 PM
but the "support engineer that is granted access to tenants" requirement I'm familiar with. I think there may even be an issue tracking it somewhere with a discussion and suggestions

dguhr-rh

01/10/2023, 12:42 PM
yeh, same for me. as said, I guess I'll just start modelling and see how it goes 🙂
that issue would be interesting indeed 🙂

vroldanbet

01/10/2023, 12:43 PM
yeah, the concept of workspace is definitely something you can model into SpiceDB. The GitHub example is very similar: enterprises have orgs, orgs have repos...
then at the top you create a "platform" definition that ties all top level entities together
we'd be happy to help you out with modelling as well

dguhr-rh

01/10/2023, 12:48 PM
it'd be awesome to have e.g. a collab modelling session indeed if you are willing to do one 🙂 but I think I need a little more time to get familiar with authzed and also to gather better requirements. It's even a bit blurry for me, 2nd day after holidays, so I have to understand the (new) problem first

vroldanbet

01/10/2023, 12:50 PM
sounds good! hit us when you feel more comfortable and we can do a live modelling session