I think you need to put the tenant-level data access down at the DAO level in your application, and your Shiro Realm would use those DAOs such that the current tenant is not known or cared about by Shiro. In this case you would not need Administrator Cust A, Administrator Cust B... To Shiro, you would load a user and obtain their roles, but this data, unbeknown to Shiro, happens to be tenant specific, since the DB queries are tenant specific (tenant separation controlled by some other means).

What I really mean above is that having tenant data independence controlled by the security level is less preferable, IMO, to constructing your data access queries such that it would never be possible for one tenant to be able to access the data belonging to another tenant.

Marcus.

From: Bellan Saravanan [mailto:[email protected]]
Sent: 29 December 2011 10:16
To: [email protected]
Subject: multi tenant authorization

We are working on a multi tenant application and are considering Shiro, and I need some advice. Let me explain a bit about the application.

The major entities in the application are,

- Customer/Tenant
- Product
- Deal
  + source tenant
  + target tenant

These are the following roles in the application,

- Administrator
- User

The above roles are 'Customer' specific in that they only apply to the Objects owned by the 'Customer'. There is also a role 'Super Admin' who can manage data for any customer.

1. To limit each customer's users to their own data, I'm thinking I would need to create multiple 'Administrator' roles like 'Administrator_Cust_A', 'Administrator_Cust_B' so that I can assign permission strings like the following to those roles,

<customer>:<entity>:<action>:<instance>

Cust_A:Product:manage:* (Assign the permission to 'Administrator_Cust_A' role)
Cust_B:Product:manage:* (Assign the permission to 'Administrator_Cust_B' role)

and I can assign '*:*' to the 'Super Admin' role. Is there a better way to manage this without creating these multiple 'Administrator' roles?

2. There can also be 'Deals' between 2 customers for which the 'source' can edit the deal and the 'target' can only view the deal. If 'Customer A' is the source and 'Customer B' is the target of a deal, then I can have permissions like,

Assign the following permission to 'Administrator_Cust_A' role

- Cust_A:Deal:manage:*

and assign the following permissions to 'Administrator_Cust_B' role

- Cust_B:Deal:manage:*
- Cust_A:Deal:view:<dealId>

Please let me know of any suggestions.

Thanks,
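
One way to keep a single generic 'Administrator' role while still using the `<customer>:<entity>:<action>:<instance>` strings from the thread is to have the Realm prefix permissions with the tenant id stored on the user record. This is an added example, not code from either poster or from the Shiro project; `TenantPermissions`, `Deal`, `authorize`, `permitted` and the sample data are assumptions, and it needs shiro-core on the classpath.

```java
import java.util.List;
import java.util.Set;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.WildcardPermission;

// Added example; class, method and sample names are hypothetical.
public class TenantPermissions {
    record Deal(String id, String sourceTenant, String targetTenant) {} // constructed shape

    // Builds what a Realm's doGetAuthorizationInfo could return for one user.
    // tenantId and deals must come from stored records, never from request input.
    static SimpleAuthorizationInfo authorize(String tenantId, Set<String> roles, List<Deal> deals) {
        if (!tenantId.matches("[A-Za-z0-9_]+")) // keep ':', '*' and ',' out of permission strings
            throw new IllegalArgumentException("bad tenant id");
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        roles.forEach(info::addRole);           // generic names only, no per-tenant roles
        if (roles.contains("Super Admin")) {
            info.addStringPermission("*:*");    // any tenant, any entity
            return info;
        }
        if (roles.contains("Administrator")) {
            info.addStringPermission(tenantId + ":Product:manage:*");
            info.addStringPermission(tenantId + ":Deal:manage:*");
            for (Deal d : deals)                // target side: view that one deal only
                if (d.targetTenant().equals(tenantId))
                    info.addStringPermission(d.sourceTenant() + ":Deal:view:" + d.id());
        }
        return info;
    }

    // True if any granted permission implies the requested one (WildcardPermission matching).
    static boolean permitted(SimpleAuthorizationInfo info, String requested) {
        WildcardPermission want = new WildcardPermission(requested);
        Set<String> granted = info.getStringPermissions();
        return granted != null
            && granted.stream().anyMatch(p -> new WildcardPermission(p).implies(want));
    }

    public static void main(String[] args) {
        List<Deal> deals = List.of(new Deal("d1", "Cust_A", "Cust_B")); // constructed sample
        SimpleAuthorizationInfo adminB = authorize("Cust_B", Set.of("Administrator"), deals);
        System.out.println(permitted(adminB, "Cust_B:Product:manage:p7")); // own tenant's product
        System.out.println(permitted(adminB, "Cust_A:Deal:view:d1"));      // deal target, view
        System.out.println(permitted(adminB, "Cust_A:Deal:manage:d1"));    // deal target, edit
        System.out.println(permitted(adminB, "Cust_A:Product:manage:p7")); // other tenant's product
    }
}
```

The permission check is a second layer here: the queries that load `deals` and the user record still have to be tenant-scoped in the DAO, as the reply at the top of the thread recommends.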
