Ash multitenancy and authorization when global? is true

Hello,

I am learning Ash for a new project. I am defining the multitenancy configuration, and I have a question about authorization.

From the docs:

If you want to enable running queries without a tenant as well as queries with a tenant, the global? option supports this. You will likely need to incorporate this ability into any authorization rules though, to ensure that users from one tenant can’t access other tenant’s data.

Can an authorization rule be created so only actors with the attribute is_superuser=true can get all the data? I miss an example of this.

What do you think is the best option?

  1. Having one action with the proper authorization rules to be able to query with and without tenant
  2. Create two read actions, one for retrieving all data (global? true) and another to use only with the tenant?

Thanks!

Yep! You would do this with a custom simple check.

defmodule MissingTenant do
  use Ash.Policy.SimpleCheck

  def match?(_, %{subject: subject}, _) do
    {:ok, is_nil(subject.tenant)}
  end
end

Then you can use this in your policies. With the introduction of policy groups, I’d suggest doing something along these lines:

policy_group action(:read) do
  policy MissingTenant do
    authorize_if actor_attribute_equals(:role, :admin)
  end

  policy always() do
    general rules ....
  end
end

It’s important to fully read the policies guides to understand how they work. All policies that apply to a request must pass, and policies fail if no check sets their status to authorized.

1 Like

There is unfortunately no right or wrong answer here. They are both viable options. more and more specific actions can often simplify your application and authorization code. For reading, however, I often have fewer more flexible actions.

For your case, I’d suggest starting with the one read action that can have a tenant set or not, with policies ensuring only admins do that, and going from there :slight_smile:

1 Like

Thanks a lot @zachdaniel !

I am struggling with the docs. I didn’t know SimpleCheck could be used as a condition, and I couldn’t find anything like that in the docs.

After navigating some time over all the documentation, I saw that the arguments of match? are: actor, context and opts. But I didn’t know that subject is in the context, and I didn’t find it on the docs either. I don’t even know what subject is.

I understand your example, but I couldn’t have figured it out myself.

That is the main problem I have using Ash with as a beginner.

I see on the SimpleCheck docs that says:

A type of check that operates only on request context, never on the data

But I don’t understand why this is important, and I think having a reference to checks that operate on the data would be helpful.

Ash is awesome! But starting to use it is not that easy, in my opinion.

This is not criticism of the docs, but just my experience with them, so maybe it can help somehow.

Thanks again; I’m very excited to learn Ash!

We understand the issue and are working on it :smile:

1 Like

The authorizer context is documented here: Ash.Policy.Authorizer — ash v3.4.47

1 Like