i have an app with multiple tenants on GAE.
over the 'master' (which is a tenant on its own) i let people register and create a subapp/tenant where the creator is the owner of the app.
what is the best way to manage the user accounts?
lets say USER_A creates APP_A and USER_B creates APP_B. so there are 2 users and 2 apps where each user is owner to the app it created and does not have access to the other users app. now USER_B wants to give access to the other user on his app.
what is the best way to model this situation.
should i store members in a completely separate namespace and validate the users session by switching constantly between namespaces?
i think the best place to keep what permissions a specific user has on an app is on the actual app tenant rather than the USER object.
any tips or best practices?
thank you
If 'user identity' can span tenants (your apps), then keep user entities in a common namespace (the default namespace works fine for that, and that's the default when a request begins). Anything specific to a tenant (e.g., what authorization a user identity has for a specific tenant) can be stored where it is most convenient. I find that putting it in the tenant's namespace simplifies queries that would otherwise have to specify that or filter it out.