Multi-tenant role-based access control with Aserto

Role-Based Access Control (RBAC) describes the practice of aggregating discrete application permissions into a small set of roles, and assigning those roles to users or groups. Multi-tenant SaaS applications must ensure that these roles are scoped to a particular tenant, or set of tenants.

Aserto provides out-of-the-box support for this scenario. Users or groups can be assigned roles scoped to a single tenant, a set of tenants, or across all tenants. If you support a resource hierarchy under the tenant structure (teams, projects, lists, or folders) you can easily extend your authorization model to cover fine-grained access.

Multi-tenant RBAC

Quickly create real-time role-based access management for your multi-tenant SaaS application.

Scalable RBAC for multitenant SaaS applications

Create permissions within, and across each tenant. Grant access based on custom roles and group information.

Authorize using local user and resource data, within milliseconds and at 100% availability.

Base your policies on your unique domain model to enforce multi-tenant role-based access control that is tailored to your business.

Allow your customers to add custom roles that map to your permissions.

Create policies that control access and influence frontend behavior, like hiding sections or fields.

Use dynamic user attributes and enviormental attributes in your policies

Attribute-Based Access Control (ABAC) refers to the practice of making authorization decisions based on fine-grained attributes. With ABAC you can develop very specific, fine-grained rules that protect your organizational resources.

ABAC policies can be used to make authorization decisions that include user attributes such as department or office, resource attributes such as location, or environmental attributes such as day/time.

Fine-grained access based on user, resource & environmental attributes

ABAC

Attribute-based access control

Grant access based on dynamic attributes.

Fine-grained ABAC for cloud applications

Evolve your policy from RBAC to attribute-based access control to authorize based on user-centric attributes, resource attributes, and environmental attributes.

Attributes about users and resources are synced to the policy decision point in your cloud automatically and in real-time to eliminate the risk of access based on stale data. Enforce policy in milliseconds against the most up-to-date data. 

Influence both frontend behavior and backend logic based on where a user is logged in from, what region the application is running, or the day/time that an operation is invoked.

Centrally manage policies and decision logs to simplify governance and compliance.

Built upon an open, cloud-native foundation, which includes Open Policy Agent (OPA), 

 authorizer, Policy CLI, and many of the ideas in the Google Zanzibar system.

Map your resource graph to Aserto Directory to authorize based on users, resources, and relationships 

Relationship-Based Access Control (ReBAC) is a new take on the Access Control List (ACL) paradigm of cascading access to each resource in a hierarchy, such as directories and files. ReBAC generalizes this model into a relationship graph between subjects and objects via relations. ReBAC models can be traversed as a graph to determine whether a user or group has a certain permission on a resource.

Aserto’s Directory is built around the ReBAC model, and makes it easy to define a custom resource hierarchy that matches your domain model: organizations, teams, projects, lists, folders, and so on. You also define the set of relations - owner, admin, member, viewer - that relate these objects to subjects (users and groups). Aserto makes it easy to implement relationship based access control policies based on your application's unique domain model.

Fine-grained access based on resource relationships

ReBAC

Relationship-based access control

Define and enforce roles and permissions based on relationships between your users and groups and your application's resource hierarchy

Fine-grained relationship-based access control

Define and enforce access control policies based on the relationships subjects have to resources in your system, as well as role and group information.

Control access to every level of your resource hierarchy

Use the best of both worlds, and combine relationship-based rules with user or resource attributes in a single policy.

Combine ReBAC and ABAC rules in a single authorization p

Resources and their relationships are synced to the policy decision point in your cloud automatically and in real-time to eliminate the risk of access based on stale data.

Enforce in milliseconds based on real-time data

Influence frontend behavior as well as backend logic based on the relationship the end user has with the resource in question.

Decouple policy from application code, allowing both security and engineering to move faster. Manage all of your policies and decision logs centrally to simplify governance and compliance.

Aserto is built upon an open, cloud-native foundation, which includes Open Policy Agent (OPA), 

authorizer, Policy CLI, and many of the ideas in the Google Zanzibar system.

Leverage the best of the open cloud native ecosystem

Secure access to your microservices with Aserto

Over the past decade, it has become best practice to break down monoliths into smaller microservices, in order to increase agility, reduce surface area in each component, improve scalability, and enhance reuse.  Each microservice typically runs in its own container or pod, coupled to its own data model, and largely operates independently of the other microservices in the application. 

However, when each microservice is responsible for its own authorization, it becomes difficult to add or change permissions since every service has to adapt to the change. This reduces the agility benefits that the microservices architecture provides in the first place. Aserto enables developers to lift access control logic out of each microservice and manage it centrally, providing a consistent authorization layer across all your microservices.

Real-time authorization for microservices, with centrally managed policies

Microservices

Microservice authorization

Deliver real-time access control for each microservice with a centrally managed authorization system.

Secure access for microservices and APIs

Deliver real-time access control. Locally cached user and resource data in the Aserto sidecar enables access control decisions within milliseconds and at 100% availability.

Every microservice makes decisions in real-time

Every domain model is different; model yours in the Aserto Directory. Permissions are based on a graph of your users, attributes, resources, and relationships between them.

Decouple policy development and feature development. Store, version, build, test, and deploy authorization policy separate from your application code.

Manage policy versions, updates, and rollbacks from a central control plane, across every authorizer instance.

Leverage an open-source tool chain and OPA-based authorizer

Enforce policy in milliseconds against the most up-to-date data 

Control what users can see and do in the context of the application

Evolve your policy beyond simple roles with Aserto

Scalable RBAC for multitenant SaaS applications

Multi-tenant role-based access control

Go beyond simple roles

Enforce in real-time

Model your resource hierarchy

Control more than access

When RBAC isn't enough

Speak to us about your authorization challenges