from Hacker News

Ask HN: How would you design an enterprise (B2B) user permissioning system?

by yuningalexliu on 8/7/18, 1:30 AM with 3 comments

It seems that most enterprise applications I've worked with have very different approaches, and I'm wondering if there are best practice/time-tested architectures or resources. Thank you!

  • by ilkhan4 on 8/7/18, 2:09 AM

    Authentication or authorization? If it's the latter, I'd model it on what AD/LDAP do: folders/OUs for hierarchy, groups for crossing hierarchy boundaries, then users and securables as objects in the directory. Then on top of that, be able to assign permissions such that node (OU/group/user) -> can-do-action -> other node. Then child nodes inherit permissions as well. We're using something similar in a system I worked on and sys admins and end users are pretty comfortable with it since it used the same paradigms they're used to. You can also use the same thing for multi-tenancy by just creating OUs for tenants.

    For authentication, whatever supports ADFS, SAML and/or OIDC. It's a big plus when they can use existing credentials or SSO into your system from theirs.

  • by BjoernKW on 8/8/18, 6:34 PM

    Most of what you describe probably can be attributed to the fact that there used to be (and still are to some extent) quite a few competing identity server software providers.

    The enterprise world tends to move more slowly than the rest of the world (or at least it often seems that way), which is why older systems and practices frequently are still in use.

    If available I'd make use of existing Active Directory / LDAP systems (as ilkhan4 has already pointed out) for authorization.

    For authentication Kerberos (often used in conjunction with Active Directory / LDAP) is an elegant way for implementing single sign-on (SSO) because it allows the user to simply authenticate with her normal user account in the local OS. Afterwards, the user's automatically logged in to every application on the local network that uses Kerberos for authentication (basically, by sharing a token).

    Other than that, the usual best practices apply (such as not storing plaintext passwords). Depending on your architecture, techniques common outside of the enterprise world like transferring information via JSON Web Tokens are useful, too.

  • by megamindbrian2 on 8/7/18, 1:56 AM

    Something to do with Posgres row-level-security as an ACL would be amazing. Otherwise Identity Server is a good foto for in house, and AWS AMI for serverless.