How Amazon Verified Permissions Enables Access Control in SaaS Applications

Access control is a crucial aspect of multi-tenant software as a service (SaaS) applications. Developers of SaaS applications must be able to manage permissions, fine-grained authorization, and isolation. In this article, we will demonstrate how Amazon Verified Permissions can be used for access control in a multi-tenant document management SaaS application using a per-tenant policy store approach. We will also discuss the enforcement of tenant boundaries.

There are several access control needs that are typically seen in multi-tenant SaaS applications. Firstly, application developers need to define policies that apply across all tenants. Secondly, tenant users need to have control over who can access their resources. Lastly, tenant admins need to be able to manage all resources for their respective tenants.

Additionally, independent software vendors (ISVs) implement tenant isolation to prevent one tenant from accessing the resources of another tenant. Enforcing tenant boundaries is crucial for SaaS businesses and is a foundational topic for SaaS providers.

Amazon Verified Permissions is a scalable service that facilitates fine-grained permissions management and authorization. It allows you to build and modernize applications without needing to implement authorization logic within your application code. Verified Permissions utilizes the Cedar language to define policies. A Cedar policy states which principals are either permitted or forbidden from performing actions on a resource. The collection of policies defines the authorization rules for your application. These policies are stored in a policy store, which serves as a container for policies and templates.

Prior to Verified Permissions, authorization logic had to be implemented within the application code. With Verified Permissions, this burden is alleviated, and we will now illustrate how it achieves this in a sample document management SaaS application.

The document management SaaS application allows users to add, share, access, and manage documents. It requires the following access controls:

– Application developers need to define policies that apply across all tenants.
– Tenant users need to control who can access their documents.
– Tenant admins need to manage all documents for a tenant.

There are two possible approaches to multi-tenant design in Verified Permissions: a single shared policy store and a per-tenant policy store. For this application, we have chosen the per-tenant policy store approach for its benefits: low-effort isolation of tenant policies, the ability to customize templates and schema per tenant, low-effort tenant off-boarding, and per-tenant policy store resource quotas. This approach does come with trade-offs: high effort to implement global policy management and medium effort to implement the authorization flow.
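The authorization flow under the per-tenant policy store approach, sketched as an added example (not code from the original article): the policy store is selected from the tenant in the caller's already-verified token, and anything other than an explicit ALLOW is a deny. The `tenant_id` claim name, the `DocumentsApp` namespace, the placeholder store IDs and the `InMemoryAVP` stand-in are assumptions; its `is_authorized` keyword arguments mirror the boto3 `verifiedpermissions` client.

```python
# Constructed tenant registry: tenant ID -> policy store ID (placeholder IDs).
TENANT_POLICY_STORES = {
    "tenant-a": "PS-PLACEHOLDER-A",
    "tenant-b": "PS-PLACEHOLDER-B",
}
NAMESPACE = "DocumentsApp"  # hypothetical Cedar namespace


class InMemoryAVP:
    """Offline stand-in for boto3.client("verifiedpermissions"); constructed data."""

    def __init__(self, allowed_by_store):
        self.allowed_by_store = allowed_by_store  # store ID -> {(user, action, doc)}

    def is_authorized(self, policyStoreId, principal, action, resource):
        key = (principal["entityId"], action["actionId"], resource["entityId"])
        allowed = key in self.allowed_by_store.get(policyStoreId, set())
        return {"decision": "ALLOW" if allowed else "DENY"}


def build_request(claims, action_id, document_id):
    """Build IsAuthorized parameters from already-verified token claims."""
    tenant_id = claims.get("tenant_id")  # assumed claim name
    user_id = claims.get("sub")
    # The policy store is chosen from the token's tenant, never from request input.
    store_id = TENANT_POLICY_STORES.get(tenant_id)
    if not store_id or not user_id:
        raise PermissionError("unknown tenant or missing subject")
    return {
        "policyStoreId": store_id,
        "principal": {"entityType": f"{NAMESPACE}::User", "entityId": user_id},
        "action": {"actionType": f"{NAMESPACE}::Action", "actionId": action_id},
        "resource": {"entityType": f"{NAMESPACE}::Document", "entityId": document_id},
    }


def is_allowed(client, claims, action_id, document_id):
    """Fail closed: only an explicit ALLOW grants access."""
    try:
        request = build_request(claims, action_id, document_id)
    except PermissionError:
        return False
    return client.is_authorized(**request).get("decision") == "ALLOW"
```

Because a request is only ever evaluated against the caller's own tenant store, a policy that exists in one tenant's store cannot grant access to a user whose token names a different tenant.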

The article provides a detailed architectural overview of the application, focusing on permissions management. It describes various use cases, such as defining policies that apply across all tenants, preventing tenants from editing policies of other tenants, adding documents, sharing documents with other users of the same tenant, accessing shared documents, and managing all documents for a tenant.

In conclusion, this article demonstrates how Amazon Verified Permissions can be used to implement fine-grained authorization decisions in a multi-tenant SaaS application. The per-tenant policy store approach is explained, along with the different use cases and architectural considerations. Developers can refer to the Verified Permissions user guide for guidance on choosing between using a per-tenant policy store or a shared policy store. To learn more, readers are directed to visit the Amazon Verified Permissions documentation and workshop.