
Showing posts with the label SaaS

How to build a Policy Management System

Introduction

Policies are a fine-grained model for applying security restrictions to the various entities in a business application. Can fine-grained access be achieved only with policies? The answer is no: the same can be modelled with entity-level permissions such as features. So what is so special about policies? A policy is typically a document in an agreed-upon JSON format that the user can build and tie to any entity or to a specific record in an entity. Since it is JSON, it is easy to define and can contain wildcards, regex matches, etc., which become difficult to manage in other formats.

Design

The diagram below illustrates how policies can be created and enforced in an application. As shown above, the Administrator is responsible for creating the policies and binding them to the entities. Enforcement of the policies is done as part of the entity service, which passes the access request on to a policy manager. The policy manager talks to the dat

How to design Tenant based roles in a multi-tenant SaaS application

The need

Q: Why do we need the option to allow tenants to create their own roles?
A: So that they can correlate their business roles with the SaaS application roles, rather than trying to keep a mental map of which business role maps to which application role.

Q: It seems quite useful, but how much of an effort is this?
A: Though it seems to be a little more work, it is quite simple. This post will walk through how to build and use this model.

Database Design

In the database (whichever multi-tenancy level is chosen), we need a table, which we can call Roles. This table normally contains the following attributes:

Roles (id, name, description, createdby, createdon, updatedby, updatedon, status/isActive)

This table allows all the roles to be defined at the global level. There will be another table, called Tenant Role, which maps the roles to the tenants:

TenantRoles (id, tenantId, roleId, mappedby, mappedon, updatedby, updatedon, status/isActive)

In this table, we are mapping the r

Data Security through Physical Isolation in Multi-Tenant SaaS Applications

There exists a notion that, in order to achieve better security, we should opt for physical isolation of databases. This is not true in reality: using the right patterns, we can still have a single table that holds all the tenant information and use the row-level security pattern to restrict data access by tenant. However, this is to be done for an MVP, and the design is to be revisited based on various parameters; in case a tenant has a very large volume of data, we can migrate that tenant's data to a separate database. The migration might take more time, so a suitable connector should be built so that the tenant filter is applied with the appropriate value during the data migration. The single-database approach is not applicable when GDPR, HIPAA or other compliance requirements have to be enforced.

Using Hashicorp Vault

Why a Vault?

The reason for having a vault is to have the secrets for the application stored in a very "safe" / "secure" location, so that only trusted clients of the Vault (web apps, services, etc.) can get access to the secrets. When we do not use a vault, the dev team will check in secrets like database credentials, AWS credentials, etc. to source control, which leaves them accessible to anyone who gets access to the source code. There are a lot of vaults out there in AWS, Azure, etc., but this system is open source and we have full control of the installation and security, which piqued my interest, and hence I started exploring.

Dangers of exposing Secrets

In the hands of the wrong person, it could be disastrous; the more privileges the secret has, the deeper the damage. Developers might get to try out changes with these credentials. In recent years, a colleague of mine forgot to append the where clause in the production

User Authentication schemes in a Multi-Tenant SaaS Application

User Authentication in Multi-Tenant SaaS Apps

Introduction

We will cover a few scenarios that we can follow to perform user authentication in a multi-tenant SaaS application.

Scenario 1 - Global Users Authentication with Tenancy and Tenant forwarding

In this scheme, we have the SaaS Provider Authentication gateway, which takes care of authenticating the users by performing the following steps: Tenant Identification; User Authentication; User Authorization; forwarding the user to the tenant application / tenant pages in the SaaS App. This demands that the SaaS provider authentication gateway be a scalable microservice that can take care of the load across all tenants. The database partitioning (horizontal or by other means) is left up to the SaaS provider service.

Scenario 2 - Global Tenant Identification and User Authentication forwarding

In the above scenario, the tenant identification is handled by the SaaS provider Tenant Identification gateway. Post which, the

Software As A Service (SaaS)

A Short Note on SaaS [Software As A Service]. IMHO, I am building upon a short post on SaaS; this is not exhaustive, but I encourage the readers to share their valuable comments to improve this post. SaaS is an abbreviation of Software As A Service, a.k.a. Software on Demand, where the vendors develop, host and operate the software and make it available on the internet for their consumers / customers. SaaS is the most mature category of cloud service, since it evolved from the application-service-provider model of software hosting. With SaaS, software applications are rented from a provider as opposed to purchased for enterprise installation and deployment.

Users

Can range from a small group to a multitude

SaaS Considerat