ToDo
- Jim Wilson to document what tests may be impacted by this project and report to Accedia
- Jim Wilson to update this requirements document based on discussions in the 2022-11-22 status meeting.
Team
OAGi
Primary contact: Jim Wilson, Jim.Wilson@OAGi.org, +1 816-516-8847
Secondary contact: Michael Figura, MFigura@OAGi.org, +1 404-395-8267
NIST
Score project manager: Serm Kulvatunyou, Serm@NIST.gov
Score lead dev: Oh, Hakju (IntlCtr), Hakju.Oh@NIST.gov
Accedia
Account manager and PM: Aleksandar Todorov (Deactivated), aleksandar.todorov@accedia.com
Primary dev: Stefani Paunova (Deactivated), stefani.paunova@accedia.com
Tech consultant: Georgi Yolovski (Deactivated), georgi.yolovski@accedia.com
Resources (access todo)
Resource name | URL | Notes | |||
|---|---|---|---|---|---|
This wiki page and child pages |
|
|
| ||
GitHub: Score code |
|
| |||
GitHub: Score documentation |
|
|
| ||
GitHub: Score test cases |
|
| |||
Slack |
|
|
|
| |
Auth0 admin | Georgi Yolovski (Deactivated) to configure | N/A |
| ||
Code contribution guidelines |
|
| |||
Issue management notes (GitHub issues) |
|
| |||
Issue management content | |||||
Test development and execution |
| ||||
Docker Hub |
| N/A |
|
Terminology notes
It is debatable whether
multi-tenantis appropriate to describe this feature, but the name has stuck, so we’re using it.roleis a critical feature of authorization in this requirements document. In this requirements document, we will use role-related terms as follows:Score role: One of the built-in Score roles (Admin + Developer, Admin + End User, Developer, and End User)Auth0 role: A role defined in Auth0 (this is not relevant for Phase 1 design)tenant: An Auth0 role defined for the purposes of enabling the requirements expressed in the document.role: The meaning could be any of the above depending on the context in which it is used. Jim Wilson recommends avoiding use ofrolein favor of one of the three terms above.
access BIEsrefers to creating, editing, viewing, and expressing BIEs (anything with BIEs)BC: an abbreviation for Business ContextDev/Admin: a user in the Admin+Developer Score roleuser's tenancy: refers to association of a user to tenants, or more specifically, the association of a user to a valid value specified for the Tenant context schemeTenant context scheme: The context scheme specified in Score with the nameTenant
Background
OAGi needs:
to enable multiple sets of users to use one Score instance
to be able to limit access to BIEs created by one set of users to members of that set, and other select sets as appropriate
Key points informing the design
Accedia note
While all of these things are true, there is nothing for Accedia to do in response. It is up to OAGi to ensure that the design supports these points. That said, it may be helpful for Accedia to understand our intent (some points) and things that are true about Score’s functionality today (the other points).
Keep the implementation simple until such time that simple won’t work.
The following BIE-development roles/purposes must be supported
OAGi develops BIEs for the public (e.g., SME Express Pack)
OAGi develops BIEs for members only (none yet)
Companies develop BIEs for their company only
Companies develop BIEs for their industry (e.g., MilliporeSigma for the Biopharma industry)
Industry associations or consortiums develop BIEs for their industry (e.g., AgGateway)
Except for 2.c., there is little/no risk for a company’s confidential information to be publicly disclosed.
In the case of 2.c. for company whose BIE design or documentation is highly sensitive, OAGi will advise them to use an on-prem instance.
Each BIE is associated with one or more business contexts.
Each user must be in one of the Score roles.
Phase 1 Design
Multi-tenant Score design
Phase 1 of Multi-tenant Score will use the current built-in capability for authentication, and for authorization of Score roles. Accedia will develop further authorization functionality based on a user’s tenancy.
Score 2.5 and later will be released with:
A context category named
TenantA context scheme named
Tenant(based on the context categoryTenant)
No user (not even Dev/Admin) may delete or rename the
Tenantcontext scheme (Accedia will need to implement restrictions.)No user (not even Dev/Admin) may delete or rename the
Tenantcontext category. (Accedia will need to implement restrictions.)Only Dev/Admin may manage values in the
Tenantcategory scheme. (Accedia will need to implement restrictions.)Dev/Admin may manage all business contexts, whether or not the user is associated with any tenant. (This is supported today, but Accedia will need to ensure that other restrictions it implements do not inadvertently restrict this.)
