# talk-keto
l
Hey! Has anyone managed to create a robust multitenant RBAC system using Ory Keto? Running a separate Keto instance for each tenant is not an option for me.
w
While you can, I’m of the impression that it’s probably safer not to do it that way. Remember:
can != should
But technically speaking it is possible to have multiple tenants since Keto operates on UUIDs for objects. The problem is if you ever use “human-readable-names” for object or subject-ids, a name-uuid-mapping is created for that name. The issue with that is that name now resolves to the same uuid for the platform. This would make it very difficult to avoid cross-tenant pollution. But technically speaking it’s possible. But that doesn’t mean you won’t run into serious headaches in the process. (As an aside, one idea could be to prefix every object ID or subject ID with the tenant so you can form some kind of pseudo-composite unique key)
l
Hey! @witty-holiday-65473 Yes, your idea works. I have implemented that already. Every role, permission, and other entity is prefixed with the tenant ID. But I hate it. I was looking for a better way.
w
Why do you hate it? Is it because it looks ugly? I would agree that visually it makes the tuples long and unwieldy. To be fair though, I cannot think of a case where one would need to manually handle tuples.