Multi-tenant authorizers

This article explains the concept of multi-tenant authorizers, the use cases they serve, and how they work.

Multi-tenant authorizers in a nutshell

A multi-tenant authorizer is an authorizer created in the system tenant that can be used to protect multi-tenant APIs. You can create multiple such authorizers, each using a different type of API gateway.

System diagram

[mermaid-begin]
flowchart LR
  id1["Tenants (policies, policy-to-system-api bindings)"]
  id2["System tenant (services, APIs)"]
  id3[System tenant authorizer]
  id4[Authorizer's Gateway]
  id5[Proxy]
  id6[Workload]
  subgraph ACP
    id1
    id2
  end
  subgraph API
    id5
    id6
  end
  id2 <-- "- Service & API discovery - Policies synchronization" --> id3
  id4 -- API request --> id5
  id5 -. Authorization request .-> id3
  id3 -- API discovery --> id6
  id5 -- Authorized API request --> id6

Multi-tenant authorizers in depth

The solution for multi-tenant authorizers consists of the following steps:

  1. An authorizer is created in the system tenant.

  2. The authorizer is deployed.

  3. The services and APIs are synchronized only to the system tenant.

After the services and APIs are synchronized to the system tenant, the administrators of the client application tenant can create authorization policies and bind them to the system APIs. System services and APIs are read-only, so it is not possible for those administrators to change the services and APIs.

When an authorizer performs API enforcement, it fetches the configuration for the specific tenant from ACP: the available services, APIs, and their policies. In other words, there are two types of policies: those configured at the system tenant level, and those configured for a particular tenant.
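The following is an added example, not ACP's own code or data model, that models the flow described above: services and APIs live only in the system tenant and are read-only for tenant administrators, tenant administrators bind their own policies to those system APIs, and the authorizer fetches the configuration for the caller's tenant before deciding. The class and field names, the scope-based policy shape, the way the tenant is identified (assumed to come from the request context), and the precedence rule (a tenant binding overrides the system-tenant default for the same API) are all assumptions made for illustration.

```python
"""Hypothetical model of multi-tenant enforcement (not ACP's implementation)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple

SYSTEM_TENANT = "system"


@dataclass(frozen=True)
class SystemAPI:
    service: str
    method: str
    path: str


@dataclass(frozen=True)
class Policy:
    name: str
    required_scopes: FrozenSet[str]  # caller must present at least one of these


class ControlPlane:
    """Stand-in for ACP: holds system APIs, system-level policies and tenant bindings."""

    def __init__(self) -> None:
        self.system_apis: Set[SystemAPI] = set()
        self.system_policies: Dict[SystemAPI, Policy] = {}
        self.tenant_bindings: Dict[str, Dict[SystemAPI, Policy]] = {}

    def sync_api(self, api: SystemAPI, default: Optional[Policy] = None) -> None:
        # Discovery writes services/APIs only into the system tenant.
        self.system_apis.add(api)
        if default is not None:
            self.system_policies[api] = default

    def bind_policy(self, tenant_id: str, api: SystemAPI, policy: Policy) -> None:
        # Tenant admins may bind a policy to a system API but may not create or edit APIs.
        if tenant_id == SYSTEM_TENANT:
            raise PermissionError("system-tenant policies are not set through tenant bindings")
        if api not in self.system_apis:
            raise LookupError(f"{api} is not a system API; tenants cannot define APIs")
        self.tenant_bindings.setdefault(tenant_id, {})[api] = policy

    def config_for(self, tenant_id: str) -> Tuple[Set[SystemAPI], Dict[SystemAPI, Policy]]:
        # What the authorizer fetches for one tenant: the system APIs plus the
        # effective policy map. Assumption: a tenant binding overrides the system default.
        effective = dict(self.system_policies)
        effective.update(self.tenant_bindings.get(tenant_id, {}))
        return set(self.system_apis), effective


class Authorizer:
    """System-tenant authorizer answering the proxy's authorization requests."""

    def __init__(self, cp: ControlPlane) -> None:
        self.cp = cp

    def authorize(self, tenant_id: str, method: str, path: str,
                  scopes: Iterable[str]) -> Tuple[bool, str]:
        apis, policies = self.cp.config_for(tenant_id)  # per-tenant configuration
        api = next((a for a in apis if a.method == method and a.path == path), None)
        if api is None:
            return False, "unknown API"
        policy = policies.get(api)
        if policy is None:
            return False, "no policy bound"  # deny by default, never allow silently
        if set(scopes) & policy.required_scopes:
            return True, policy.name
        return False, f"denied by {policy.name}"


def demo() -> Dict[str, Tuple[bool, str]]:
    # Constructed sample data: one system service with two APIs and two tenants.
    cp = ControlPlane()
    accounts = SystemAPI("bank", "GET", "/accounts")
    transfers = SystemAPI("bank", "POST", "/transfers")
    cp.sync_api(accounts, default=Policy("system-read", frozenset({"accounts:read"})))
    cp.sync_api(transfers)  # no system-level default for this API
    cp.bind_policy("tenant-a", transfers, Policy("a-transfers", frozenset({"payments:write"})))
    az = Authorizer(cp)
    return {
        "a_transfer": az.authorize("tenant-a", "POST", "/transfers", {"payments:write"}),
        "b_transfer": az.authorize("tenant-b", "POST", "/transfers", {"payments:write"}),
        "b_accounts": az.authorize("tenant-b", "GET", "/accounts", {"accounts:read"}),
        "b_unknown": az.authorize("tenant-b", "DELETE", "/accounts", {"accounts:read"}),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(case, decision)
```

The point of the model is the separation of duties the article describes: `sync_api` is the only path that creates APIs and it touches the system tenant only, while `bind_policy` lets a tenant attach policies to existing system APIs and refuses anything else. Note that an API with neither a system default nor a tenant binding is denied rather than passed through; whichever precedence rule a real deployment uses, the deny-by-default branch is the one worth keeping.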