Replies: 1 comment
@san-perfo We are looking for a similar approach. How did things work out? Were you able to achieve this with Hasura?
We're building a SaaS multi-tenant product with Hasura. For smaller organizations we use a single-database model with organizations and users under those organizations with their associated data. We're currently building a "Role Based Access Control Configuration" feature in the org admin panel, with which an org admin can create roles and associate permissions with the created role. He/she can then assign these roles to any users within his/her organization.
For example, an org admin can create a "Moderator" role and assign permissions like "Can Create User" and "Can Delete Article" to that role for his organization.
We're currently working on a game plan to implement this using the metadata API of Hasura's permission module and need expert opinion on it. We are thinking of two ways of implementing it.
First Approach:
Use the Hasura Metadata API to create roles and permissions by mapping an app-specific permission set like "Can Create User" to the JSON payload Hasura understands, and create roles with those permissions. We need to do something extra to make sure the roles are unique, like appending ORG-specific keywords to the role (like ORG2_Admin). (Another complexity to handle is roles that may result in different configurations on the same table; we'll probably handle that with mapping logic in the backend.)
With this method we'll be adding more and more roles to the Hasura GraphQL engine, and I'm not sure whether that's the right thing to do or whether there are any limitations on the number of roles we can create, etc.
Second Approach:
Create "Can Create User" or "Can Delete Article" as roles in Hasura and then use the experimental "Inherited Roles" API to create organization-specific roles. With this approach, too, we'll be adding more roles to the engine as new organizations come in.
We're also planning to give each organization a set of default roles to use, but the likelihood of editing a role's permissions or creating a new role for the organization is high given the nature of the product, which will again result in tracking roles specific to each organization.
Please let me know the best way we can implement this.
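A sketch of the first approach described in the post, added here as an example and not code from the poster or from Hasura: it maps app-level permissions to a Hasura metadata `bulk` request with an organization-scoped role name and a tenant row check on every rule. The table names, columns, `org_id` column, `X-Hasura-Org-Id` session variable, the "Can Invite User" entry and the helper names are assumptions made for illustration.

```python
import json
import re

# Constructed catalogue: permission names are from the post (except the third,
# added to show a conflict); tables, columns and org_id are assumptions.
APP_PERMISSIONS = {
    "Can Create User": ("insert", "users", ["name", "email", "org_id"]),
    "Can Delete Article": ("delete", "articles", None),
    "Can Invite User": ("insert", "users", ["email", "org_id"]),
}
# Row check pinning every rule to the caller's tenant (assumed session variable).
ORG_FILTER = {"org_id": {"_eq": "X-Hasura-Org-Id"}}
SAFE = re.compile(r"[A-Za-z0-9]+")


def scoped_role(org_id, role):
    """Return a per-organization role name such as ORG2_Moderator."""
    # No underscores in either part, so the first "_" always ends the org id
    # and two organizations can never produce the same role name.
    if not SAFE.fullmatch(org_id) or not SAFE.fullmatch(role):
        raise ValueError("org id and role must be alphanumeric")
    return f"{org_id}_{role}"


def build_payload(org_id, role, granted):
    """Translate app permissions into one Hasura metadata 'bulk' request."""
    role_name = scoped_role(org_id, role)
    ops, seen = [], {}
    for perm in granted:
        action, table, columns = APP_PERMISSIONS[perm]  # KeyError if unknown
        if (action, table) in seen:
            # Hasura holds one rule per role/table/action; refuse to guess.
            raise ValueError(f"{perm!r} conflicts with {seen[(action, table)]!r}")
        seen[(action, table)] = perm
        if action == "delete":
            rule = {"filter": ORG_FILTER}
        else:
            rule = {"check": ORG_FILTER, "columns": columns}
        ops.append({
            "type": f"pg_create_{action}_permission",
            "args": {"source": "default",
                     "table": {"schema": "public", "name": table},
                     "role": role_name, "permission": rule},
        })
    return {"type": "bulk", "args": ops}


if __name__ == "__main__":
    body = build_payload("ORG2", "Moderator", ["Can Create User", "Can Delete Article"])
    print(json.dumps(body, indent=2))  # POST this to /v1/metadata as admin
```

Rejecting the conflicting pair, instead of silently merging column lists, keeps the backend mapping from widening a role beyond what the org admin selected.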