# help
hi all, I'm just getting started with Cerbos. I've read through the guide on multi-tenancy: https://www.cerbos.dev/blog/implementing-cerbos-in-a-multitenant-system. I probably need to sit down and go through it a bit deeper. I guess my main concern at a high level is I expected to see policy files organized at a tenant level, e.g
, but that guide organized it differently. So at the root level, I expected you may have some basic rules, e.g. user -- tenant rules, but policies are completely tenant specific. And then I assumed via Cerbos Hub, we might allow our clients to self-administer their tenant specific policies. Once again I'm just getting started, but since I don't see a major link in the Cerbos Hub docs on multi-tenancy, I would imagine it does not support what I was envisioning. Some context. I work in the mortgage industry. One of our products is for originating loans. One of the core attributes that affects policy decisions is the loan's status (e.g. is it active, in underwriting, closing, post closing, etc). All of our clients will have different roles depending on their size (e.g. maybe as few as 10 roles and as many as 100). And each client will have completely different configurations for each resource/role combo, e.g. "This resource can be updated only when loan is between active and underwriting statuses, but a senior manager can update it into closing" while other tenants may have different rules. We're launching a new product where I'm trying to utilize Cerbos and I'm trying to get a handle on how the configuration will scale when we have N tenants. Any follow-up article I should take a look at? I think I just need to dive in a bit more to see how to properly organize this. Thanks
Hi, there's no right or wrong way to organize your policies. If grouping them under the tenant is what you want, that's absolutely fine. It's only a stylistic choice if you use a policy repository with a file system such as Git. From your description, I assume that you want to use a dynamic policy store such as a database (or, indeed, Cerbos Hub). You don't have to think about the directory structure with dynamic stores at all. Scopes are the unit of organization that affects how policies are evaluated. If you'd like to discuss your use case further, you can book a call at https://www.cerbos.dev/workshop
That was my understanding. And I think because it's so flexible there's no way for Cerbos Hub to support multi-tenancy in a way our clients can self-manage their policies. It's not a big deal for us right now. I just wanted to be able to speak intelligently about this when those questions are raised. Thanks!