We are studying Cerbos and I have a question - I'm exploring the multi-tenant SaaS demo and I'm probably missing something.
We have a multi-tenant solution that manages companies, in which a user can be a Project Manager in one company and a Company Administrator in another company. The companies, users and their role mappings are all managed in a MySQL database (Python Django based application with DRF). I'm not clear what the right approach is to handle this scenario with Cerbos. AFAIU, the multi-tenant SaaS demo is built with a single role per user, and users only exist in a single tenant. What happens if my role is context-aware to the specific company I'm currently working in, but I can have multiple roles? Can you direct me to the right place in the docs or a sample?
05/22/2023, 9:36 PM
Hi, you can absolutely have different roles for a user in different tenants. There are a couple of ways to approach this. One way is to filter out the roles for the user at the identity provider level (Django in your case) so that they only have the roles they should have in the context of the tenant they are accessing. That way, the Cerbos policies are just very simple ones that define what each role can do.
The other way is to send a map of tenants and the roles the user has for each tenant as a principal attribute. Then you can write derived roles or direct policy rules that make use of that map to make the access decision. Hope that makes sense. We used to have an example of such a setup but I can't find it at the moment because I am on mobile.
05/23/2023, 4:22 AM
Thanks a lot. That makes sense.
You wrote "..to send a map of tenants and the roles.." - what is the best practice to accomplish that? Can I write an internal REST API in my application that Cerbos can use as the real-time attribute source? Or would it be best to generate and export attribute map files once in a while?
05/23/2023, 9:26 AM
Your application will have to query/cache the map and send it as a principal attribute with each request. Cerbos is designed to be stateless and have a minimal security surface so it doesn't establish connections to other systems.