Hi everyone, can someone give some architecture advice regarding managing roles in a multitenant app (independent of Keto)? Basically all my tenants have default roles, and they can also have custom roles made by themselves. The idea would be that I can update the default roles when the features or business needs of my app change. How would you update those roles? I was thinking of doing it when the application bootstraps, is this a good idea? Maybe it is not maintainable on an application with multiple containers.
01/21/2022, 10:45 AM
I would define roles and permissions separately. So when you say someone has the default role admin, that never changes. But the permissions of admin can change depending on your product needs.
01/21/2022, 2:50 PM
let's say you have one admin role for each tenant (multi tenant saas app). At which stage of your app lifecycle would you update those permissions?
The idea I came up with is checking when someone from this tenant makes a request and having some kind of table that tells me if the roles of this tenant are outdated, and if they are, we update them. I could use caching to avoid doing this check in every single HTTP request.
01/21/2022, 3:10 PM
hm does that mean you have side effects even on simple GET requests? seems a bit like an anti-pattern... maybe just run a "migration" process that gradually applies changes across all tenants? or just have a single source of truth for default roles, so that you only have to update that one
01/21/2022, 3:28 PM
True. I considered the single source of truth approach at the beginning, but had some problems with the idea I had. I am going to give some extra thought to it. The migration would be the easiest one I guess, but I would like to avoid migrating on every deploy. Although I doubt we will have more than 100 tenants by the end of 2022 since it is a B2B startup... So going for the migration should not be a problem.