Solved

Rights cannot be applied because of multiple tenants applied to one application

  • 13 January 2022

Userlevel 3
Badge +7

I upgraded our applications in a single IAM with multiple tenants. There are 2 tenants and one user from one tenant has access to different applications. We achieved this by making a new tenant, creating 2 user groups, 1 for each tenant, and then applying the user rights to IAM. Works fine. However, when I try to upgrade these applications I have the following error displayed while trying to apply the roles to the database:

I bypassed the situation by removing the authorisation before applying the roles to the database and recreating the authorisation afterwards.

Why is this not possible?

 

(using TW platform 2021.3)

Best answer by Hugo Nienhuis 5 May 2022, 10:45

7 replies

Userlevel 5
Badge +10

Two tenants can have the same group name with different roles. For example:

Tenant A - User group Sales - Roles: Salesrole1, Salesrole2
Tenant B - User group Sales - Roles: Salesrole3, Salesrole4

This conflict will not allow the roles to be applied to the database since the conflicting roles would negate the use of the tenants. So if you want to use multiple tenants and apply the rights to the database make sure the group name is unique within each tenant. 

However, in a multi-tenant environment it’s best to not apply rights to the database and use the pooluser (indicium) instead. 
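An added example, not part of the original reply and not Thinkwise code: a pre-flight check for the conflict described above, run before applying roles to the database. The `(tenant, group, application, roles)` layout, the application names and the function names are assumptions for illustration; the real values would come from your own IAM export.

```python
from collections import defaultdict

# Constructed sample data (hypothetical layout, not the IAM schema):
# (tenant, user group, application, roles granted through that group)
ASSIGNMENTS = [
    ("Tenant A", "Sales", "CRM", {"Salesrole1", "Salesrole2"}),
    ("Tenant B", "Sales", "CRM", {"Salesrole3", "Salesrole4"}),
    ("Tenant A", "Finance", "CRM", {"Financerole1"}),
    ("Tenant B", "Support", "Helpdesk", {"Supportrole1"}),
    ("Tenant A", "Support", "Helpdesk", {"Supportrole1"}),
]


def multi_tenant_applications(assignments):
    """Map each application used by more than one tenant to its tenants."""
    tenants = defaultdict(set)
    for tenant, _group, application, _roles in assignments:
        tenants[application].add(tenant)
    return {app: sorted(t) for app, t in tenants.items() if len(t) > 1}


def find_group_conflicts(assignments):
    """Return {(application, group): {tenant: roles}} for every group name
    that occurs in more than one tenant with a different set of roles."""
    by_key = defaultdict(lambda: defaultdict(set))
    for tenant, group, application, roles in assignments:
        # Assumption: group names compare case-insensitively, as they would
        # under a case-insensitive database collation.
        by_key[(application, group.casefold())][tenant] |= set(roles)

    conflicts = {}
    for key, per_tenant in by_key.items():
        role_sets = {frozenset(r) for r in per_tenant.values()}
        # Same name in several tenants is only a conflict if the roles differ.
        if len(per_tenant) > 1 and len(role_sets) > 1:
            conflicts[key] = {t: sorted(r) for t, r in per_tenant.items()}
    return conflicts


if __name__ == "__main__":
    for app, tenants in multi_tenant_applications(ASSIGNMENTS).items():
        print(f"{app}: shared by {', '.join(tenants)}")
    for (app, group), per_tenant in find_group_conflicts(ASSIGNMENTS).items():
        print(f"CONFLICT {app}/{group}: {per_tenant}")
```

On the sample data only the `Sales` group in `CRM` is reported; `Support` exists in both tenants but carries the same role, so it is listed as shared without being flagged.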

Userlevel 3
Badge +7

Thanks for your reply. I will check once more and post the results.

Userlevel 5
Badge +10

Did you look into this? If so, is this question resolved?

Userlevel 3
Badge +7

No, I did not have the time yet. I do know that I did not apply user rights to the database. The only thing I did was applying the roles (to the database). But that is something that needs to be done anyway. But I will check once more, as soon as I can find some time :-)

Userlevel 3
Badge +7

I tested this once more. I created a test user (rdbms) and 2 test_user_groups. Each group has rights on a different application. I applied the user rights on IAM to make this effective. Works fine, the applications show that they are accessible to two different tenants:

I followed the following steps:

  1. I created a deployment package and upgraded all applications to version 4.11
  2. I activated the applications (note: I did not apply any rights yet)
  3. I logged in with my testuser (using a webgui) and that works fine, I end up in a fully functional version 4.11
  4. I deactivated the application (note: I stayed logged in with the webgui)
  5. I was still able to work in version 4.11, including making changes to the data.
  6. I logged out and back in: this time it showed the application was unavailable.
  7. I applied the Roles to the database: it showed the error message 'De rechten van deze applicatie kunnen niet toegepast worden omdat er meerdere tenants toegewezen zijn aan deze applicatie.' and I was not able to continue with this.
  8. I applied the user rights to IAM: this worked fine.

So it looks like it is possible to create the situation I would like, but after an upgrade it is impossible to apply roles to the database. I am not sure this is needed. What will happen when I create a new role? I used to think that this new role needs to be applied to the database, but is that really so? I only use the webgui for this application. What happens if I remove the roles entirely from the application database, would it still work?

Second thing I noticed: when I deactivate the applications it is still possible for a user to keep working in the application. How can I force users to log out of the application so I can safely do an upgrade?

Userlevel 5
Badge +10

This topic was lost in the fray. Do you still need help on this or did you solve this by now?

Userlevel 3
Badge +7

Topic can be closed.
