How to model multi-tenancy where the same user (logged in user that is) can have multiple tenant-users, each with a different set of permissions?

[OsmanMElsayed]

Hi folks,

I'm working with a multi-tenant app, where there are these entities:

• Principal (identified by the sub claim from a JWT token)
• Tenant
• Tenant-User

Where:

• The principal, can access multiple tenants (i.e. it can have zero or more associated tenant users). Where in each one of those tenants, the set of permissions are scoped to the tenant user linked to the principal.
• Coming to the more interesting part: The principal, can have multiple users within the same tenant with different set of permissions

What I want to achieve:

• I want to do authZ checks to verify that the tenant user has a certain relation with the tenant - I cannot do this check at the level of the principal because the principal can be associated with multiple tenant-users in the same tenant
• I want to ensure that the principal is associated with the tenant user - otherwise the principal can access any tenant user
• I want to perform these two checks in one check request, ideally, as I want to avoid batching multiple checks.
• I want to be able to do a reverse index query, i.e., "give me all the tenant-users that the principal is associated with".

The best I could come up with is to used conditions and contextual tupples:

model
    schema 1.1

  type tenant_user
  
  type tenant
    relations
      define member: [tenant_user with valid_current_principal_context]
      
      define reader: [tenant_user] and member
      define writer: [tenant_user] and member
      
      can_manage_users: writer
      
  condition valid_current_principal_context(tenant_user_linked_principal_id: string, current_principal_id: string) {
    tenant_user_linked_principal_id == current_principal_id
  }

Example of tuple stored in DB:

- user: tenant_user:john_doe
  relation: member
  object: tenant:acme
  condition:
    name: valid_current_principal_context
    context:
      tenant_user_linked_principal_id: 00000000-0000-0000-0000-000000000000

The check:

- user: user:john_doe
  object: tenant:acme
  context:
    current_principal_id: 00000000-0000-0000-0000-000000000000 # Comes from the principal's active session
  assertions:
    member: true

I've super curious would you approach this?

[aaguiarz]

Hi @OsmanMElsayed

I don't think I fully understand the scenario, but it seems you should be able to model it without conditions, using contextual tuples, in a way similar to this https://openfga.dev/docs/modeling/organization-context-authorization

You can send a contextual tuple restricting access of that tenant-user to a single tenant tenant, for example.

Let me know if that works.

[OsmanMElsayed]

Thanks for the response @aaguiarz.

I know the scenario is a bit convoluted 😓. Let me try to explain it in a DB relations form, may be this will make it easier to understand.

This is is how the tenant-user table looks like:

Tenant ID	Tenant user ID	Principal ID	Can read	Can write
tenant-1	tenant1-user1	principal-1	true	true
tenant-1	tenant1-user2	principal-1	true	false
tenant-2	tenant2-user1	principal-1	true	true

The principal ID is basically the sub provided in the JWT token issued after logging in. From the table above, principal-1 can access 3 tenant users.

The highlight here is that 2 of these users belong to the same tenant (tenant-1) and the two tenant users have different permissions.

Because of that, I guess I cannot model my authZ in terms of the relation between the principal and the tenant. Since principal-1 <-member-> tenant-1 won't have enough specificity to differentiate between the two tenant-user permissions.

I hope it makes more sense.
Thanks again for the help 🙏

[aaguiarz]

When you are making an API call, are you authorizing that the "tenant user id" (tenant1-user2) can perform a specific action on a tenant? e.g. check(user: user:tenant1-user2, relation: can_write, object: tenant-1)?

[OsmanMElsayed]

Yes, exactly.

I think I have no option other than going this way, even though I initially I hoped for doing check(user: user:principal-1, relation: can_write, object: tenant-1). But then it hit me that it's not even possible with the way how our system is designed.

[aaguiarz]

It seems that the permissions are defined at the user level, not principal level, right?

Do you want to confirm that the principal and the tenant-user that are in the JWT are actually linked somehow in OpenFGA?

Would this work?

# Adds support for Groups:
#   - Editors and Viewers can be assigned to groups
#   - Groups can be nested

model: |
  model
    schema 1.1
    
  type tenant-user

  type principal
    relations
        define user : [tenant-user]

  type tenant
    relations
        define can_write : [tenant-user]
        define principal_in_context: [principal]

        define reader : [tenant-user] and user from principal_in_context
        define writer : [tenant-user] and user from principal_in_context


tuples:
  # Tuples for basic example
  - user: tenant-user:tenant1-user1
    relation: reader 
    object: tenant:tenant-1

  - user: tenant-user:tenant1-user1
    relation: writer 
    object: tenant:tenant-1

  - user: tenant-user:tenant1-user2	
    relation: reader 
    object: tenant:tenant-1

  - user: tenant-user:tenant2-user1
    relation: reader 
    object: tenant:tenant-2

  - user: tenant-user:tenant2-user1
    relation: writer 
    object: tenant:tenant-2

  - user: tenant-user:tenant1-user1
    relation: user
    object: principal:principal-1

  - user: tenant-user:tenant1-user2
    relation: user
    object: principal:principal-1

  - user: tenant-user:tenant2-user1
    relation: user
    object: principal:principal-1

tests: 
  - name: Test with tenant:1
     # This would be sent as a contextual tuple based on the content of the JWT
    tuples:
      - user: principal:principal-1
        relation: principal_in_context
        object: tenant:tenant-1

    check:
      - user: tenant-user:tenant1-user1 
        object: tenant:tenant-1
        assertions:
          reader : true
          writer : true

      - user: tenant-user:tenant1-user2
        object: tenant:tenant-1
        assertions:
          reader : true
          writer : false

      # This is false as tenant2-user1 can't access it
      # if the call is for tenant:tenant-1
      - user: tenant-user:tenant2-user1
        object: tenant:tenant-1
        assertions:
          reader : false
          writer : false          

[OsmanMElsayed]

This looks great!

It seems that the permissions are defined at the user level, not principal level, right?

Correct

Do you want to confirm that the principal and the tenant-user that are in the JWT are actually linked somehow in OpenFGA?

Correct! This is exactly what we want. As it will allow us to do list_users(object:principal:principal1, relation: user) which is needed for the tenant user switcher UI.

Would this work?

Definetly!

Thank you very much! Your help is highly appreciated :)