I am working on designing a web application for our customers where each customer has a unique portal into the system. Each customer needs to be able to manage their own set of users without concern for other customer's users, thus two different customers need to be able to both have a user jasonsmith.
At the same time, one customers show NOT have any knowledge of the other customer's existences, nor that this is a multi-customer system.
What are the standards today for implementing such a system? Where should I go to learn more about how best to implement such a system.
What you are talking about is called multitenancy.
There are several approaches to this.
Most common approaches are:
Single database
All tenants share the same database. You'll therefore have one tenants table with the information about all tenants. All other tables uses the tenantid as a foreign key.
The problem is that you have to make sure that the user only accesses it's own information (the user can for instance try to change the id in the uri). You'll therefore have to validate each object that the user has tries to access.
Multiple databases
Some database engines (like RavenDB) can handle several databases without a problem. That means that each customer get's its own database (which you load at the beginning of each request after the user have been identified).
So you'll have one db users during the authentication to be able to identify the tenant and one database per customer.
The upside with this solution is that it's impossible for the tenants to access each others database. (unless they've hacked the account)
Related
I'm building my first MVC5 application for Azure and have tracked down all the parts and pieces I need to put it together (User accounts, scaffolding, roles, etc) except one. I need to have users placed in "workgroups" and each user in the workgroup can only see the data associated with that workgroup. For instance, if I have a simple Cars model, users in workgroupA can add/remove/change cars but only within workgroupA. Users in workgroupB would not see any of that data at all when they log in.
C# programming isn't an issue for me, just getting familiar with MVC5. I have previously accomplished this with Django and its built in group management, but need to move to MVC5 and can't seem to find an example that gets me close enough. Can anyone point me toward the best practices for this?
I'm working on a multitenant project management application in ruby on rails and am a bit bogged down with implementing access for users who might not belong to a specific tenant.
For example we have the users Bob and Martha and they belong to a tenant A - alternatively there are two other users namely Jim and Jill who belong to Tenant B. Now we have a client called Mark who is a client to both tenants. Both tenants have projects and I need to build in an accessible form for the client so the client can sign in and view his projects. The thing is that I don't want and obviously no client would want a seperate login for each tenant here. I'm interested in coding the tenant management by myself here however I'm a bit bogged down on how to implement this.
I'm implementing row based tenancy i.e every model would have a reference to the tenant model here and signed in users can edit and add whatever belongs to their tenant. However with respect to a client or a possible case of a consultant user who might require access to more than one tenant - how do I set up the structure here.
Ideally a client would want to be able to sign in and view a list of all projects differed by tenant/company. How can I set up this structure? Also I want to keep this open ended such that it is possible that a user from TenantB might also be a client to TenantA.
The thing is that I don't want and obviously no client would want a seperate login for each tenant here.
They actually do want this, mainly for legal, auditing or security reasons.
Multi-tenancy exactly means the separation of data. So during login or right after that you choose a tenant. After that you only see data exactly of this tenant. There is no break-out later: It's possible to switch to another tenant, but not to merge data of different tenants.
If this is not what you want, consider to redesign your data model: There could be assignments between projects and persons. Customers can have their "own" projects by having a foreign key in projects linking back to the customer. This data model approach differs from using a multi-tenancy approach which is actually a technical means to separate data on row or instance level.
I am learning ASP.NET MVC 3 and trying to create a web application where users can upload some data and manage it.
Here is my problem:
I need to associate users to data in my database therefore I need users to have unique ids. However, users need to be able to log in from multiple membership providers (sql and ldap). So I can't assume their ProviderUserKey is unique nor can I assume what type it is.
What I need is some way to merge the users provided by the different membership providers into one user class that has unique user ids usable in my database. Can anyone give me some pointers on how to do this?
I am new to ASP.NET MVC 3 framework, so I don't know if something like this already exist or not.
E: I want the business logic to be oblivious to how the user logged in. It shouldn't matter to it.
Their ldap email address could provide a good unique identifier, I have used this in a similar situation.
Currently working on a web application in ASP.NET, MVC3 that allows people to view items, and change anything. This is with using my own database that I have created, but this I have found is good for generally viewing anything on the application but not good for security purposes to prevent them seeing particular things, and I do not want to waste my time removing tables and re-adding them.
So... Is there a way to communicate between the ASPNETDB and my own Database which would allow users to login to the web application but also sign up as a customer?
I would solve this using database roles, and only grant the appropriate roles to the user used to login to the two databases.
You have very granular control over what you want a db user to have access to.
Read up on databases and db roles
I am creating an Asp.net MVC application and I'm currently using the built in Authentication/Authorization code that comes with the sample MVC app. For the most part this is working ok and I kinda understand what's going on.
What's concerning me though, is that now I kind of have my users stored in two different tables across two databases. i.e. I have users in my App's database that represent the "Customer" entity in the application, as well as the "User" in the Authentication database that's used to log in someone to the app.
Should I take the logged in user's User.Identity.Name value and do look up in my Customers table or should I merge them into one table? What's the best practice way of handling this?
Please forgive my ignorance - this is the first time I'm working with a system like this.
Any feedback is greatly appreciated!
It's helpful to think of credentials and the records that associate a person to application data as two very different things. Depending on the application, your Customer may not have credentials to log in or you may have an administrative User that logs in but isn't related to your application data.
Separate credentials are also useful if Users access more than one application with different rights for each.
For these reasons, I'd keep Customer and User separate and look one up from the other where appropriate.
You can extend the .Net Membership Provider to take all the information you want and post back in a single model I think.
See this one ASP.net Profiles and Membership - Custom Providers or should completely I roll my own?
And this one How to implement ASP.NET membership provider in my domain model