Access Control in Multi-Tenant Applications with Visual Guard

Introduction

"Multi-tenant" and "Software as a service" applications are becoming more and more common. Companies are looking for different ways to manage their IT needs. They expect solutions that can adapt to their internal organizational structure and lower their deployment and maintenance costs. Multi-tenant applications allow just that – low cost and flexible architecture. However, multi-tenant applications also pose unique challenges. In this article, we will look at security administration and user management in a multi-tenant application with Visual Guard.

Background

Multitenancy is a concept where a single copy of an application is running on a server, and is used simultaneously by multiple independent sets of users (tenants), in contrast to multi-instance architecture, where each set of user works with a truly separate instance of the software. The application is therefore designed to partition its data and configuration into "silos", so that each tenant uses a customized and private instance of the application.
For an application sold on a Saas (Software as a Service) model, tenants expect to feel that they each have the advantages of a separate application, but the cost savings of a shared service. However, as with every structure, there are also disadvantages relating to the repartition of the application. For example, clients may be concerned that their data will not be secure with only virtual partitions. Companies planning to offer their products must be able to respond to this type of concern.

User Management

Access control data, including user accounts and administration data, must be kept separate for each tenant. However, this must all happen on one central application. This presents a challenge for access control, as any system integrated in the application must be shared across all clients.

In short, multitenant application access control solutions need to meet two key criteria:

1. Protect Data from Other Tenants
   

   The perceived risk of data disclosure is greater with multi-tenant applications. Users should trust their private data is secure, although they are sharing the application with other organizations.

   A robust Access Control system isolates each tenant's data to provide a suitable level of protection. This system should provide the following features:

   • Defining and Managing tenants (sets of users)
   • Defining and Managing user accounts as members of a tenant
   • Restrict access to data within each tenant
2. Delegate administration privileges

   The owner of the information should have the ability to decide who is able to view and access it. Each client organization should be able to independently customize access rights for each user.

   Therefore, Access Control systems should allow users to:

   • Delegate security administration to local managers within each Client organization
   • Protect data confidentiality: a tenant administrator should not have access to other tenants’ security data
   • Preserve data availability: while data needs to be secure, it also needs to be accessible and available in a timely manner. So do administration features

Making Administration Features Accessible to Each Tenant

It is important to simplify access to the administration features:

• Multi-tenant applications are used over multiple sites. The administration interface should be as easily deployable as the application itself.
• To be able to distribute administration rights in a way that is very flexible, each user should be able to access the administration features, no matter where they are or their technical skill.

By default, the two main solutions are as follows:

1. Custom Access Control System:
   Any system developed for a multi-tenant application needs to be flexible enough to allow each client to customize their security policy and user accounts to their individual security policy. This means that account provisioning should be done by the end client, and your system needs to support this option. It should also be scalable for any number of clients. And it must also be secure, so that no client can access another’s security data. Such a solution is usually very complex, time consuming and costly to build.
2. Visual Guard:
   Visual Guard is an access control system that works with most application architectures. It combines user account management, permissions and audit for one or multiple applications. It allows you to define a user group hierarchy, with each group containing users or other groups. In a multi-tenant application, each client is assigned to a group, and their internal structure is replicated through the creation of sub-groups. The same security system is used for all clients, but each client will have administration rights for their users only.

Click here for more information on Visual Guard

Visual Guard

Visual Guard helps resolve the difficulties in securing a multi-tenant application.

Managing Independent Tenants

	Example 1: a commercial SAAS application might put their « Clients » at the first level in the hierarchy. Each client would then create their own sub-groups to recreate their organizational structure.
Example 2: an administration can define a tenant for each agency that uses their system. If these agencies are part of the administration’s departments or divisions, they can be places at lower levels in the hierarchy.
	Example 3: if an organization needs to manage a mixed population of internal and external users, it can define tenants to manage each set of users independently. Note: in this situation, VG also allows you to combine autentication with Windows accounts (internal users) and username/password accounts (external users). For more information, please see mixed-mode authentication.

