简体繁体 English

多租户用户模型

[英]Multi-tenant User Model

原文 2010-08-14 23:23:58 2 2 c#/ asp.net/ saas/ multi-tenant

In a multitenant system that hosts multiple organizations and applications, where an organization may use several applications hosted on the system, should my user and role model be such that a single user or role can exist across multiple applications and organizations? 在托管多个组织和应用程序的多租户系统中，组织可以使用系统上托管的多个应用程序，我的用户和角色模型是否应该可以跨多个应用程序和组织存在单个用户或角色？ Or should I limit a user entity to a single organization/application pair and then define some overarching model to tie those user entities together? 或者我应该将用户实体限制为单个组织/应用程序对，然后定义一些总体模型以将这些用户实体绑定在一起？

That is: 那是：

John Doe is a person 约翰·多伊是一个人
He wants to use ApplicationA and ApplicationB 他想使用ApplicationA和ApplicationB
He works for two different companies (just bear with me), OrganizationA and OrganizationB 他为两家不同的公司（只是承担我），OrganizationA和OrganizationB工作

Should the user model be: 用户模型应该是：

johndoe@someuniquesuffix is his unique user name. johndoe @ someuniquesuffix是他唯一的用户名。 This gives him access to both applications for both organizations. 这使他可以访问两个组织的两个应用程序。
johndoe@applicationa@organizationa is his username for ApplicationA at OrganizationA. johndoe @applicationa @ organizationa是他在OrganizationA的ApplicationA用户名。 johndoe@applicationb@organizationa is his username for ApplicationB at OrganizationA...and the same for OrganizationB. johndoe @applicationb @ organizationa是他在OrganizationA的ApplicationB的用户名......对于OrganizationB也是如此。 Then have some "master" list that says that all 4 user accounts for the apps/orgs correspond to the same actual "person", John Doe? 然后有一些“主”列表，说明应用程序/组织的所有4个用户帐户都对应于相同的实际“人”，John Doe？

The same scenario(s) described above applies to how I will design my Role schema. 上述相同的场景适用于我将如何设计我的角色架构。

Thanks for any asistance! 谢谢你的帮助！

2 个解决方案

IMO, you should limit each set of credentials to an organization. IMO，您应该将每组凭据限制为组织。 Further, you should enable the ability for each application to restrict what users within that organization can do with each application. 此外，您应该使每个应用程序能够限制该组织中的用户可以对每个应用程序执行的操作。 Ie, each application should manage its own authorization roles. 即，每个应用程序都应该管理自己的授权角色。 You need some means to handle the scenario where Joe leaves Organization A but continues to work for Organization B. 您需要一些方法来处理Joe离开组织A但继续为组织B工作的场景。

Personally I think that keeping track that John Doe is one person that works both at Organization A and at Organization B complicates things significantly, without adding much value to the most cases . 就我个人而言，我认为跟踪John Doe是一个在组织A和组织B都工作的人，使事情变得非常复杂，而不会给大多数情况增加太多价值。 Unless you have a clear business reason to understand in your model that A's John Doe is the same as B's John Doe, I'd steer away from it. 除非你有明确的商业理由在你的模型中理解A的John Doe 与 B的John Doe 相同，否则我会避开它。 Maintaining your user database across all orgs, having to deal with unique names across orgs ('What do you mean there is already a John Doe? that's not me!') and having the UI model this (eg. asking the user at login 'do you want to work on A's data today or on B's data?) just adds significant complications. 维护所有组织中的用户数据库，不得不处理orgs中的唯一名称（'你的意思是已经有一个John Doe？那不是我！'）并且拥有这个UI模型（例如，在登录时询问用户'你想今天使用A的数据还是B的数据？）只会增加很多复杂性。

The one drawback of my recommendation is that if you use a 3rd party authenticator like OpenID or OAuth then a person that has multiple tenants has to log in with different IDs. 我建议的一个缺点是，如果您使用第三方验证器，如OpenID或OAuth，那么拥有多个租户的人必须使用不同的ID登录。 Eg. 例如。 I log in with my google openId I end up on A's data, but to work on B's I need to use my Twitter account, because my Google id is already tied to A and only A. 我使用google openId登录我最终得到了A的数据，但是为了处理B，我需要使用我的Twitter帐户，因为我的Google ID已经绑定到A而且只有A.