tags:

views:

37

answers:

1
+2  Q: 

How to implement Tenant View Filter security pattern in a shared database using ASP.NET MVC2 and MS SQL Server

I am starting to build a SaaS line of business application in ASP.NET MVC2 but before I start I want to establish good architecture foundation.

I am going towards a shared database and shared schema approach because the data architecture and business logic will be quite simple and efficiency along with cost effectiveness are key issues.

To ensure good isolation of data between tenants I would like to implement the Tenant View Filter security pattern (take a look here). In order to do that my application has to impersonate different tenants (DB logins) based on the user that is logging in to the application. The login process needs to be as simple as possible (it's not going to be enterprise class software) - so a customer should only input their user name and password.

Users will access their data through their own sub-domain (using Subdomain routing) like http://tenant1.myapp.com or http://tenant2.myapp.com

What is the best way to meet this scenario?

A: 

The easiest way is to have a Tenants table which contains a URL field that you match up for all queries coming through.

If a tenant can have multiple URL's, then just have an additional table like TenantAlias which maintains the multiple urls for each tenant.

Cache this table web side as it will be hit a lot; invalidate the cache whenever a value changes.

You can look at DotNetNuke. It is an open source CMS that implements this exact model. I'm using the model in a couple of our apps at it works well.

BTW, for EVERY entity in your system you'll need to have a tenantid column acquired for the above table.

Chris Lively  2010-09-17 19:47:45
I'm going to take a look at the way they implemented it in DNN, thanks. Well basically what you're saying is exactly what I wanted to do but I also wanted the app to impersonate as different DB users based on that URL. I don't think I'll go with this approach now. I found another good way to implement this without the need to impersonate: http://blogs.imeta.co.uk/jyoung/archive/2010/03/22/845.aspx
brainnovative  2010-09-24 07:55:20
That's a good info link. It does require that the db user be tied to your tenants table, but I think that may be a preferable way to do things. An interesting advantage with jyoung's idea is that you can encrypt the data with user specific certificates... I'm going to have to do some research. Thanks for the link
Chris Lively  2010-09-24 13:48:51

related questions

SQL CREATE LOGON - can't use @parameter as username
Should we go open-source?
How should I provide a hosted service on Google App Engine
How to build LDAP integration for my web app?
Which billing provider can I use for my SAAS applications?
What are the best practices in building multi-tenancy applications?
How can multiple webapps in the same tomcat instance share database connection pool?
Off-the-shelf Web-based Service Management Software
Rebranding a GPL'd app as SaaS
Multi-tenancy with SQL/WCF/Silverlight
Are there any good online IDEs?
SaaS-company structure
Which Business Model: SaaS (Software as a Service) or Desktop ?
Account based lookup in ASP.NET
Is your employer comfortable with a hosted bug tracking solution, or it has to be inhouse?
Efficient Filtering / Searching
Hosted subversion recommendations or suggestions
What is the best way to measure and cap bandwidth usage in a LAMP SaaS Web application?
SAAS per seat authentication
How would you approach, in .NET, allowing the tenants of a multi-tenant SaaS app to arbitrarily add properties to the entities of the model?
Do in-line ads indicate a SaaS product's monetization strategy is flawed?
Version control "in the clouds"
Best Way to Manage Configuration Data
Multi tenant architecture and NHibernate
SaaS database design - Multiple Databases? Split?