Advice on the right type of SC security in a multi-tenant situation

I am expanding some apps from a single customer to multi-tenant;
can anyone check my questions?
1 - What is the better authentication: user, app or groups? Most examples are on group auth, but in a multi-tenant situation a tenant admin needs to manage their sub-tenant users.

2 - When a tenant is authenticated, I keep the current tenant ID as a global variable for data filtering. Is it safe? Can users access the session data and change the current tenant/global variables and be able to see other tenants' data?

Thanks all in advance,
have a great day!

Ad1: I always use the most expanded security, even for simple cases. You can set it up to have one group in that case and it makes life easier when you need to expand your application. What I mean is that with the full setup you are still able to perform the simple login if required.

Ad2: Not sure what you mean by "is it safe". If you have a global variable that is used to filter, for instance, the department of the employees belonging to a certain manager, then you must not forget to apply the filter every time you make a new form, or when you produce your reports. But if you do it carefully then it is safe to a certain extent. Any issue that destroys the global variable will expose the data to others. Users cannot access session data to change their global variable unless you have made some kind of error in your application.

1 Like
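Question 2 and the Ad2 reply above describe two risks: the tenant filter being forgotten on a new form or report, and the global variable being lost or tampered with. The following is an added example, not code from this thread or from Scriptcase; it uses Python with an in-memory SQLite table instead of Scriptcase's generated PHP, and the table, column and function names (`orders`, `scoped_select`, `SessionStore`, `list_orders`) are assumptions for illustration. It shows the tenant id living only in a server-side session keyed by an opaque token, a single query helper that always binds the tenant filter so it cannot be omitted, and fail-closed behaviour when the session value is missing, with the tenant id kept as a GUID stored as text.

```python
import secrets
import sqlite3
import uuid

# Constructed sample data: two tenants identified by GUIDs stored as text.
TENANT_A = "11111111-1111-4111-8111-111111111111"
TENANT_B = "22222222-2222-4222-8222-222222222222"


def build_db():
    """In-memory table with rows belonging to two tenants (constructed sample)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, item TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO orders (tenant_id, item) VALUES (?, ?)",
        [(TENANT_A, "a-gadget"), (TENANT_A, "a-widget"), (TENANT_B, "b-widget")],
    )
    return conn


class SessionStore:
    """Server-side session store (hypothetical). The browser only ever holds the
    opaque token; the tenant id lives here and cannot be edited from the client."""

    def __init__(self):
        self._sessions = {}

    def login(self, tenant_id):
        uuid.UUID(tenant_id)  # reject anything that is not a well-formed GUID
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"tenant_id": tenant_id}
        return token

    def tenant_for(self, token):
        sess = self._sessions.get(token)
        if sess is None or not sess.get("tenant_id"):
            # A missing or emptied tenant id fails closed instead of falling through to "all rows".
            raise PermissionError("no authenticated tenant in session")
        return sess["tenant_id"]


def scoped_select(conn, tenant_id, table, columns, extra_where="", params=()):
    """Every read of a tenant-owned table goes through here, so the tenant filter
    cannot be forgotten on a new form or report. Table and column names are
    developer constants; tenant_id and params are always bound, never interpolated."""
    if not tenant_id:
        raise PermissionError("refusing unscoped query")
    sql = f"SELECT {', '.join(columns)} FROM {table} WHERE tenant_id = ?"
    if extra_where:
        sql += f" AND ({extra_where})"
    return conn.execute(sql + " ORDER BY 1", (tenant_id, *params)).fetchall()


def list_orders(conn, sessions, token, request_params):
    """Request handler: the tenant comes from the server session, and any
    tenant_id the client puts in the request is deliberately ignored."""
    tenant_id = sessions.tenant_for(token)
    item_filter = request_params.get("item_like", "%")
    rows = scoped_select(conn, tenant_id, "orders", ["item"], "item LIKE ?", (item_filter,))
    return [r[0] for r in rows]


def demo():
    """Returns (rows seen by a tenant-A user who names tenant B in the request,
    whether a forged session token was accepted)."""
    conn = build_db()
    sessions = SessionStore()
    token_a = sessions.login(TENANT_A)
    seen = list_orders(conn, sessions, token_a, {"tenant_id": TENANT_B})
    try:
        list_orders(conn, sessions, "forged-token", {})
        forged_accepted = True
    except PermissionError:
        forged_accepted = False
    return seen, forged_accepted


if __name__ == "__main__":
    print(demo())
```

The point of `scoped_select` is that a developer adding a new grid or report never writes `WHERE tenant_id = ...` by hand; the filter is appended by the one helper, and an empty tenant id raises instead of silently returning every tenant's rows. In Scriptcase terms the same idea applies to the global variable: read it only on the server, apply it through one shared routine, and treat an unset value as an error rather than as "no filter".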

Thank you very much, exactly on the point. In point 2 I was worried that users could somehow edit the session variables, in which case there is a risk of tenants accessing other tenants' data (by substituting another tenant ID). I was thinking of making the tenant ID a GUID, but somehow SC was not handling this type in combination with SQL Server.

I had the impression you are from the Netherlands too? It would be awesome to have an SC network here. I live in Arnhem :slight_smile:

I’m from Groningen and am team-lead at the University of Groningen where we have a 10-user license. I have abandoned my personal license of SC for a number of reasons, but perhaps through a pm?

Mmm, I thought I had sent a pm to you, but it's gone. But if you'd like to contact me, send an email to a dot drent at aducom dot com.