How to achieve multi-tenancy architecture using RMS and Web Studio

Article ID: KB0074925

Products Versions
TIBCO BusinessEvents Enterprise Edition 5.x

Description

The requirement is to provide folder-level access for Web Studio users in a project structured like the example below:
    MainProject:
        Client A:
            Concepts
            Events
            Rules 
            DT
            Rule functions
        Client B:
            Concepts
            Events
            Rules 
            DT
            Rule functions
        Client C:
            DBConcepts
            Concepts
            Events
            Rules 
            DT
            Rule functions

When Client A logs in to Web Studio, they should see and have access to only the folders below:
    MainProject:
        Client A:
            Concepts
            Events
            Rules 
            DT
            Rule functions

Issue/Introduction

How to achieve multi-tenancy architecture using RMS and Web Studio

Environment

All

Resolution

We do not recommend structuring the project this way. If separation at this scale is needed, these should ideally be different projects with project libraries, with each project governed via separate roles. It is not possible to have a top-level folder and then manage projects under it. However, something smaller can be managed. For example, take the project organization below:

    Project 1
        Rules
            Folder1Rules
            Folder2Rules
            Folder3Rules

Here User1 is associated with Role1 and User2 with Role2.
The ACL can then contain resource entries like these:

<resource id="RU" type="RULE"/> <!-- Generic resource entry for all rules -->
<resource id="ROLE1_RU" name="/Rules/Folder1Rules/*" type="RULE"/> <!-- For Role1 -->
<resource id="ROLE2_RU" name="/Rules/Folder2Rules/*" type="RULE"/> <!-- For Role2 -->

In the permissions section, the entry below allows read access to all rules generically. It goes in the role entry for both roles.
===============================
<permission resourceref="#RU">
  <action type="read">ALLOW</action>
</permission>
===============================

The entry below should be added to the role entry for "Role1". It denies access to all rules meant for Role2.
===============================
<permission resourceref="#ROLE2_RU">
  <action type="read">DENY</action>
</permission>
===============================

Similarly, the entry below should be added to the role entry for "Role2" to deny access to all Role1 rules.
===============================
<permission resourceref="#ROLE1_RU">
  <action type="read">DENY</action>
</permission>
===============================

The same logic can be applied to any entity type.
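
Because this scheme relies on each role carrying an explicit DENY for every other role's folder, a missed entry or a mistyped resource path exposes one tenant's rules to another. The following Python check is an added example, not part of the original article or of TIBCO's tooling; it audits an ACL for both problems. The wrapper elements (`acl`, `resources`, `entries`, `entry`, `role`, `permissions`), the `OWNERS` mapping, and the sample ACL are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
# Constructed sample. The wrapper elements (acl, resources, entries, entry, role,
# permissions) are an assumed layout; the article shows only <resource> and
# <permission>. Role2 is deliberately missing its DENY on ROLE1_RU.
SAMPLE_ACL = """
<acl>
  <resources>
    <resource id="RU" type="RULE"/>
    <resource id="ROLE1_RU" name="/Rules/Folder1Rules/*" type="RULE"/>
    <resource id="ROLE2_RU" name="/Rules/Folder2Rules/*" type="RULE"/>
  </resources>
  <entries>
    <entry><role name="Role1"/><permissions>
      <permission resourceref="#RU"><action type="read">ALLOW</action></permission>
      <permission resourceref="#ROLE2_RU"><action type="read">DENY</action></permission>
    </permissions></entry>
    <entry><role name="Role2"/><permissions>
      <permission resourceref="#RU"><action type="read">ALLOW</action></permission>
    </permissions></entry>
  </entries>
</acl>
"""
# Hypothetical mapping of each folder-scoped resource id to the role that owns it.
OWNERS = {"ROLE1_RU": "Role1", "ROLE2_RU": "Role2"}

def audit_acl(xml_text, owners):
    """Return a list of isolation gaps found in the ACL text."""
    root = ET.fromstring(xml_text)
    findings, seen = [], {}
    for res in root.iter("resource"):
        name = res.get("name")
        if name is None:
            continue  # generic entry such as RU, not tied to one folder
        if name in seen:  # two resource ids on one path: likely copy-paste error
            findings.append(f"{res.get('id')} and {seen[name]} share path {name}")
        seen[name] = res.get("id")
    for entry in root.iter("entry"):
        role = entry.find("role").get("name")
        denied = set()
        for perm in entry.iter("permission"):
            for act in perm.iter("action"):
                if act.get("type") == "read" and (act.text or "").strip() == "DENY":
                    denied.add((perm.get("resourceref") or "").lstrip("#"))
        for rid, owner in owners.items():
            if owner != role and rid not in denied:
                findings.append(f"{role} has no read DENY on {rid} (owned by {owner})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_acl(SAMPLE_ACL, OWNERS)))
```

Running the check whenever a tenant folder or role is added catches the case where an existing role was not given a DENY for the new folder.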

Additional Information

N/A