Apart from these basic examples, Visual Guard supports multiple other configurations. For example, you can authenticate users with their Windows accounts, whether or not each tenant uses its own Active Directory. In this case, Visual Guard allows you to federate multiple Active Directories that don't belong to the same network. In certain cases, you can also implement Single Sign-On (SSO) based on the user's Windows account.

Read more about Visual Guard and SSO.

Restricting the Administration Rights to a Tenant

In general, Visual Guard allows you to give privileges to an administrator so that they can manage users and give permissions for each application.

Administration privileges can also be limited to a group of users. In this case, the administrator can only see and manage the users in their group.

When working with a multi-tenant application, it is recommended to name at least one administrator per tenant, and to limit their administration rights to that tenant.

However, Visual Guard can do much more: we can limit administration permissions to any level of the group hierarchy. This system offers a great deal of flexibility for the distribution of administration rights in any entities within each tenant.

To go further:

You can combine multiple criteria to limit administration permissions:

• As shown above, you can limit these permissions to certain groups of users
• You can also limit these permissions to certain applications
• You can limit them to certain administration operations (for example, the administrator can create users and give them Roles, but cannot define Roles)

Making Administration Features Accessible to Each Tenant

It is important to simplify access to the administration features:

• Multi-tenant applications are used over multiple sites. The administration interface should be as easily deployable as the application itself.
• To be able to distribute administration rights in a way that is very flexible, each user should be able to access the administration features, no matter where they are or their technical skill.

By default, the two main solutions are as follows:

1. Visual Guard Web Console:
   

   This application allows you to manage users and their groups, roles, permissions, etc?

   • It consists of a web application (ASP.NET), which is accessed by a simple browser
   • It can be deployed with the application and is accessible to the same users
   • It includes an extension mechanism: add custom asp.net pages to the Console to comply with specific security requirements
2. Custom Administration User Interface:

   A custom ASP.NET or WCF/Silverlight administration interface can also be developed

   • It can be deployed as a separate administration console, or integrated into your application
   • They call the Visual Guard APIs to perform all necessary administration operations. These APIs are secured as described above. They allow you to, in particular, manage the tenants and delegate the administration restrictions to each tenant. See more information on the APIs here.

Audit: Centralized or Distributed View and Control?

Similar to the administration rights, it is also possible to both give and limit permissions to see and control the multitenant application security.

Depending on the circumstances, we may wish to either centralize or distribute these permissions.

Example 1: in-house applications used by several entities of a large organization

• By default, this type of application requires centralized control for its security
• The auditor must be able to see all access rights and all sensitive operations performed, regardless of the users, departments or tenants concerned
• Each organization is then free to limit the scope of the auditor to certain sets of users and / or applications

Example 2: SaaS commercial applications used by multiple customers

• The software vendor may offer each client the ability to control security for its users. In this case, the scope of each auditor is limited to a tenant (client).
• The auditor of each tenant can see the access rights of their users. They may also control operations performed by the users and administrators of their tenant
• If necessary, the software vendor can control certain operations performed by their clients. This may be useful in some cases of technical support, for example to understand the history of the application's use and administration

Integrating Visual Guard

Integrating Visual Guard is a simple process. For example, below are the 4 steps to integrate Visual Guard in a .NET application:

1. Adding the Visual Guard runtime to the Visual Studio project of your application.
2. Inserting the code which will identify the user and activate the security.
3. Creating a Visual Guard repository and declaring your application through the administration console.
4. Generating Visual Guard configuration parameters. These parameters will be stored in 2 configuration files: VisualGuardConfiguration.config and VisualGuardConfiguration.exe.config.

These steps are just an example for a .NET application, as Visual Guard can be integrated into any application that can make HTTP requests.

Conclusion

Multi-tenant applications pose distinct challenges for the security of client data. A solution like Visual Guard allows you to use a single access control system for your multi-tenant application, while ensuring the privacy of client data.

Further Reading?

• Find out more about how Visual Guard secures applications for any internal organization structure, including multi-tenant applications