Multi-tenancy tenant admin

Hello,
I am currently discovering the possibilities of the multi-tenant feature of Camunda and I have come to a few questions about it. I would like to use the multi-tenancy mode with more than one tenant per single process engine.

The question is: can I restrict a tenant admin to only be able to grant some authorizations? E.g. if a user has an authorization on the authorization resource, he can grant himself tenant and tenant-membership authorizations as well and become admin of all tenants. This is something I want to restrict. Is it possible to do this via a resource id like "DENY tenantMembership" or something?

A similar problem comes with user administration: I would like the tenant admin to be able to administer only the users who belong to his tenant. But I don't want the tenant admin to be able to do anything about users of other tenants.

Is something like this possible? Or should I rather use the one process engine per tenant approach?

Thank you
Adam

Hi Adam,

Currently, it is not possible to restrict the grant authorization for specific resources. So if a user / group is allowed to create authorizations, then he can create an authorization for any resource.

You can achieve this by creating one user permission for every user who belongs to the tenant of the tenant admin. Note that this only works if the tenant admin is not allowed to create authorizations.

Currently, your use case is not well covered by the process engine and you have to provide this additional logic on your own. The process engine only provides a way for members of the group camunda-admin to access all tenant data.

Best regards,
Philipp

1 Like
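The per-user grant approach from the reply above, written out as an added example against the Camunda Java API (this is not code from the thread or from the Camunda project). The tenant id `tenant-a`, the admin user id `admin-a` and the `TenantAdminScopedGrants` class name are constructed for illustration. It creates one GRANT on the USER resource per tenant member instead of a wildcard `*` grant, and checks that the admin holds no CREATE permission on the AUTHORIZATION resource, since such a permission would let the admin widen its own rights, which is exactly the gap the reply describes.

```java
import java.util.ArrayList;
import java.util.List;

import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.ProcessEngines;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;
import org.camunda.bpm.engine.identity.Group;
import org.camunda.bpm.engine.identity.User;

/**
 * Added example, not part of the forum thread: scope a tenant admin to the
 * users of its own tenant by granting per-user permissions (one authorization
 * per resource id), while never granting anything on the AUTHORIZATION resource.
 * All ids used in main() are constructed.
 */
public class TenantAdminScopedGrants {

  /** Creates one USER grant per current tenant member; returns how many were created. */
  public static int grantScopedUserAdmin(ProcessEngine engine, String tenantId, String tenantAdminUserId) {
    IdentityService identityService = engine.getIdentityService();
    AuthorizationService authorizationService = engine.getAuthorizationService();

    List<User> tenantUsers = identityService.createUserQuery().memberOfTenant(tenantId).list();

    int created = 0;
    for (User user : tenantUsers) {
      // Idempotent: skip users that already have a scoped grant from an earlier run.
      long existing = authorizationService.createAuthorizationQuery()
          .userIdIn(tenantAdminUserId)
          .resourceType(Resources.USER)
          .resourceId(user.getId())
          .count();
      if (existing > 0) {
        continue;
      }
      // Scoped by resource id on purpose: a "*" resource id would cover users of every tenant.
      Authorization auth = authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
      auth.setUserId(tenantAdminUserId);
      auth.setResource(Resources.USER);
      auth.setResourceId(user.getId());
      auth.addPermission(Permissions.ALL);
      authorizationService.saveAuthorization(auth);
      created++;
    }
    return created;
  }

  /**
   * Guard for the precondition stated in the reply: the scoping only holds if the
   * tenant admin cannot create authorizations. Returns true when the admin (directly
   * or via group membership) may CREATE on the AUTHORIZATION resource.
   */
  public static boolean canCreateAuthorizations(ProcessEngine engine, String userId) {
    List<String> groupIds = new ArrayList<>();
    for (Group g : engine.getIdentityService().createGroupQuery().groupMember(userId).list()) {
      groupIds.add(g.getId());
    }
    return engine.getAuthorizationService()
        .isUserAuthorized(userId, groupIds, Permissions.CREATE, Resources.AUTHORIZATION);
  }

  public static void main(String[] args) {
    ProcessEngine engine = ProcessEngines.getDefaultProcessEngine();
    String tenantId = "tenant-a";      // constructed
    String tenantAdmin = "admin-a";    // constructed

    if (canCreateAuthorizations(engine, tenantAdmin)) {
      // The per-user scoping would be bypassable; stop before granting anything.
      throw new IllegalStateException(tenantAdmin + " may create authorizations; scoping is ineffective");
    }
    int n = grantScopedUserAdmin(engine, tenantId, tenantAdmin);
    System.out.println("created " + n + " scoped USER grants for " + tenantAdmin);
  }
}
```

Run this as a member of `camunda-admin` (or from setup code before authorization checks are enabled), because creating authorizations itself requires CREATE on the AUTHORIZATION resource. The grants reflect tenant membership at the time the code runs, so it has to be re-run, or hooked into whatever adds users to the tenant, when membership changes; this is the "additional logic" the reply says the engine leaves to you.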

Thank you for the reply. I will go the way of multiple process engines for now. But this might be a good place for possible future improvement.

Adam