I am trying out Payload CMS to use as a backend for my multi-tenant SaaS app.
Users can be part of an organisation, and in each organisation they are a member of they will have a specific role (owner, admin, member). If a user is not a member of an organisation they won't be able to access the organisation at all. If they are a member of the organisation they will be able to access it, and depending on what role they have they get access to different CRUD operations within the organisation.
In my current setup I have three collections:
- Users
- Organisations
- OrganisationMembers
OrganisationMembers has the following fields:
- Relationship field for organisations
- Relationship field for users
- Text field for role
How can I create an access control function on the collection `Organisations` that only allows access to users connected to that organisation through the collection `OrganisationMembers`?
I.e. I need to read from another collection to verify whether a user has access to update another collection?
This is a common pattern and should be totally doable. Your relationship needs to be set on the `Users` collection instead of `OrganisationMembers` so that `req.user` contains all the data needed in your access control hooks. This also means you could remove your `OrganisationMembers` altogether. Check this out:
```js
{
  type: 'array',
  name: 'access',
  fields: [
    {
      type: 'select',
      name: 'name',
      // Payload select options are defined with `label` and `value`
      options: [
        { label: 'Read', value: 'read' },
        { label: 'Write', value: 'write' },
      ],
    },
    {
      type: 'relationship',
      name: 'organisation', // every Payload field needs a name
      relationTo: 'organisations',
    },
  ],
}
```
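To show how the `access` array on the user feeds the collection's access control, here is an added example (not code from the thread or from the Payload project). It assumes the relationship field inside the array is named `organisation` and the Organisations collection slug is `organisations`; the functions are plain JavaScript so they can be exercised without a running Payload instance, and the returned value follows Payload's access-control contract (`false` denies, a `Where` object restricts the query).

```javascript
// Added example: derive Organisations access from `req.user.access`.
// Assumption: the array's relationship field is named `organisation`
// and the target collection slug is 'organisations'.

// Payload may populate a relationship (object with `id`) or hand back the bare id,
// depending on depth, so normalise both shapes to an id string.
function relationId(value) {
  if (value && typeof value === 'object') return String(value.id);
  return value == null ? null : String(value);
}

// Ids of the organisations on which the user holds the given permission.
function organisationIdsFor(user, permission) {
  const entries = Array.isArray(user && user.access) ? user.access : [];
  return entries
    .filter((entry) => entry.name === permission)
    .map((entry) => relationId(entry.organisation))
    .filter((id) => id !== null);
}

// Returns a Payload access function. Returning a Where constraint instead of
// `true` is what keeps one tenant's organisations invisible to everyone else;
// a user with no matching entries is denied outright rather than given an
// empty filter, so nothing leaks through an unexpected query shape.
function organisationAccess(permission) {
  return ({ req }) => {
    const user = req && req.user;
    if (!user) return false; // unauthenticated requests see nothing
    const ids = organisationIdsFor(user, permission);
    if (ids.length === 0) return false;
    return { id: { in: ids } };
  };
}

// How the functions plug into the collection config.
const Organisations = {
  slug: 'organisations',
  access: {
    read: organisationAccess('read'),
    update: organisationAccess('write'),
    delete: organisationAccess('write'),
  },
  fields: [{ name: 'name', type: 'text', required: true }],
};
```

Because the constraint is evaluated server-side on every request, a member can only ever receive or modify documents for the organisations listed on their own user record, regardless of what the client asks for.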
For anyone dropping into this thread, we just shipped an official multi-tenant example, check it out!
https://github.com/payloadcms/payload/tree/master/examples/multi-tenant
Not sure if it's relevant to your case - there's a multi-tenancy example in this vid:
Is it possible to somehow switch between the tenants? (Like a global dropdown) - I'd like to maintain 5-6 pages with a single payload instance.
I have created a sites collection and each page has a relation to a site - so that works, but it's a bit cumbersome to filter the content or to see the whole content of all pages at once (images, collections, ...)
Could you log in as a super-admin?
@wiesson I think we could add another field to the user config, i.e. a relationship field `viewAsTenant`, and then we could adjust access control to take that into account if it is set.
@jacobsfletch not sure if this is something we want to support out of the box? I could give it a go if you think so. I do see the value.
I was thinking that we should add a component in beforeNavLink. This component will be a dropdown that will be selected with the lastLoginTenant and if we change the selection we update the lastLogin tenant.
Moreover we should also add an interval of like 3 minutes where we refetch the last value to be sure that we don't have any stale data.
If we do that we can improve the access control by only showing the data of this tenant every time.
What do you think?
@jarrod_not_jared totally, as long as it doesn't overcomplicate the example, but I think @Bouba is spot on here: we can reuse the existing `lastLoggedInTenant` field. Although I don't think we should add any time interval to this example. I went ahead and took a stab at this just now, check it out!
https://github.com/payloadcms/payload/pull/2719
@jacobsfletch How do I set up the DNS records for the admin panel? I have pointed my A record to the server IP address, but it isn't working.
This is for the client admin page and not for the super-admin admin page
@techinverted Are you on Payload Cloud? If not, a simple A record should work just fine, but if you're using Nginx as a reverse proxy you'd need to also ensure your server blocks are set up properly.
Okay, so I’ve used an A record and I’m still getting “404 page not found”, I’ll look into the nginx config