How to approach cross tenant users?

I am working on a multi-tenant domain based saas project and want to be able to have cross-tenant users

I am using the pattern “tenant-discriminator-in-shared-tables”, i.e. I have a tenant ID for all resources, however users to tenants is many to many

I am looking for guidance on good approaches

Should I have a join table such as user_tenant and manage that when an existing user registers and uses a new tenant?

Any suggestions about modifying exist logins based on phx.auth.gen?


Have you checked out the Ecto “how-to” guides on multi-tenancy?

thanks @arcanemachine I have now, I actually have the tenant pattern in place except for users

I am stuck on the best approach to making cross tenant users

if user1 is member of tenant1
then user1 joins tenant2

should I use a many to many user_tenants join table?

how to modify the phx.gen.auth generated controllers to manage this?

Presumably if you have tenants and users you also have roles within tenants too, regular users vs tenant admins?

You might consider a TenantRole so that your join table tennant_roles associates users with tenants and their role in that tenant.

I have generally found using schemas a safer approach to tenant isolation and often a security requirement for many organisations because they don’t want their data being caught up in Anton Piller orders (Impoundment orders in the USA).

However if you have use cases where there is sharing of resources across tenants aside from just the users and tenants tables then you end up having to put those tables to the public schema, e.g. you might have projects where users outside an org tenant can be invoted as team members or a jobs board where service providers can bid on the work.

1 Like