How to allow access to certain entities in multiple tenants?

[jkuek]

Hi, just seeking advice on how to implement something...

I have a multi-tenant WebAPI app managing a fleet of devices. I'm looking at migrating from a home-made authorization implementation to AuthP and have been running through the AuthP examples.

For my needs, the hierarchical tenant option is appealing: within my tenant I can create groups (sub-tenants) of units, restricting access as required. So far, so good.

However, I also want the ability to enable external monitoring by a third party at a per-device . This would mean some users need to have access to a subset of device events across all tenants, ideally in the same view (without switching context between tenants).

Can anyone provide any guidance on how best to achieve this?

Here are some options I can think of:

1. Essentially bypass AuthP for this scenario: Introduce a separate table to keep track of device-monitoring associations. Use separate authorisation handler (and separate API?) so monitoring users can view the devices they are associated with.

2. Create a monitoring tenant, add a secondary "monitoring" datakey for each device. I suspect this would require forking and customising AuthP, which would make it a non-starter for me.

3. Possibly create a "monitoring" role, and implement some filter when devices are retrieved to only show devices that are explicitly confiigured for monitoring. Does AuthP support something like this?

Any ideas welcome.

[JonPSmith]

Hi @jkuek,

I understand is you want a extra feature for monitoring each tenant, and there are many monitors linked to a specific tenant, or multiple tenants.

I can't think of anything in AuthP that could help you, so I suggest you do first option - create extra code yourself for monitoring.

[jkuek]

Thanks for the response. Yes, the ideal would be for a user with a particular role to see data from multiple tenants but only if the configuration is set for external monitoring.

From my testing, it looks like AuthP doesn't support users with access to multiple tenants, or tenant-less users (apart from Super Admin). So the only way to access multiple tenant data is to use a hierarchical tenant set-up configured with one top-level tenant that is the parent of all other tenants (and sub-tenants).

I could perhaps extend AddHierarchicalTenantReadOnlyQueryFilter() to add another parameter, allowing me to filter on additional criteria.

That way I might be able to create a "monitoring" user on that top-level tenant, and give them a permission which is then checked in the new filter.

[JonPSmith]

If that extending AddHierarchicalTenantReadOnlyQueryFilter() works for you, then go for it. That does means that you will have to update your version when .NET is updated. You might find my article called How to update a NuGet library once the author isn’t available might be useful.

I should let you that I have Alzheimer's disease (click the "See the ENDNOTE dementia and programming section at the end of this article" on the end of the second paragraph of my "How to update a NuGet library..." article to get what has happened to me. Having Alzheimer's disease means I'm only updating the AuthP app a) when a .NET comes out and b) I'm still able to code.

Also, see my X/twitter about where I am on updating my open source .NET app. I will post a new X/twitter when my .NET apps have been updated to .NET 10.

[jkuek]

Thanks for your response and I'm sorry to hear about your diagnosis.

The intent is not to modify and build AuthPermissions myself, just to add a new extension method in my code based on AddHierarchicalTenantReadOnlyQueryFilter()

Here's an (untested) example:

    public static void AddHierarchicalTenantReadOnlyQueryModifiedFilter(this IMutableEntityType entityData,
        IDataKeyFilterReadOnly dataKey, LambdaExpression? extraCondition = null)
    {
        var methodToCall = typeof(DataKeyQueryExtension)
            .GetMethod(nameof(SetupMultiTenantQueryFilter),
                BindingFlags.NonPublic | BindingFlags.Static)
            .MakeGenericMethod(entityData.ClrType);
        var filter = methodToCall.Invoke(null, new object[] { dataKey });
        entityData.SetQueryFilter((LambdaExpression)filter);
        entityData.GetProperty(nameof(IDataKeyFilterReadWrite.DataKey)).SetIsUnicode(false); //Make unicode
        entityData.GetProperty(nameof(IDataKeyFilterReadWrite.DataKey)).SetMaxLength(AuthDbConstants.TenantDataKeySize);
        entityData.AddIndex(entityData.FindProperty(nameof(IDataKeyFilterReadOnly.DataKey)));
    }

    private static LambdaExpression SetupMultiTenantQueryFilter<TEntity>(
        IDataKeyFilterReadOnly dataKey,
        Expression<Func<TEntity, bool>>? extraCondition = null)
        where TEntity : class, IDataKeyFilterReadOnly
    {
        Expression<Func<TEntity, bool>> baseFilter =
            x => x.DataKey.StartsWith(dataKey.DataKey);

        if (extraCondition == null)
            return baseFilter;

        // Combine filters
        var combined = Expression.Lambda<Func<TEntity, bool>>(
            Expression.AndAlso(
                Expression.Invoke(baseFilter, baseFilter.Parameters[0]),
                Expression.Invoke(extraCondition, baseFilter.Parameters[0])
            ),
            baseFilter.Parameters
        );

        return combined;
    }