CMDBuild Multi tenancy

david.rodriguez · April 1, 2014, 9:16pm

Hi all,

I am trying to evaluate CMDBuild for a scenario that we have, and during this process, we have the need for a multi tenancy solution.

E.g every "customer" needs to have their own data...since each customer maintains their own CMDB data.

I have looked through the docs, and demos and done some research with google, to see if anyone else here has had a similar issue.

In our Scenario however the core setup and config is all the same for all, and should be controlled from one instance (or from a superadmin)

Some requirements of this is:
- Customer should not be able to access data for another entity

- Customer will need admin access so they can work with classes, cards, and db scripts

- Customer will connect to third party apps (Zabbix, or similar) that will update only their data
- Customer will use LDAP for access
- Customer will have x Users that will work in CMDBuild
- Customer will need to feel that this is "their" application

In a typical multi tenancy environment there is ONE application instance, and "tenants" or customers/entities can be configured by a superadmin.. either with a separate db for each, or true data separation (harder to enforce).

In our scenario, the different Customers (entities) also interact with each other, and thus might cause dependencies between CI objects, between the different data stacks.

So.. my question.. :)

Do we have to have a SEPARATE Application instance for each Entity in order to configure are separate DB for each ?
or is there a simpler way to do so..
(Scenario has today 20+ Entities.. though small in size)

REASONING

We are also thinking of implementing Alfresco in the scenario.

And in the CMDBuild settings, there is only a general setting for the application to connect to one specific Alfresco Site (dedicated to CMDB), and there does not look to be any option for multi tenancy.

Anyone who has ideas? or have done a customization for this that works?

Many thanks for any feedback

/David

tecnoteca · April 5, 2014, 4:09pm

Since version 2.1 we introduced in CMDBuild the ability to define permissions on groups of rows in a class, by defining filters on the attributes of the class.
If you add in all the classes an attribute "Tenant", this can partially solve your first requirement.

But, since the user 'admin' has all permissions on all the data, the second requirement is not manageable at this time in CMDBuild.
So the only solution is to create different CMDBuild instances for each customer.
Instead, you can use a single Tomcat instance and a single Postgres instance.
Regarding Alfresco, CMDBuild not allow you to navigate on its own data but only to associate documents to a data card, so it could also be used as a single instance.
CMDBuild Team

david.hubbard · April 26, 2014, 11:59am

David,

Just an idea for your investigation...

Postgres Plus Advanced (from EnterpriseDB) [not free] includes the "Oracle-like" Virtual Private Database feature, which *may* suit your requirement.

http://www.enterprisedb.com/docs/en/9.1/oracompat/Postgres_Plus_Advanced_Server_Oracle_Compatibility_Guide-106.htm

The documentation indicates that policies can only be applied to Tables and not Views (or Synonyms) - and I note that CMDBuild uses Views (defined in 06_system_views_base.sql and 09_system_views_extras.sql) but I have not looked at Alfresco no real experience with Postgres at this level to know if these would be covered - they appear to simply be performing selects on tables which would be covered.

Regards

David

david.rodriguez · May 3, 2014, 7:47am

Thanks all for your answers..

it does not help me thought in my issue..

so..

my conclusion on this is to solve it like this:

- I will create a "master instance" of CMDBuild, e.g superTenant/superAdmin

- I will in the same application server, spawn this instance once for every tenant I want to use (e.g customer) to give the CMDBuild functions to

- Each will have its own DB in the same Postgres db server.

- This allows best control, since each customer can access the application with "admin" permissions.. and even access "their" database to do anything they need to do.

- I will setup some sync schema´s to sync some basic classes between the superTenant DB and the customer´s DB.

In alfresco, I found that I can use multi tenancy, and separate the repositories, so that I can configure each CMDBuild instance to access ONE specific Alfresco site.. and since in my scenario above, I can specify the actual alfresco site for each CMDB config, I can force it to use different repositories and thus separating the data completely within Alfresco.

This works well also with GEOServer integration, as the CMDBuild is connecting to the GEOServer based on workspace, and that can then be separated from eachother.

However.. now the issue is that I want to use Alfresco 4.x... since it has some major changes from the last 3.x, but.. it looks like CMDBuild has not updated the DMS code to support the 4.x..

I found some old posts from 2012 where the CMDBuild team stated that this would be fixed in the next release.. and, I guess it has not been prioritized, as there has been several releases since then, and this has still not been resolved.

Anyone has a clue as to how to solve it for now ?
I will either need to demote Alfresco to support CMDBuild, or try to update the CMDBuild´s DMS code..
But, since there is no clear indication on when this issue will be resolved.. I need to prioritize this based on the same information.

Lastly...

I would like to come into contact with anyone who are using CMDBuild in cloud environment for their customers, specifically for larger/distributed solutions, for some knowledge sharing.

has anyone packaged the CMDB as a SaaS ?

Thanks