tags:

views:

143

answers:

2
+1  Q: 

In Multi-Tenant Data Architecture, what is the best way to implement tenant filter view?

I am implementing a SaaS application using ASP.Net MVC 2 and SQL Server database. I am using Shared Tenancy approach.

To filter data, so far I have found 2 approaches.

Option 1: http://msdn.microsoft.com/en-us/library/aa479086.aspx#mlttntda_tvf

Using sql login per tenant. Thus, using SUSER_SID() as a filter in the views

Option 2: http://blogs.imeta.co.uk/jyoung/archive/2010/03/22/845.aspx

Storing tenant id in the Context_Info. Thus, using a sql function that reads tenant id from the Context_Info as a filter in the views.

Can you please help me pick the appropriate option?

Thanks Thanks

+4  A: 

I think this comes down to a battle of security models. A DBA may insist you do the former. I, being more pragmatic, would likely pass the tenant ID into my SPs or queries from the application layer.

I would back this up with a whole lot of unit tests that ensure one tenant can never see another tenants data, and I would only store the current tenant on the server in session or simmilar, never in a cookie or in URLs, or anywhere else that can be hacked on the client.

This makes it much easier to add new tenants, as there is no DB config required.

Of course, sessions can be hacked, so you need to take all precautions to ensure that however you store tenant ID on the server, it is immune from spoofs, etc.

RedFilter  2010-08-11 16:19:27
I'm with you on this one: option 1 isn't very flexible because it's based on the assumption that each user will exist at the domain level. Option 2 lets you have users who exist only as rows in some User table. This lets you fill the user table by syncing with the AD of that tenant's domain.
Steven Sudit  2010-08-11 16:37:15
The option to store tenant Id in session was not in my radar, so can you please elaborate on how to implement it?I am going to map tenant site URL to a tenant id.In which tier, do you set the tenant id session? Would you store it in application cache? Thanks
AlterWorld  2010-08-11 16:47:08
I am thinking of this as a standard web site: user logs in, you then grab their tenant ID and redirect to that tenants home page. Although it is fine to use tenant ID in URL, you need to confirm user is *allowed* to access that tenanID on each request, and a simple way to do that is keep the tenantID in session (`Session["TenantID"] = user.TenantID`) so that you don't have to query the DB for the user's profile on each request. I would probably put code in my base Controller class that confirms that the user is allowed to access the TenantID in the querystring; if not, it redirects.
RedFilter  2010-08-11 16:58:32
Thanks for the response, I will use tenant id in session.
AlterWorld  2010-08-11 17:52:22
A: 

I would add that inline table-valued functions can also be useful in building any isolation layers.

Cade Roux  2010-08-11 17:29:50

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?