Can a single user have multiple DataKeys?

[michaelswells]

Most of my applications have a type of hierarchy (see below) where a user can be assigned multiple roles at different levels within the hierarchy.

I know that claims can have multiple values for Roles. Can this library deal with multiple DataKey claims without the user creating a login for each assigned role or making them choose?

For example:
Role one (set of permissions on program1 and below)
Role one (set of permissions on program2 and below)
Role two (different set of permissions on program1 - contract1 - packages2)
Role three (different set of permissions on program1 - contract1 - package2 - Library1)
...

Let me clarify what I mean.

This is the hierarchy [pattern] that keeps showing up. 
The actual names of the areas below contract can be different.
A user can be assigned to 

root                                 Assign: SuperUser (All things allowed)
\- area                              This would be the Tenant Name. Assign: Viewer on all things
    \- programs                      Assign: User can be assigned to multiple programs (separate permission: all or view below)
        \- contracts                 Assign: User can be assigned to multiple contracts on same and/or different programs (separate permission: all or view below)
           \- data items             Assign: User can be assigned to multiple data items on same and/or different contracts (separate permission: all or view below)
            |   \- packages 
            |      \- library
            \- packages 
            |   \- library
            |- subcontracts           Note: a subcontract is a contract with a reference to different contract (parent_id is not null)
                \- data items               and same tree as a contract. S subcontract cannot have a subcontract.
                |   \- packages 
                |      \- library
                \- packages 
                    \- library

FYI.
Note: The user can see all thing assigned to them.

I am also considering that when the user wants to edit an object where multiple roles can do something, they would need to select one of the allowable edit modes, i.e., button: Edit as RoleOne, Edit as RoleThree, etc.

Edit: strike though items referencing ** and below**.

[JonPSmith]

Hi @michaelswells,

The simple answer to the issue title "Can a single user have multiple DataKeys?" is no, a user can't have multiple DataKeys. However, the issue detail makes me think that you might be talking about a different issues.

In the AuthP library:

• A DataKey defines a tenant's database part where the information is stored - see Multi-tenant explained for more info.
• AuthP's Roles define what features in the application - see this article for more info.

Your use of of the word "Role" and the hierarchy pattern sounds that its not a DataKey you need, but AuthP's Roles. The AuthP Roles are different to the normal ASP.NET Core roles, because AuthP Roles aren't directly applied to your code via a Authorize, e.g. [Authorize(Roles = "Staff,Manager")], but they hold many AuthP's Permissions (see Permissions explained docs). This means you can have very detailed control of what parts of your application a user can access, so the AuthP Roles/Permissions approach may work for you.

You also talk about a hierarchy of access. I did implement a Permissions hierarchy for a client, but it turned out so complex it was difficult to understand and use. Therefore I removed the Permissions hierarchy to make it simpler, but that doesn't you can't implement a hierarchy - you just have to create Roles for each level, e.g. a Role called data items | packages | library has all the Permissions in the area you want to a user to access.

A user may have many Roles, but the Permissions in all the user's Roles are combined (+ distinct) and turned into astring for the user, where every character in the string holds the value of the Permissions enum. This means its very efficient and fast.

I hope my comments help.

[malovicg]

Hi John,

first I want to thank you for the energy you spent trying to simplify a very complex task. I just watched one of your videos on this subject, and decided to give a better look at the library - and here I am reading the discussions first :-).

When I read the question "Can a single user have multiple DataKeys?", I understood it as something I also need to have in my current project - Can the same user have access to 2+ tenants data (different databases)?

I am developing a hybrid multi-tenant system with shared login. That means that user accounts are shared between the tenants, if needed. This would allow that some users (ex consultants), would be able to be assigned to multiple tenants.

When I said user accounts are shared between the tenants, that does not mean that a tenant can see all users. It just means that, when adding a new user to tenant, if this user already exists (registered with some other tenant), then there will be no need to register accound (password, email address confirmation, etc ), it will just be assigned to this tenant. A tenant can only see users and their data that are registered / assigned to it, not from all users.

From identity / tenant data storage perspective, it would look something like this:

Identity.db

• Users: contains all users from all tenants
• Tenants: contains all registered tenants (this would be a hierarchical tenant, as you called it).
• UsersTenants: many-to-many Users / Tenants - result of assigning / removing user to / from tenant
• Roles / Permissions are assigned per for User / Tenant combination

Result: ConsultantA has different permissions for TenantA and TenantB, and uses the same account to login in.

Is this scenario supported?

Thanks again,
Goran

[JonPSmith]

Hi @malovicg,

As I said in the first question a user can't have multiple DataKeys, but are you aware of the AuthP's feature that allows admin users to access tenant data? This allows an user that isn't a tenant user to temporarily link to a tenant's data. I added this because of my experiences with a multi-tenant application I was asked to built for a client. Here are some links about this feature:

• One of my articles which talks about why this feature is useful for customer support.
• Documentation on this feature which shows to how to set up this feature and what it can do.

I'm not sure if this feature will solve all your requirements, but it gives you the ability pick any tenant data. Obvious you will need some extra code to make it work the way you want it to, but might help you to implement what you need.

I hope that helps.