In our earlier blog, we have seen how to set up SSO with any identity system that you may have in your organization. In this blog we will look at how the roles and security model of Superset was leveraged to achieve the multi-tenancy that TurboApps needed.
To recap: TurboApps is the Turbo (Digital) Forms and low code platform that Unvired provides for Inspections, Safety Work Permits, Asset Management and many other use cases. TurboApps is available via a public cloud (SAAS) and can also be deployed either on a private cloud or datacenter for enterprises. The software deployed in all instances is the same and supports multi-tenancy as a standard feature. In order to embed the Superset analytics suite we had to extend the same model to Superset also. This was achieved by leveraging standard roles and security that is available in Superset. Before we understand how that was done, lets look at some concepts on which the model is built.
Read Part 1: Selecting An Analytics Solution For Turbo Forms
Roles: Superset provides users access to Datasets (tables / views which hold the data on which the visualization happens) using Roles. Roles determine the operations that a user can perform and also the datasets that they can see. A user can have multiple roles assigned to them. Superset by default is installed with two roles Gamma (restricted for users) and Alpha (for dashboard designers etc). These roles by default have access to all datasets and does not satisfy the restricted access that we need.
Row Level Security (RLS): Superset provides for additional row level security that allows datasets (assigned via roles) to be filtered by additional conditions. For e.g. lets say that tenants are identified in the table via a column TenantID. The RLS can be assigned to certain roles with the additional condition tenantID = 1 (for e.g.). This ensures that when a user with the role for Tenant 1 logs in, the additional RLS where clause is combined with an AND operator and only data that’s saved for TenantID = 1 is now served. Similarly RLS can be set up for each tenant with different IDs so that data can be partitioned accordingly.
Dashboard Role Based Access Control (RBAC): Superset via a feature flag, supports providing access to specific dashboards to specific roles. This allows TurboApps to have both standard dashboards and in addition provide custom dashboards for tenants that are available only to Administrators or Managers or both.
Now that’s behind us, let’s look at the implemented model for multi-tenancy:
- Turbo Apps primarily has two roles that need access to Superset dashboards viz. Administrators and Managers.
- Customize the Alpha (Admin) and Gamma (Manager) roles so that the minimum access is made available to view and work with dashboards and remove all dataset access.
- Create tenant-specific roles and assign dataset access.
- Create tenant-specific RLS and assign the tenant-specific roles to them.
- Create users via SSO and assign Alpha or Gamma based on role and the additional tenant-specific role.
- Assign access to all standard dashboards (RBAC) to Admins and Managers.
Customize Alpha and Gamma: For TurboApps usage we removed all write access for dashboards (for the public cloud) and additionally removed access to all datasets that these standard roles provide. These Alpha-Restricted and Gamma-Restricted roles were what was assigned to all users. The reason that we need to customize and not modify the standard roles is that whenever Superset is upgraded, the “superset init” command needs to be run. This resets all roles to their default values. The restricted Alpha and Gamma roles thus provide users with the ability to view dashboards, export CSV etc. but do not list the datasets that they need access to.
Tenant-specific roles: The tenant-specific roles (for e.g. Tenant-1-Manager and Tenant-1-Admin) provides access to the required datasets (tables, views, queries) and also has the attached RLS entries. Thus any user of a particular tenant will be able to view only their tenant data and also only those tables/views that they are allowed to. This ensures that all standard dashboards are allowed to be viewed and in addition any custom dashboards built for that tenant (using custom datasets) can also be viewed.
Provision Users: When users are auto-provisioned (check the earlier blog on SSO) they are assigned the Alpha or Gamma roles based on whether they are an Administrator or Manager in the TurboApps system. In addition, they are also assigned the Tenant-1-Admin or Tenant-1-Manager role to provide access to the required datasets.
Custom Dashboards: Custom dashboards can be built for tenants either using standard datasets or additional views or queries. The additional views and/or queries are assigned to the tenant specific role so that only users of that tenant have access to it. Additionally, the dashboards that are designed are also marked as accessible (RBAC) for the Tenant-1-Admin or the Tenant-1-Manager role.
Thus we can leverage Superset’s Roles, Row Level Security (RLS), and Dashboard Role-Based Access (RBAC) to ensure that each tenant can access only their dashboards and view only their data.
In the next blog, we will add a provisioning API that allows us to automate the above.
Frequently Asked Questions
What is a multi-tenancy platform?
A multi-tenancy platform is a software architecture where a single instance of the software serves multiple customers or “tenants.” Each tenant is isolated and has its own data set, users, and configurations but shares the same underlying infrastructure and code base. It allows the platform to be more cost-effective and scalable and share resources among multiple tenants. Multi-tenancy also allows for easy customization and configuration of the software for each tenant without the need for separate installations. Multi-tenancy platforms are popular in the SaaS (software as a service) model, where multiple businesses can use the same software, each with its unique data, settings, and users. It allows for more efficient use of resources and makes it easier for businesses to access and utilize the software.
What are the benefits of multi-tenancy?
The benefits of multi-tenancy in a software platform include Cost-effectiveness: Sharing a single instance of the software among multiple tenants can reduce costs associated with maintaining and scaling the software.
Scalability: A multi-tenancy platform can quickly scale to accommodate more tenants and users without requiring separate installations.
Customization: Each tenant can have its own set of data, users, and configurations, allowing for easy customization of the software to meet the specific needs of each tenant.
Improved security: Multi-tenancy can provide better protection as each tenant’s data is isolated and protected from other tenants.
Ease of access: Multi-tenancy allows for easy access to the software, as tenants can log in to their instance of the software.
Efficient use of resources: Multi-tenancy platform allows for more efficient use of resources to share among multiple tenants.
Higher availability: Multi-tenancy platform allows for higher availability of the software as multiple tenants can access it simultaneously.
How to enable auto user provisioning?
Auto user provisioning is a feature that automatically creates and updates user accounts based on information from an external directory or identity management system. Enable auto-user provisioning with the following steps:
Connect to the external directory or identity management system: This involves setting up a connection to the external system, such as through an API or a connector.
Configure the provisioning settings: This includes setting up the provisioning rules and mapping the external system’s attributes to the corresponding fields in the target system. Test the provisioning: Once configured, test the provisioning process to ensure user accounts are created and updated correctly.
Enable provisioning: After testing, enable the provisioning process to automatically create and update user accounts in the target system.
Monitor and maintain: Set up monitoring and maintenance processes to ensure the provisioning process runs smoothly and make necessary updates or adjustments. Organizations can easily manage and maintain user accounts by enabling auto-user provisioning, reducing the need for manual provisioning and minimizing the risk of errors.