Trying to think of a model for a multitenant setup. Think SaaS, which has orgs, and each org has one or more users. Each org owns its data.
What I am having difficulty with is the permissions setup. It seems like there is a very low limit (25) of principals that objects can be shared with. So that means only a max of 25 groups we could share it with?
What are the scalable approaches for multitenancy?
We have a multi-tenant application where we embed QuickSight dashboards. In general, the orgs in our application all have access to the same dashboards but we use row-level security to ensure they can only see their data.
Do you need a different group for each org because they need access to different dashboards?
There are several approaches:
- Separate Account
- Separate Region
- Namespace - Click here
- Shared Folder - Click here
- Group - Click here
- RLS/CLS by User or Tag - Click here
You can create up to 10,000 groups in a namespace. If you want to create more than 10,000 groups in a namespace, contact AWS Support.
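To make the group-per-org RLS pattern from the two replies above concrete, here is an added example (not part of this thread and not AWS code) that generates the QuickSight row-level-security rules dataset as CSV, round-trips it, and audits it for the mistake that matters most in a multitenant setup: a rule with a blank restricting value, which QuickSight treats as "this principal sees every row". The tenant column name `org_id`, the group naming scheme `org-<id>`, the tenant ids and the `support-analyst` user are all constructed for the example; the union semantics in `effective_scope` are my reading of the RLS documentation and are marked as an assumption in the code.

```python
"""Generate and audit a QuickSight row-level-security (RLS) rules dataset.

QuickSight RLS attaches a 'permissions dataset' to the data dataset. Each
row names a principal (UserName and/or GroupName) plus the value(s) of a
restricting column that principal may see. Several values go in one cell
separated by commas; a BLANK cell grants the principal every row.
"""
import csv
import io
from dataclasses import dataclass, field

RESTRICT_COLUMN = "org_id"          # assumed tenant-key column in the data dataset
SAMPLE_ORG_IDS = [101, 102, 103]    # constructed tenant ids


@dataclass
class RlsRule:
    user_name: str = ""
    group_name: str = ""
    values: list = field(default_factory=list)   # allowed org_ids; empty = ALL rows


def rule_for_org(org_id):
    """One rule per tenant: the org's group may see only its own rows."""
    return RlsRule(group_name=f"org-{org_id}", values=[str(org_id)])


def build_sample_rules():
    rules = [rule_for_org(o) for o in SAMPLE_ORG_IDS]
    # constructed: an internal support user deliberately left unrestricted
    rules.append(RlsRule(user_name="support-analyst", values=[]))
    return rules


def rules_to_csv(rules):
    """Serialise rules in the column layout QuickSight expects for RLS."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["UserName", "GroupName", RESTRICT_COLUMN])
    for r in rules:
        w.writerow([r.user_name, r.group_name, ",".join(r.values)])
    return buf.getvalue()


def parse_rules_csv(text):
    """Read a rules file back (e.g. one exported from S3 before upload)."""
    rows = csv.DictReader(io.StringIO(text))
    return [RlsRule(user_name=row["UserName"],
                    group_name=row["GroupName"],
                    values=[v for v in row[RESTRICT_COLUMN].split(",") if v])
            for row in rows]


def audit_rules(rules):
    """Findings a reviewer wants before the permissions dataset goes live."""
    findings = []
    for i, r in enumerate(rules):
        who = r.user_name or r.group_name
        if not who:
            findings.append(f"row {i}: no principal named")
            continue
        if not r.values:
            findings.append(f"row {i}: {who} has blank {RESTRICT_COLUMN}, sees ALL tenants' rows")
        elif len(r.values) > 1:
            findings.append(f"row {i}: {who} spans {len(r.values)} tenants: {r.values}")
    return findings


def effective_scope(rules, user_name, groups=()):
    """Tenant ids a principal can see. ASSUMPTION: rows from all matching
    rules are unioned (my reading of the RLS docs). Returns None when any
    matching rule is blank (unrestricted); an empty set when no rule
    matches, which is the safe default of seeing nothing."""
    scope = set()
    for r in rules:
        matches_user = bool(r.user_name) and r.user_name == user_name
        matches_group = bool(r.group_name) and r.group_name in groups
        if matches_user or matches_group:
            if not r.values:
                return None
            scope.update(r.values)
    return scope


if __name__ == "__main__":
    rules = build_sample_rules()
    print(rules_to_csv(rules))
    for f in audit_rules(rules):
        print("AUDIT:", f)
```

The audit is the piece worth wiring into CI: regenerate the rules file from your tenant table on every change, fail the pipeline on any blank-value row that is not on an explicit allow-list, and only then upload it as the permissions dataset. Since the rules dataset is keyed by group name, the per-asset sharing limit the original poster worries about is not hit here; the dashboard is shared with one group (or a handful of role groups) per namespace while the RLS rows carry the tenant scoping.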
Thank you for your list of documentation references @drpeter!
I think all of these, with the exception of tags, suffer from the same problem that I mentioned earlier:
An asset (e.g. dashboard) can be shared with a maximum of 64 principals (users or groups).
See: AWS::QuickSight::Dashboard - AWS CloudFormation
And using the tagging approach requires a different kind of subscription, which can be cost-prohibitive.
Any idea on how to overcome the principal limits?