Associate user with Tenant via ACLs #44

Open
RyIot3329 opened this issue Nov 17, 2023 · 7 comments

Comments

@RyIot3329

Having some issues associating a created user with a tenant via the ACLs. Can you possibly explain the workflow for this? And maybe an explanation of defGroups and the proper use of the ACLs and namespaces?

@goxiaoy
Collaborator

goxiaoy commented Nov 18, 2023

The ACL concept of kit is defined as:

| subject | namespace | object | action | tenant | effect |
| --- | --- | --- | --- | --- | --- |
| Which subject this ACL belongs to. Could be user/role/token/client/tenant... https://github.com/go-saas/kit/blob/main/pkg/authz/authz/subjects.go | The namespace of the object, i.e. the kind of object. For example `user.user`, `saas.tenant` | object id | read/write/delete... | tenant id | grant/forbidden |

This is implemented by casbin.

For example, to define a role that has the permission to read users, you can add an ACL like:

| subject | namespace | object | action | tenant | effect |
| --- | --- | --- | --- | --- | --- |
| role/<role_id> | user.user | * | read | <current_tenant_id> | grant |

(`*` means any)


defGroups is only a UI-friendly design to achieve role-based access control (editing role permissions), like this:

[screenshots of the role permission editor]
User-based ACL is exposed by the low-level PermissionService API in https://github.com/go-saas/kit/blob/main/openapi/kit-merged.swagger.json
But it is not implemented in the management UI. If you want to control one user's permissions, you can edit the roles of this user for now. If you want this feature, I can make a plan and implement it later.

@RyIot3329
Author

Ok I think I understand now. So if I have an architecture like this:

[architecture diagram: app drawio]

Is this the correct workflow for each user in this scenario?

1. Create user: POST /v1/user
2. Create the needed roles: POST /v1/role
3. Create permissions with the correct namespace for read/create/update, with the associated tenant IDs: POST /v1/permission/subject
4. Update the role with the newly created permissions: PUT /v1/role/{id}/permission
5. Update the user to the new role: PUT /v1/user/{user.id}

I think I may be incorrect here but wanted to explain my general thinking.

@goxiaoy
Collaborator

goxiaoy commented Nov 20, 2023

> Ok I think I understand now. So if I have an architecture like this: [architecture diagram: app drawio]
>
> Is this the correct workflow for each user in this scenario?
>
> 1. Create user: POST /v1/user
> 2. Create the needed roles: POST /v1/role
> 3. Create permissions with the correct namespace for read/create/update, with the associated tenant IDs: POST /v1/permission/subject
> 4. Update the role with the newly created permissions: PUT /v1/role/{id}/permission
> 5. Update the user to the new role: PUT /v1/user/{user.id}
>
> I think I may be incorrect here but wanted to explain my general thinking.

Basically you are right. And I notice that user 2 joins two different tenants. You should create different roles in these two tenants, and set the role separately.
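To make the ACL model from the Nov 18 comment and the per-tenant-role advice above concrete, here is an added example (not kit's own code, which uses casbin): a small evaluator over (subject, namespace, object, action, tenant, effect) rows, where the roles a user carries are looked up per tenant, so a role bound in tenant A gives nothing in tenant B. The forbid-overrides-grant rule and the sample rows and bindings are this example's constructed assumptions.

```python
from dataclasses import dataclass

GRANT, FORBID = "grant", "forbid"  # effect values from the kit ACL model

@dataclass(frozen=True)
class Acl:  # one ACL row, columns as in the thread
    subject: str    # user/<id>, role/<id>, client/<id>, ...
    namespace: str  # kind of object, e.g. user.user or saas.tenant
    object: str     # object id, or * for any
    action: str     # read/write/delete..., or * for any
    tenant: str     # tenant id the row applies in, or * for any
    effect: str     # grant or forbid

def _match(pattern, value):
    return pattern == "*" or pattern == value

def subjects_for(user_id, tenant, role_bindings):
    """Subjects a caller carries in a tenant: its user id plus the roles bound
    to it in that tenant (role_bindings maps (tenant, user) -> role ids)."""
    roles = role_bindings.get((tenant, user_id), ())
    return {f"user/{user_id}"} | {f"role/{r}" for r in roles}

def is_allowed(acls, subjects, namespace, obj, action, tenant):
    """Deny by default; a matching grant allows unless a matching forbid exists
    (forbid-overrides-grant is this example's assumption, not kit's own rule)."""
    granted = False
    for acl in acls:
        if acl.subject not in subjects:
            continue
        if not (_match(acl.namespace, namespace) and _match(acl.object, obj)
                and _match(acl.action, action) and _match(acl.tenant, tenant)):
            continue
        if acl.effect == FORBID:
            return False
        granted = granted or acl.effect == GRANT
    return granted

# Constructed sample policy: one read-only role per tenant, plus a forbid row.
ACLS = [
    Acl("role/reader-a", "user.user", "*", "read", "tenant-a", GRANT),
    Acl("role/reader-b", "user.user", "*", "read", "tenant-b", GRANT),
    Acl("user/u2", "user.user", "secret", "read", "tenant-a", FORBID),
]
# u2 belongs to both tenants, so it is bound to a separate role in each one.
BINDINGS = {("tenant-a", "u1"): ["reader-a"], ("tenant-a", "u2"): ["reader-a"],
            ("tenant-b", "u2"): ["reader-b"]}

def check(user_id, tenant, obj, action):
    subjects = subjects_for(user_id, tenant, BINDINGS)
    return is_allowed(ACLS, subjects, "user.user", obj, action, tenant)
```

`check("u2", "tenant-b", "u1", "read")` is allowed only because u2 was given `reader-b` in tenant-b separately; the tenant-a role does not carry over.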

@RyIot3329
Author

Ok got it. I think I may still be having issues. Could you walk me through a scenario of:

1. Creating a new tenant
2. Creating a read-only role for the tenant
3. Creating a user and assigning the read-only role

I apologize but I am still a little confused on the steps it takes.

Thank you

@goxiaoy
Collaborator

goxiaoy commented Nov 21, 2023

  • POST /v1/saas/tenant
  • Switch to this tenant by adding the header/cookie `__tenant=...`, or just POST /v1/saas/change-tenant/{idOrName}, which returns a set-cookie header
  • POST /v1/role to create a new role
  • PUT /v1/role/{id}/permission or PUT /v1/role/{role.id} to change the role's permissions
  • POST /v1/user to create a user with the associated role

You can also do this via the admin-ui.

@RyIot3329
Author

Thank you for the guidance. Through the admin-ui, I create a new tenant, then go to System Management -> Role management and attempt to add a new role, and get this error:

Error 1062 (23000): Duplicate entry 'bc9d455f-7989-43d2-b7dc-ac7e21bc4bd4' for key 'roles.idx_roles_tenant_role'

There are no other roles in this tenant, so I am not sure where it is getting the duplicate key from.

@goxiaoy
Collaborator

goxiaoy commented Nov 22, 2023

> Thank you for the guidance. Through the admin-ui, I create a new tenant, then go to System Management -> Role management and attempt to add a new role, and get this error:
>
> Error 1062 (23000): Duplicate entry 'bc9d455f-7989-43d2-b7dc-ac7e21bc4bd4' for key 'roles.idx_roles_tenant_role'
>
> There are no other roles in this tenant, so I am not sure where it is getting the duplicate key from.

Sorry, fixed