Only Dev/Admin may add or delete a
Tenantcontext scheme value to a BC that has BIEs associated with it. (Accedia will need to implement restrictions.)Why? This should prevent two undesirable situations:
a user assigning a
Tenantcontext scheme value to a BC that does not have one assigned, thereby restricting access to that BIEa user assigning another
Tenantcontext scheme value to a BC that already has aTenantcontext scheme value associated with it, thus potentially unintentionally enabling access to many users
When creating a BC, users may only use
Tenantcontext scheme values matching the user's tenancy. (Accedia will need to implement restrictions.)Only a user with the appropriate tenancy may manage a business context containing a
Tenantcontext scheme value. (Accedia will need to implement restrictions.)Users may be associated with zero or more tenants where the possible tenants are those specified as valid values for the
Tenantcontext scheme. (Accedia will need to develop new functionality, including database changes/additions that store data about the associations.)A user may only access BIEs:
associated with at least one business contexts that has as least one
Tenantcontext scheme value matching the user’s tenancy.associated with business contexts that do not include a
Tenantcontext scheme value.
Another way to think about #11 is that if any context associated with a BIE has a Tenant context scheme value, then access to that BIE is determined by the user’s tenancy (except for Dev/Admin). Otherwise anyone can access the BIE.
Logical process for determining whether a BIE is accessible
Is the user Dev/Admin?
Yes → The BIE is accessible
No → Is the BIE associated with a business context containing a
Tenantcontext scheme value?No → The BIE is accessible
Yes → Is the BIE associated with a business context containing a
Tenantcontext scheme value associated with the user’s tenancy?Yes → The BIE is accessible
No → The BIE is not accessible
Concrete example
Score roles
While these are used in the example, they are the built-in roles.
Admin + Developer
Admin + End User
Developer
End User
Tenants
AgGateway
ACME Brick
HR Open Standards
Business contexts
Human Resources, which includes a
Tenantcontext scheme value =HR Open StandardsAgriculture, which includes a
Tenantcontext scheme value =AgGatewayConstruction, which includes a
Tenantcontext scheme value =ACME BrickEntertainment, which does not include any
Tenantcontext scheme value
Users
Bob
Mary
Amy
Roy
Matt
Tess
Ross
BIEs - Business Contexts
Business Context→ BIE↓ | Human Resources | Agriculture | Construction | Entertainment | Notes |
|---|---|---|---|---|---|
ProcessPurchaseOrder (instance #1) |
| ||||
ProcessPurchaseOrder (instance #2) |
| ||||
NotifyShipment (instance #1) |
|
| |||
NotifyWIPStatus (instance #1) |
| ||||
NotifyWIPStatus (instance #2) |
|
Users - Roles
Tenant/Score role→ User↓ | HR Open Standards | ACME Brick | AgGateway | End User | Developer | Admin+Developer | Notes |
|---|---|---|---|---|---|---|---|
Bob |
| ||||||
Mary |
|
| |||||
Amy |
| ||||||
Roy |
|
| |||||
Matt |
| ||||||
Tess |
| ||||||
Ross |
|
|
|
Business Contexts - Roles
Tenant/Score role→ Business Context↓ | HR Open Standards | ACME Brick | AgGateway | End User | Developer | Admin+Developer | Notes |
|---|---|---|---|---|---|---|---|
Human Resources |
| ||||||
Agriculture |
| ||||||
Construction |
| ||||||
Entertainment |
BIE Visibility to Users
This table would be computed based on the values in the tables above.
User→ BIE↓ | Bob | Mary | Amy | Roy | Matt | Tess | Ross | Notes |
|---|---|---|---|---|---|---|---|---|
ProcessPurchaseOrder (instance #1) |
|
|
| |||||
ProcessPurchaseOrder (instance #2) |
|
|
| |||||
NotifyShipment (instance #1) |
|
|
|
| ||||
NotifyWIPStatus (instance #1) |
|
|
| |||||
NotifyWIPStatus (instance #2) |
|
|
|
Mary can access all BIEs because she is a Dev/Admin. Dev/Admins can access everything.
Matt can only access:
BIEs in a business context that include the
Tenantcontext scheme valueACME Brick, which is theConstructionbusiness context.BIEs in a business context that does not include any
Tenantcontext scheme value
Tess can only access BIEs in a business context associated with the AgGateway tenant.
BIEs in a business context that include the
Tenantcontext scheme valueAgGateway, which is theAgriculturebusiness context.BIEs in a business context that does not include any
Tenantcontext scheme value
Ross can only access BIEs
BIEs in a business context that include the
Tenantcontext scheme valueACME Brick, which is theConstructionbusiness context.BIEs in a business context that include the
Tenantcontext scheme valueAgGateway, which is theAgriculturebusiness context.BIEs in a business context that does not include any
Tenantcontext scheme value.
Implementation
Accedia manages this section.
Update database structure
We plan to start the multi-tenancy implementation with the following DB changes:
Replace the organization column in the app_user table with a foreign key to a new table, called organization, that will be used for the tenants
Create a mapping table between organizations and business contexts (many-to-many) that will keep track of each tenant’s access to BIEs in a certain business context
Phase 2 Design (in progress)
Identity Provider
OAGi has an Auth0 account and has been using it for #E authentication and authorization. Following are a couple of screen captures that illustrate how it can be configured to support Score multi-tenant.
