
Permission management within microservices #786


0
Thiqah.Abp created

Hi,

If we have many microservices (or systems) and one centralized Identity server. As I understand, the permission management module is independent from the identity. The question here is: What is the recommended implementation, and what are the pros and cons of each one:

  1. Make the permissions centralized in the identity server? Or:
  2. Add the permission module to each system?
  3. Or is there a better solution?

In option 1, the Identity server has users, roles and clients but not the permission list. In option 2, each client has its own permission list but not users, roles and clients! So, how to manage permissions (UI) in each case?

Thanks,
Fadi


2 Answer(s)
  • 1
    murat.yuceer created

    I have a similar scenario. I have 3 main products (they are like isolated microservice groups).

    I want to separate the permissions module for each product (separated database). Also, I want to separate groups for each product, because every product admin could be different.

    But I want a centralized Identity server, and identity is actually just users. I have some doubts.

    When a user logs in, how does it collect permissions from the separated databases?

    To solve the mess, I created some scenarios in my mind.

    1. scenario: Every product will have its own identity module.

    But now I have new challenges. I will create a 4th, common identity module and collect all product identity module data here for sync (throw and catch events from the products' identity). The Identity server sign manager will check the 4th, common identity when a user logs in, and for assigning permissions and groups. If any product does some modification on a user, group or permission, I have to sync it with the 4th, main identity module. But every product will just see its own groups, permissions and users.

    1. scenario: Every product will have its own identity module and its own identity server module*, like separated projects. I will create a 4th identity module and identity server (let's assume the name is X Account (a common account for all products)); it will act like LDAP. Every product will have the option => sign in with X Account (like Facebook). Now every product user has the option to log in with a local account or X Account. X Account provides single sign-on for every product but has some challenges. Also, the X Account identity maybe could have groups to determine which user can access which product.

    But each scenario has some challenges. I don't know, maybe there are more effective, logical ways. What is the best practice? I need advice on that.

    Can ABP Commercial create an example for this real-life scenario?

  • 0
    vijay.nallala created

    Please refer to the same issue - https://github.com/abpframework/abp/issues/12320
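
A sketch of option 2 from the question, as an added example that is not from the thread or from ABP's code: the central identity server issues a token carrying only the user and role names, and each service resolves permissions from its own grant store at request time, so nothing has to be collected from the separate databases at login. The service names, permission names, the `U`/`R` provider labels and the HMAC-signed token (a stand-in for the identity server's real signed token) are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# Constructed demo key; a real identity server signs with an asymmetric key.
IDENTITY_KEY = b"demo-only-signing-key"

def issue_token(sub, roles):
    """Central identity server: the token carries identity and roles only."""
    body = base64.urlsafe_b64encode(json.dumps({"sub": sub, "roles": roles}).encode())
    sig = hmac.new(IDENTITY_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + sig

def verify_token(token):
    """Any service: check the signature before trusting the claims."""
    body, _, sig = token.rpartition(b".")
    expected = hmac.new(IDENTITY_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad token signature")
    return json.loads(base64.urlsafe_b64decode(body))

class Service:
    """One product with its own grant store of (permission, provider, key)."""
    def __init__(self, name, grants):
        self.name = name
        self.grants = set(grants)

    def is_granted(self, token, permission):
        claims = verify_token(token)
        # "U" = granted directly to the user, "R" = granted to a role.
        holders = [("U", claims["sub"])] + [("R", r) for r in claims["roles"]]
        return any((permission, p, k) in self.grants for p, k in holders)

# Constructed sample data: the same role name means different things per product.
ordering = Service("Ordering", {("Orders.Delete", "R", "manager"),
                                ("Orders.View", "U", "alice")})
billing = Service("Billing", {("Invoices.View", "R", "manager")})
```

Because each grant store is local, a product admin can change what `manager` means in one product without touching the identity server or the other products.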

Made with ❤️ on ABP v9.1.0-preview. Updated on December 10, 2024, 06:38