Setting up a user / roles management system - with multi-tenancy
Does anyone have any schemas, data models, or suggestions for creating a user / roles management system that accounts for multi-tenancy? For example, a user in organization A may be assigned a role to a certain project, to a certain application, in organization B. Any ideas? I've been reading up on RBAC; just looking for a good example.

Thanks

Assisi answered 28/2, 2011 at 20:34 Comment(0)
A
3

Does this work for you?

How to build a data model for an access control list (ACL)

Allegory answered 28/2, 2011 at 20:49 Comment(0)
S
3

Brief information about RBAC: a role-based access control system is a method for restricting access to some resources, applications, or features of applications based on the roles of the users of an organization.

Here, restrictions are applied by means of multiple permissions, which are created by administrator users to restrict access; these permissions collectively represent a role, which is then assigned to a user.

And if we go slightly deeper into RBAC, it basically contains three features.

1) Authentication - It confirms the user's identity. Usually this is done via user accounts and passwords or credentials.

2) Authorization - It defines what a user can and cannot do in an application. Ex. 'Modifying order' is allowed but 'creating new order' is not allowed.

3) Auditing of user actions on applications - It keeps track of users' actions on applications, as well as who has granted which access to which users.

This was a very basic top-level picture of an RBAC system.

For multi-tenancy applications, I would recommend 'managing groups and users' with roles and permissions.

Let us take an example.

There are multiple clients (tenants) for the application:

Client A – has – 100 users [Tenant A]
Client B – has – 50 users [Tenant B]
Client C – has – 100 users [Tenant C]

So, the scenario would be something like this: each client and the users of this client should be allowed to access specific features of the application only, and the administrators of these clients should be able to manage their own users only.

So, to handle this, we can

  1. Define and manage groups (tenants)
  2. Define and manage users or accounts as members of a group (tenant)
  3. Restrict access for each tenant in the application via roles or permissions
  4. Delegate security administration to local users within each client or organization

Something like shown below.

Groups Hierarchy (image):

Where group 'Client A' and its descendant groups will contain users for 'Client A', and similarly for other clients or organizations.

Accordingly, users will be assigned to appropriate groups, and roles will be assigned to particular groups.

You may check this article, which shows how to deal with multi-tenant applications for users and roles management via the ready-to-use framework provided by VisualGuard, where I work.

http://www.visual-guard.com/EN/net-powerbuilder-application-security-authentication-permission-access-control-rbac/secure-saas-and-multi-tenant-apps-with-asp-net-or-wcf-Silverlight.php

Sekofski answered 30/7, 2015 at 10:29 Comment(0)
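The design sketched in the answer above (tenants as groups, users as members of a tenant, roles that bundle permissions, and delegated administration per client) and the cross-organization case from the question (a user from organization A holding a role on one project inside organization B) can be tried out in a small relational model. The following is an added example written for this page in Python on SQLite; it is not code from the page, from VisualGuard, or from any of the answers. Every table, column, role and permission name and the sample tenants, users and projects are constructed for the illustration.

```python
import sqlite3

# Schema for the answer's design: tenants, accounts as tenant members, roles
# bundling permissions, and role grants that are always scoped to a tenant.
# All names here are assumed for the example, not taken from the page.
SCHEMA = """
CREATE TABLE tenant  (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE account (id INTEGER PRIMARY KEY, login TEXT NOT NULL UNIQUE,
                      home_tenant_id INTEGER NOT NULL REFERENCES tenant(id));
CREATE TABLE project (id INTEGER PRIMARY KEY,
                      tenant_id INTEGER NOT NULL REFERENCES tenant(id),
                      name TEXT NOT NULL, UNIQUE (tenant_id, name));
CREATE TABLE role       (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE permission (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE role_permission (role_id INTEGER NOT NULL REFERENCES role(id),
                              permission_id INTEGER NOT NULL REFERENCES permission(id),
                              PRIMARY KEY (role_id, permission_id));
-- A grant always names the tenant it applies to and optionally one project
-- inside that tenant (project_id NULL = the whole tenant). There is no
-- global grant, so a role held in Client B says nothing about Client A.
CREATE TABLE role_assignment (id INTEGER PRIMARY KEY,
                              account_id INTEGER NOT NULL REFERENCES account(id),
                              role_id    INTEGER NOT NULL REFERENCES role(id),
                              tenant_id  INTEGER NOT NULL REFERENCES tenant(id),
                              project_id INTEGER REFERENCES project(id));
"""


def open_db():
    """In-memory database with the schema loaded and FK enforcement on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def add(conn, table, **cols):
    """Insert one row and return its id. Table/column names are code constants here."""
    keys = ", ".join(cols)
    marks = ", ".join("?" for _ in cols)
    cur = conn.execute(f"INSERT INTO {table} ({keys}) VALUES ({marks})", tuple(cols.values()))
    return cur.lastrowid


def assign_role(conn, account_id, role_id, tenant_id, project_id=None):
    """Grant a role to an account, scoped to a tenant or to one project of that tenant.

    'project belongs to the tenant of the grant' spans two tables, so it cannot be a
    column constraint; it is checked here so no grant can bind a project to a foreign tenant.
    """
    if project_id is not None:
        row = conn.execute("SELECT tenant_id FROM project WHERE id = ?", (project_id,)).fetchone()
        if row is None or row[0] != tenant_id:
            raise ValueError("project does not belong to the tenant named in this grant")
    return add(conn, "role_assignment", account_id=account_id, role_id=role_id,
               tenant_id=tenant_id, project_id=project_id)


def grant_is_rejected(conn, account_id, role_id, tenant_id, project_id):
    """True if assign_role refuses the grant (used to show the tenant/project invariant)."""
    try:
        assign_role(conn, account_id, role_id, tenant_id, project_id)
    except ValueError:
        return True
    return False


def has_permission(conn, login, permission, tenant, project=None):
    """True if `login` holds `permission` in `tenant`, tenant-wide or on `project`.

    A tenant-wide grant (project_id NULL) covers every project of that tenant; a
    project-scoped grant covers only that project and never the tenant as a whole.
    """
    sql = """
    SELECT 1
      FROM role_assignment ra
      JOIN account         a  ON a.id  = ra.account_id
      JOIN tenant          t  ON t.id  = ra.tenant_id
      JOIN role_permission rp ON rp.role_id = ra.role_id
      JOIN permission      p  ON p.id  = rp.permission_id
      LEFT JOIN project    pr ON pr.id = ra.project_id
     WHERE a.login = ? AND t.name = ? AND p.name = ?
       AND (ra.project_id IS NULL OR pr.name = ?)
     LIMIT 1
    """
    return conn.execute(sql, (login, tenant, permission, project)).fetchone() is not None


def build_sample(conn):
    """Constructed sample data (not from the page): two tenants, two users, two projects."""
    ta = add(conn, "tenant", name="Client A")
    tb = add(conn, "tenant", name="Client B")
    alice = add(conn, "account", login="alice", home_tenant_id=ta)
    bob = add(conn, "account", login="bob", home_tenant_id=tb)
    payroll = add(conn, "project", tenant_id=tb, name="Payroll")
    invoicing = add(conn, "project", tenant_id=tb, name="Invoicing")
    editor = add(conn, "role", name="project_editor")
    admin = add(conn, "role", name="tenant_admin")
    p_modify = add(conn, "permission", name="order.modify")
    add(conn, "permission", name="order.create")  # exists, but no role below grants it
    p_users = add(conn, "permission", name="user.manage")
    add(conn, "role_permission", role_id=editor, permission_id=p_modify)
    add(conn, "role_permission", role_id=admin, permission_id=p_users)
    # alice's home tenant is Client A, yet she is an editor of one project in Client B only.
    assign_role(conn, alice, editor, tb, payroll)
    # bob administers users across Client B: delegated administration, and nothing in Client A.
    assign_role(conn, bob, admin, tb)
    return {"tenants": (ta, tb), "accounts": (alice, bob),
            "projects": (payroll, invoicing), "roles": (editor, admin)}


if __name__ == "__main__":
    db = open_db()
    build_sample(db)
    print(has_permission(db, "alice", "order.modify", "Client B", "Payroll"))
    print(has_permission(db, "bob", "user.manage", "Client A"))
```

The point of keeping `tenant_id` on every grant rather than deriving it from the project is that the authorization query never has to trust a join to discover which tenant a grant belongs to, and a tenant-wide grant and a project grant live in the same table with the same check. The group hierarchy from the answer can be layered on top by giving `tenant` a `parent_id` column and resolving grants up that chain.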
M
2

Have you looked at Rhino Security? It might not do exactly what you want, but Ayende does a pretty good job of walking you through the security model and the development process of same; it could give you a good starting point.

Mccreary answered 28/2, 2011 at 20:51 Comment(2)
Thanks, I've read through many articles and I think I've come up with a decent data model. Built it out in Visio - let me know what you think. img232.imageshack.us/i/rolesystemdraft.jpg – Assisi
Looks reasonable. I assume that in your mind, all access is doled out by company+role; there's no concept of individual rights? – Mccreary
E
1

You are in .NET, but for us in the PHP world, the Zend Framework provides a lightweight access control framework that enables you to build your own ACL implementation, which can help you understand the concepts and build your own in .NET: http://framework.zend.com/manual/en/zend.acl.introduction.html.

I can provide a MySQL Workbench file with an implementation that we are currently using if you need additional assistance.

Energy answered 5/9, 2011 at 6:05 Comment(0)