https://www.ory.sh/ logo
#talk-keto
Title
# talk-keto
h

happy-magician-21721

01/21/2022, 10:13 AM
Hi everyone, can someone give some architecture advice regarding managing roles in a multitenant app (independent of Keto). Basically all my tenants have default roles, they can also custom roles made by themselves. The idea would be that I can update the default roles when the features or business needs of my app changes. How would you update those roles? I was thinking of doing it when the application bootstraps, it this a good idea? Maybe it is not maintainable on an application with multiple containers
s

steep-lamp-91158

01/21/2022, 10:45 AM
I would define roles and permissions separately. So when you say someone has the default role admin, that never changes. But the permissions of admin can change depending your product needs.
h

happy-magician-21721

01/21/2022, 2:50 PM
let's say you have one admin role for each tenant (multi tenant saas app). At which stage of your app lifecycle would you update those permissions? The idea I came up with is checking when someone of this tenant makes a request and have some kind of table that tells me if the roles of this tenant are outdated, and if they are, we update them. I could use caching to avoid doing this check in every single http request
s

steep-lamp-91158

01/21/2022, 3:10 PM
hm does that mean you have side effects even on simple GET requests? seems a bit like an anti pattern... maybe just run a "migration" process that gradually applies changes across all tenants? or just have a single source of truth for default roles. so that you only have to update that one
h

happy-magician-21721

01/21/2022, 3:28 PM
True. I considered the single source of true approach at the beginning, but had some problems with the idea I had. I am going to give some extra though to it. The migration would be the easiest one I guess, but I would like to avoid migrating on every deploy. Although I doubt we will have more than 100 tenants by the end of 2022 since it is a B2B startup... So going for the migration should not be a problem.
Thanks for the advice
s

steep-lamp-91158

01/21/2022, 3:31 PM
sure, np