Multi-tenant RBAC Quickstart
The Multi-tenant RBAC scenario is an example of how to implement an authorization policy using a hierarchical, nested relationship-based access control (ReBAC) model.
The Multi-tenant RBAC Quickstart includes:
- A domain model for Multi-tenant RBAC, including the
system
,tenant
, andresource
object types.- The
system
type is meant to be a singleton representing the entire system, which hasadmin
,editor
, andviewer
relationships, representing roles that extend across all tenants. Theadmin
role grants thecan_create_tenant
permission. - The
tenant
type represents tenants within the system. It hasowner
,admin
,editor
, andviewer
relations that grant permissions such ascan_administer
,can_edit
, andcan_view
, as well as fine-grained permissions such ascan_delete_tenant
,can_manage_members
,can_list_members
, andcan_leave_tenant
. This last permission is granted to anyone except for owners, who can only be removed by other owners. It also has permissions relating to resources - includngcan_create_resources
,can_delete_resources
,can_write_resources
, andcan_read_resources
. - The
resource
type has atenant
relation that links it to the parent tenant. It also hasowner
,writer
, andreader
relations that grant permissions such ascan_delete
,can_write
, andcan_read
. These permissions are also granted through roles on the parent tenant.
- The
- A policy instance called
multi-tenant
which uses a boilerplate authorization policy calledpolicy-rebac
. This policy simply uses the underlying relationships to determine access. - A connection to the Citadel Demo IDP, which contains five demo users based on the Rick & Morty cartoon.
- Sample object instances, including a system singleton called
The entire system
, tenants such asCitadel tenant
andSmiths tenant
, and resources such asThe Citadel adventures resource
(in the Citadel tenant) andThe Smiths family's budget
(in the Smiths tenant). Rick, Morty, Summer, Beth, and Jerry haveowner
,editor
, andviewer
relationships to the system, tenants, and resources, demonstrating a relationship-based (ReBAC) model. - A back-end API that uses the
multi-tenant
policy for authorization, implemented in several languages. - An interactive tutorial which helps construct
curl
requests to test the back-end API.
As you go through the Quickstart, you'll learn the following:
- How to instantiate the Multi-tenant RBAC template.
- How to browse the directory and examine the manifest.
- How to evaluate policy decisions within the Aserto Evaluator.
- How to download and run the Multi-tenant RBAC back-end API.
- How to construct
curl
requests to the back-end in order to test out the API.
Prerequisites
To follow this Quickstart you'll need to have an Aserto account. If you do not have one, you can create one here. Once you have created your tenant, you can continue.