We are working on a multi tenant application and are considering Shiro and I
need some advice. Let me explain a bit about the application.
The major entities in the application are,
- Customer/Tenant
- Product
- Deal + source tenant + target tenant
These are the roles in the application,
- Administrator
- User
The above roles are 'Customer' specific in that they only apply to the Objects
owned by the 'Customer'.
There is also a role 'Super Admin' who can manage data for any customer.
1.
To limit each customer's users to their own data, I'm thinking I would need to
create multiple 'Administrator' roles like 'Administrator_Cust_A',
'Administrator_Cust_B' so that I can assign permission strings like the
following to those roles,
<customer>:<entity>:<action>:<instance>
Cust_A:Product:manage:* (Assign the permission to 'Administrator_Cust_A' role)
Cust_B:Product:manage:* (Assign the permission to 'Administrator_Cust_B' role)
and I can assign '*:*' to the 'Super Admin' role.
Is there a better way to manage this without creating these multiple
'Administrator' roles?
2.
There can also be 'Deals' between 2 customers for which the 'source' can edit
the deal and the 'target' can only view the deal. If 'Customer A' is the source
and 'Customer B' is the target of a deal, then I can have permissions like,
Assign the following permission to 'Administrator_Cust_A' role
- Cust_A:Deal:manage:*
and assign the following permissions to 'Administrator_Cust_B' role
- Cust_B:Deal:manage:*
- Cust_A:Deal:view:<dealId>
Please let me know of any suggestions.
Thanks,
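As an added example (not part of the original post or of Shiro itself), the following Java snippet feeds the permission strings proposed above through Shiro's `WildcardPermission` to confirm that the scheme actually isolates tenants: each administrator reaches only its own customer's objects, the target of a deal can view that one deal but not edit it or see other deals, and the short `*:*` held by Super Admin implies every longer permission string. The role-to-permission map and the deal id `42` are assumptions made for illustration.

```java
import java.util.List;
import java.util.Map;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

/**
 * Checks how the permission strings from the post resolve under Shiro's
 * wildcard matching. Role names and deal id "42" are assumed for illustration.
 */
public class TenantPermissionCheck {

    // Role -> permission strings, as laid out in the post
    static final Map<String, List<String>> ROLE_PERMS = Map.of(
        "Administrator_Cust_A", List.of("Cust_A:Product:manage:*", "Cust_A:Deal:manage:*"),
        "Administrator_Cust_B", List.of("Cust_B:Product:manage:*", "Cust_B:Deal:manage:*",
                                        "Cust_A:Deal:view:42"),   // Cust_B is target of deal 42
        "Super Admin",          List.of("*:*")
    );

    /** True if any permission string held by the role implies the requested one. */
    static boolean isPermitted(String role, String requested) {
        Permission wanted = new WildcardPermission(requested);
        for (String held : ROLE_PERMS.getOrDefault(role, List.of())) {
            if (new WildcardPermission(held).implies(wanted)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Tenant isolation: an administrator only reaches its own customer's data
        check("Administrator_Cust_A", "Cust_A:Product:manage:17", true);
        check("Administrator_Cust_B", "Cust_A:Product:manage:17", false);
        // Deal sharing: the target customer may view exactly one deal, never edit it
        check("Administrator_Cust_B", "Cust_A:Deal:view:42",   true);
        check("Administrator_Cust_B", "Cust_A:Deal:view:43",   false);
        check("Administrator_Cust_B", "Cust_A:Deal:manage:42", false);
        // Super Admin: the two-part "*:*" implies any longer permission string
        check("Super Admin", "Cust_B:Deal:manage:42", true);
    }

    private static void check(String role, String perm, boolean expected) {
        boolean actual = isPermitted(role, perm);
        System.out.printf("%-22s %-26s -> %b%s%n", role, perm, actual,
                          actual == expected ? "" : "  (UNEXPECTED)");
    }
}
```

Running it with shiro-core on the classpath prints one line per check; any line marked UNEXPECTED means a permission string grants more or less than the design intends.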