Guidance on Multi-Tenant Security

Hi,
New user looking to build a multi-tenant MVP here on Backendless codeless/UI Builder (Bubble’s recent announcements have sent me looking elsewhere!)

I’ve been reviewing the documentation, videos and support forum, but what I’ve found does not suggest how multi-tenancy is best accomplished, to preserve security against malicious actors with technical skills.

Looking for direction on available options, with their respective pros/cons.

Thanks in advance!

Business Scenario Example Structure

Tenant 1 (ABC Football Club)

  1. Admin
    User “Carl” - Able to view/edit ABC user role assignments, ABC tenancy payments.

  2. Coaches
    User “Alex” - Able to view/edit ABC workouts, coaching notes for Joe and Jim.
    User “Bill” - Able to view/edit ABC workouts, coaching notes for Joe and Jim.

  3. Athletes
    User “Joe” - Able to view his assigned workouts and edit his personal profile.
    User “Jim” - Able to view his assigned workouts and edit his personal profile.

Tenant 2 (XYZ Football Club)

  1. Admin
    User “Sue” - Able to view/edit XYZ user role assignments, XYZ tenancy payments.

  2. Coaches
    User “Emma” - Able to view/edit XYZ workouts, coaching notes for Rachel and Laura.
    User “Abi” - Able to view/edit XYZ workouts, coaching notes for Rachel and Laura.

  3. Athletes
    User “Rachel” - Able to view her assigned workouts and personal profile.
    User “Laura” - Able to view her assigned workouts and personal profile.

Hello @Darryl_Patterson

Welcome to the Backendless Community!
I recommend that you read the following documentation:
https://backendless.com/docs/rest/users_user_roles.html
https://backendless.com/docs/rest/data_security.html
https://backendless.com/docs/rest/data_permissions_api.html
In your scenario you will be able to create the necessary roles for users. It is also possible to set permissions for specific users.
What makes your backend secure is the security policy you put in place on the server side. That includes how you establish permissions for different roles/operations, whether you disable access to the non-authenticated users, etc.

Regards,
Inna

Hi @Inna_Shkolnaya

Thanks for the feedback - I reviewed the above docs again but this has not helped regarding multi-tenancy.

There is no object ACL assignment by ‘role’, so I cannot grant all “Coaches” access at the object level.
Since the table level would contain data for all tenants, this would wrongly give “Coaches” access across multiple tenants.

If the alternative is bulk updating the ACL for all tenant-related objects with all users that have the role “Coaches”, this would have to happen each time a new object is created. This is surely too resource-intensive to be right, and additionally it would need to be run server-side to be secure.

Really hope I’m missing something…

@Inna_Shkolnaya

Reading further, there is conflicting information. Are you please able to provide confirmation, and a suggested method of how to implement this security policy for multiple tenants?

  • The REST documentation of the “permissions API” you provided suggests we CAN assign Object ACL by role.

  • The codeless documentation version suggests we CANNOT.

  • Forum posts suggest Object ACL by Role has been deprecated and we CANNOT use this.

  • Cloud Code > Data API contains a “Grant permission to object by role” which suggests we CAN, however this is not included in the documentation…

Hi.
At the beginning I wanted to advise looking in the direction of the objectACL for a specific record. But if adding and removing controlled objects is a frequent operation, it is not a good idea (you are right).
Another approach is to use table partitioning – for each realm you use a separate table. The question is: how many tenants do you think you will have?

Hi @oleg-vyalyh

The SAAS business model would be selling to sports club owners, which would each represent a new tenant.
An MVP development would probably only have <10 tenants; however, with the intent to scale the business, this could feasibly be hundreds of tenants (or even thousands).

Thanks

I think the table partitioning is the right approach in your case.
Each client will have separate space. You may use independent backup and restore abilities.
It also simplifies maintenance.
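The two approaches discussed in this thread (a table-level role grant on a shared table versus a server-side tenant check or per-tenant tables) can be seen side by side in a small model. The following is an added example in plain Node.js; it is not Backendless’s API or any code from this thread. The users, tenant ids (“abc”, “xyz”), the `tenantId` column on each row and the table names are all constructed for the illustration.

```javascript
// Added example (not Backendless code): a plain Node.js model of the thread's scenario.
// It shows (1) why a role granted at the table level leaks rows across tenants,
// (2) the server-side tenant check that closes the gap, and (3) per-tenant table
// names for the partitioning approach. All ids, names and rows are constructed.

const USERS = {
  carl:   { id: 'carl',   tenantId: 'abc', role: 'Admin' },
  alex:   { id: 'alex',   tenantId: 'abc', role: 'Coaches' },
  joe:    { id: 'joe',    tenantId: 'abc', role: 'Athletes' },
  sue:    { id: 'sue',    tenantId: 'xyz', role: 'Admin' },
  emma:   { id: 'emma',   tenantId: 'xyz', role: 'Coaches' },
  rachel: { id: 'rachel', tenantId: 'xyz', role: 'Athletes' },
};

// One shared "Workouts" table holding rows for both tenants (constructed sample data).
const WORKOUTS = [
  { objectId: 'w1', tenantId: 'abc', athleteId: 'joe',    title: 'ABC sprint drills' },
  { objectId: 'w2', tenantId: 'abc', athleteId: 'jim',    title: 'ABC strength' },
  { objectId: 'w3', tenantId: 'xyz', athleteId: 'rachel', title: 'XYZ intervals' },
  { objectId: 'w4', tenantId: 'xyz', athleteId: 'laura',  title: 'XYZ mobility' },
];

// (1) Table-level policy as described in the thread: "Coaches may read Workouts".
// The role check passes for every coach, so Emma (XYZ) receives ABC's rows as well.
function tableLevelRead(user, rows) {
  return user.role === 'Coaches' ? rows : [];
}

// (2) Tenant-scoped policy: the same role check plus a tenant filter. The filter
// must run server-side and use the tenantId stored on the authenticated user's
// record, never a tenantId supplied by the client, which could simply be changed.
function tenantScopedRead(user, rows) {
  if (user.role === 'Coaches' || user.role === 'Admin') {
    return rows.filter(r => r.tenantId === user.tenantId);
  }
  if (user.role === 'Athletes') {
    // Athletes see only their own assigned workouts inside their own tenant.
    return rows.filter(r => r.tenantId === user.tenantId && r.athleteId === user.id);
  }
  return [];
}

// Write check for a single object: coaches edit workouts in their own tenant only;
// athletes edit nothing in this table (their profile lives elsewhere).
function canEditWorkout(user, row) {
  return user.role === 'Coaches' && row.tenantId === user.tenantId;
}

// (3) Partitioning: one table per tenant. Because the tenant id becomes part of a
// table name, it is validated against a strict allow-list pattern before use.
const TENANT_ID = /^[a-z0-9]{1,32}$/;
function tenantTable(baseName, tenantId) {
  if (!TENANT_ID.test(tenantId)) throw new Error('invalid tenant id');
  return `${baseName}_${tenantId}`;
}

// Resolve the table for a request from the authenticated user's record.
function tableForUser(baseName, user) {
  return tenantTable(baseName, user.tenantId);
}

// Demonstration of the three policies on the sample data.
console.log('table-level read, emma :', tableLevelRead(USERS.emma, WORKOUTS).map(r => r.objectId));
console.log('tenant-scoped read, emma:', tenantScopedRead(USERS.emma, WORKOUTS).map(r => r.objectId));
console.log('tenant-scoped read, joe :', tenantScopedRead(USERS.joe, WORKOUTS).map(r => r.objectId));
console.log('table for emma          :', tableForUser('Workouts', USERS.emma));
```

The first call returns all four rows for Emma, which is exactly the cross-tenant leak described above; the tenant-scoped version returns only XYZ’s two rows, and Joe sees just his own workout. With partitioning, the tenant check moves into the table name, so the per-row filter is no longer needed, but the tenant id must still come from the server-side user record rather than from the request.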

Thanks @oleg-vyalyh

How can I create separate tables programmatically using Codeless?
I can’t see any relevant documentation or blocks available in the editor.

Hello @Darryl_Patterson,

There’s no way to create an empty table programmatically.
A new table will be created when the first object is saved into it; you can use the Save Object block from the Data API:

Screenshot 2022-03-30 at 10.33.58

Regards,
Olha