在多租户.net项目中实现角色的最佳方法是什么？

Question

My application is .NET 4.7 Web Api with Entity Framework 6.

This is for a software as a service tool I am building. In my application there is a many to many relationship between AspNetUser and Company.

A user can have many companies, and a company can have many users. A user needs to have a different role / set of permissions based on what company it wants to work with. What is the best way to implement something like this?

I have thought about adding a CompanyId column to the AspNetUserRoles table, so a user would have a different role for different companies it is related with. I'm not sure this is a very good implementation, and it might break how authorization works so I don't want to touch it until I have a clearer understanding of how things work.

So far I have found this guide on resource-based authorization for multi-tenant applications. It seems to be what I'm looking for but it is for .NET Core, and I'm not sure if it works for .NET 4.7.

I haven't been able to find something similar for .NET 4.7 so I am reaching out to the stack overflow community.

Answer 1

If you are building it from scratch I recommend to switch to ASP.NET Core and leverage of resource-based authorization.

I will recommend to reconsider sharing database between tenants. It is not exactly great idea for SaaS applications. Unless you need to save some money and you are willing to add complexity to your code. You can read Multi-tenant SaaS database tenancy patterns .

If you want to stick with what you have I can only recommend to introduce new class Employee that will have relationship with AspNetUser and Company. That is how you manage to have single user that can be tight to many companies, but on the other side Company will have only collection of Employees.

According to roles you can do something similar to User-Employee-Company relationship. As user roles needs to be managed by application owner(you), because you are setting authorization attributes on controllers and actions you only let Company admins to pick roles you defined to CompanyRole class. Company can have many CompanyRole with many AspNetUSerRole.

Example:

You set roles SuperAdmin[someone who has absolute control over the app and data](probably you and maybe some of your fellow workers), CompanyAdmin[someone who has absolute control over the company](probably person who created the company in your app), EmployeeAdmin[someone who has granted the access to manage employees within the company](probably person from company's HR department), EmployeeReader[someone who has granted the access to read-only employees within the company](probably anyone can read info about other employees), etc. Depends on your needs and how granular your authorization permissions are or you would like to have.

Next, you let CompanyAdmin to create set of CompanyRole entries tight to his company with relationship to your roles. For example CompanyRole will be HumanResourcesAdmin and have relationship to your role EmployeeAdmin.

Next, CompanyAdmin needs to create new Employee and say this employee has those CompanyRoles. You need to pair Employee with your account(if not exists he needs to register). This can be done with invitation links over email you send after employee is created or CompanyAdmin clicks button Invite User.

Next, after user register/login you need to take care of which company he wants to be signed in and based on it you can easily add correct roles to his identity.

Is it clear?