Shared entities between platform tenants

[akoenig]

Permify is awesome and it looks like it fits our needs completely. Thanks for building it 🚀

We encountered one question though. We understood that the multi-tenancy functionality of Permify is more built into a direction where you could manage multiple different applications authorization schemes (think microservices) in one authorization service which is Permify.

We're building one platform with multiple tenants which share the same permissions. Each tenant controls own entities, but there are also entities that are shared between the tenants. Now, we have the scenario in which the platform provider needs to be able to perform use cases she / he is only allowed to perform (e.g. deleting entities that are shared between the tenants).

entity user {}

entity tenant {}

entity entity_owned_by_tenant {
  relation editor @user
}

entity entity_owned_by_all_tenants {
    relation manager @user
    relation editor @user
    relation viewer @user

    action add_employee = manager
    action delete = ???
}

How would you model such an authorization structure? Any pointer into the right direction is highly appreciated 🙂

[EgeAytin]

Hi @akoenig, thanks for sharing your use case and thanks for kind words. First of all if some entities shared between multiple tenants separating the schemas for all of the tenant and define the shared entities for all of them can be another alternative. Because multi-tenancy in Permify isolates the tenants schemas and authorization rules from other tenants.

About the question, what is "platform provider" exactly and how its relationships with tenants or entities?