Advice on structuring my app


Leonel Câmara

Jan 17, 2017, 11:59:27 AM1/17/17
to web2py-users
I'm in the process of turning an application that was used by a single organization into one that will be used by many. I'm using regular Auth and auth groups to manage which users can do what according to which groups they have memberships in.

The first problem I'm facing is that the users that belong to a given auth_group will now only belong to that group in a given organization, which I guess would also be a problem with regular auth functions.

Another problem is that I want the organizations to be able to share some of their data with another organization.  
  
So, right now, I'm considering what would be the best architecture for the application.  
  
One idea would be to store the organization the user is currently browsing with (no reason to limit a user to belonging to only one organization) in session; then I would have to check in each controller whether the user has the right group and organization for what he wants to do, which would pollute my code somewhat.
  
Another idea is for each organization to become a group; then what I use groups for right now will be permissions. This is probably the best route. It would still leave the problem of making the user see the right data depending on which organization he is currently browsing with.
  
Any advice on how to do this as cleanly as possible in terms of code?

Jim S

Jan 17, 2017, 12:17:37 PM1/17/17
to web2py-users
Is there a reason why the Multi-tenancy or Common Filters wouldn't work?


I've used common filters in the past with success.

-Jim

Leonel Câmara

Jan 17, 2017, 12:33:02 PM1/17/17
to web2py-users
I'm not sure I want to restrict each organization to a single domain yet. But yes, it's a possibility; I don't necessarily need to use the domain name to do the filtering. Although I would also like them to be able to optionally share some data among themselves, so I would also need to solve that problem.
  
So basically, be able to do multitenancy within a single domain or with organizations being able to have more than one domain and sharing.

Jim S

Jan 17, 2017, 2:21:08 PM1/17/17
to web2py-users
I think you could accomplish that with the _common_filter.  That is what I did on the app where I used it and it worked well.

-Jim
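The following is an added example, not code from this thread or from web2py, showing the idea behind the common-filter approach Jim describes: the tenant restriction lives in the data-access layer, so every query (including direct lookups by id) is scoped to the organization the user is currently browsing with, and the explicit sharing Leonel asked about is handled by a separate share table rather than by loosening the filter. It uses only the standard-library sqlite3 module as an analogue of web2py's `common_filter`; the `document` and `document_share` tables and the sample rows are constructed for the example.

```python
import sqlite3

# Constructed schema: a tenant-scoped table plus an explicit share table.
SCHEMA = """
CREATE TABLE document (
    id     INTEGER PRIMARY KEY,
    org_id TEXT NOT NULL,
    title  TEXT NOT NULL
);
CREATE TABLE document_share (
    document_id     INTEGER NOT NULL REFERENCES document(id),
    shared_with_org TEXT NOT NULL
);
"""

# Constructed sample data: three organizations, four documents.
SAMPLE_DOCUMENTS = [
    ("orgA", "A budget"),    # id 1
    ("orgA", "A roadmap"),   # id 2, shared with orgB below
    ("orgB", "B budget"),    # id 3
    ("orgC", "C notes"),     # id 4
]


def build_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO document (org_id, title) VALUES (?, ?)", SAMPLE_DOCUMENTS
    )
    # orgA explicitly shares its roadmap with orgB.
    conn.execute("INSERT INTO document_share VALUES (?, ?)", (2, "orgB"))
    conn.commit()
    return conn


class TenantScope:
    """All reads of `document` go through one filter: rows owned by the
    current organization, or rows explicitly shared with it.  Controllers
    never pass the org themselves, so they cannot forget the check."""

    # The filter is a fixed SQL fragment; only parameters vary.
    _FILTER = (
        "(d.org_id = :org OR d.id IN "
        " (SELECT document_id FROM document_share WHERE shared_with_org = :org))"
    )

    def __init__(self, conn, current_org):
        self.conn = conn
        self.current_org = current_org

    def documents(self):
        """Every document visible to the current organization, by id."""
        sql = "SELECT d.id, d.org_id, d.title FROM document d WHERE " \
              + self._FILTER + " ORDER BY d.id"
        return self.conn.execute(sql, {"org": self.current_org}).fetchall()

    def document_by_id(self, doc_id):
        """Direct lookup still applies the tenant filter: a valid id that
        belongs to another organization yields None, not the row."""
        sql = "SELECT d.id, d.org_id, d.title FROM document d WHERE d.id = :id AND " \
              + self._FILTER
        return self.conn.execute(
            sql, {"id": doc_id, "org": self.current_org}
        ).fetchone()


def visible_document_ids(org):
    """Convenience wrapper: ids visible to `org` on a fresh sample database."""
    return [row[0] for row in TenantScope(build_db(), org).documents()]


def lookup(org, doc_id):
    """Convenience wrapper: the row `org` gets for `doc_id`, or None."""
    return TenantScope(build_db(), org).document_by_id(doc_id)


if __name__ == "__main__":
    for org in ("orgA", "orgB", "orgC"):
        print(org, visible_document_ids(org))
    print("orgB looking up doc 1:", lookup("orgB", 1))
```

The session would hold `current_org`, and the controller would construct `TenantScope(db, session.current_org)` once per request; in web2py the same effect is what a `common_filter` on the table gives you, with the share sub-select folded into the filter query.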

icodk

Jan 17, 2017, 6:10:00 PM1/17/17
to web2py-users
Can a user be a member of several organizations?
Who is managing organizations?
How does somebody get to be a member of an organization?
With very little information available, I would have an organization table, and each newly registered user will get his own organization and will be his organization's admin. Each organization will have an invitation table in which the admin can invite other users by sending them an invitation mail.
The invited user will get a mail with a link to join the organization. Clicking the link will activate a controller that adds the user to an organization membership table.
In the invitation table the admin can also set permissions for each invited user. This way the admin can also revoke an invited user. All of an organization's data will be protected by a common filter, but shared data will not.
Hope it is helpful to some



If yes then you should have 

Leonel Câmara

Jan 17, 2017, 8:55:04 PM1/17/17
to web2py-users
Yes, a user can be a member of several organizations, which need to approve him and decide what permissions the user will have; each organization is managed by users with admin powers within that organization.

Ramkrishan Bhatt

Jan 18, 2017, 1:00:27 AM1/18/17
to web2py-users
each organization to become a group, then what I use groups for right now will be permissions, this is probably the best route.

This idea will work. For data access, we also need to maintain a controller function which will filter out the data based on organization before serving it to the user.

We can also put a filter function on the model, so before serving data we can validate that it is the appropriate data for the user.

Let me know if you find a better solution; I may need it in the near future.

One more thing we can do is separately manage role-based access control in REST-based applications, where we can maintain each user as a single identity and a common role for multiple users.

Val K

Jan 21, 2017, 9:10:29 AM1/21/17
to web...@googlegroups.com
Hi, here is my solution:
There are some abstract actions like view/edit/delete/upload/download and so on.
There are the roles that define combinations of the actions - it's a table that has a 'value' bit field - each bit corresponds to an action.
There are the groups and two symmetric relation tables: user_group_role, object_group_role; object means anything on which the actions could be performed.
Now, the set of allowed actions on the object for the user could be calculated:
 - find the `intersection` (common) groups of user and object (inner join on group)
 - logical AND of role.value pairs: user_group_role AND object_group_role = user_object_common_role
 - allowed_actions_set = logical sum of user_object_common_role (aggregate bitwise OR)

For example: a user has membership in orgA with role 'super', but orgA has only the 'read' role on the object - 'super' will be trimmed to 'read'...
But if the user also has membership under 'super' in another group which has 'super' against the object too, role_action_set won't be trimmed.
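An added worked example (not Val K's code, and not tied to web2py's tables) of the bitmask scheme just described: actions are bits, roles are bit masks, the two relation tables are joined on group, each common group contributes `user_role AND object_role`, and the contributions are ORed. The in-memory `user_group_role` and `object_group_role` rows are constructed so that the two cases in the post appear: carol is 'super' in orgA only and gets trimmed to 'read' on doc1, while alice is also 'super' in orgB, where the object is 'super' too, so nothing is trimmed.

```python
from collections import defaultdict

# Abstract actions, one bit each (constructed for the example).
ACTIONS = {
    "view": 1 << 0,
    "edit": 1 << 1,
    "delete": 1 << 2,
    "upload": 1 << 3,
    "download": 1 << 4,
}

# Roles are combinations of action bits, i.e. the 'value' bit field.
ROLES = {
    "read": ACTIONS["view"] | ACTIONS["download"],
    "editor": ACTIONS["view"] | ACTIONS["edit"] | ACTIONS["upload"] | ACTIONS["download"],
    "super": sum(ACTIONS.values()),
}

# Constructed relation tables: (user, group, role) and (object, group, role).
USER_GROUP_ROLE = [
    ("alice", "orgA", "super"),
    ("alice", "orgB", "super"),
    ("carol", "orgA", "super"),
    ("bob", "orgA", "read"),
]
OBJECT_GROUP_ROLE = [
    ("doc1", "orgA", "read"),
    ("doc1", "orgB", "super"),
    ("doc2", "orgA", "editor"),
]


def allowed_actions(user, obj, ugr=USER_GROUP_ROLE, ogr=OBJECT_GROUP_ROLE):
    """Return the bitmask of actions `user` may perform on `obj`.

    Inner join on group: only groups both the user and the object belong to
    count.  Per common group the user's role bits are ANDed with the object's
    role bits (so a 'super' user in a 'read' group is trimmed to 'read'), and
    the per-group results are ORed together (aggregate OR).
    """
    user_mask = defaultdict(int)      # group -> OR of the user's role bits there
    for u, group, role in ugr:
        if u == user:
            user_mask[group] |= ROLES[role]

    allowed = 0
    for o, group, role in ogr:
        if o == obj and group in user_mask:           # the join condition
            allowed |= user_mask[group] & ROLES[role]  # AND per group, OR overall
    return allowed


def action_names(mask):
    """Human-readable, sorted list of the actions set in `mask`."""
    return sorted(name for name, bit in ACTIONS.items() if mask & bit)


def can(user, obj, action):
    """Single-permission check a controller would call before acting."""
    return bool(allowed_actions(user, obj) & ACTIONS[action])


if __name__ == "__main__":
    for user, obj in [("carol", "doc1"), ("alice", "doc1"), ("bob", "doc2"), ("bob", "doc9")]:
        print(user, obj, action_names(allowed_actions(user, obj)))
```

A user with no group in common with the object gets an empty mask, which is the safe default; nothing is granted unless both relation tables agree on at least one group.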