Segmenting Users with Realms

Realms are containers that hold Users, Orgs, and related data. Each realm’s data is completely separate from any other realm.

Many apps will only have 1 or 2 realms. At the same time, certain types of multi-tenant apps may have dozens or even thousands. Let’s explore some different scenarios.

In the most basic setup, an app will have 1 realm. That single realm will contain all users for the entire app. This is by far the most common setup.

One potential variation on this basic setup is 2 realms. The first realm holds all normal users for the app. The second realm holds administrative users who should have access to manage some kind of backend portal.

This works best when the backend/management portal is distinct from the main app (either as a separate app, or just a separate section of the main app). If administrative users also use the main part of the app, perhaps with elevated access, then a better approach is usually to use a single realm and use the permissions field on Memberships.

Multi-tenant apps

Multi-tenant apps vary widely in their authentication needs. Many multi-tenant apps fit the 1 or 2 realm setups already discussed.

However, some apps need to provide separate authentication credentials for each tenant’s own users. In this case, it is usually appropriate to use a separate realm for each tenant. This provides several advantages:

  • Users for each tenant are isolated, so they are easy to keep separate and maintain
  • When a tenant cancels, it’s easy to delete all Users belonging to that tenant
  • The same end user can use services from multiple tenants and properly have separate accounts for each. The end user doesn’t even have to know that each tenant is using the same upstream service provider. (This often makes it easier for your app to be white-labeled.)
  • Makes it easier to prevent permissions or access leakage between tenants and their users

In addition to one realm for each tenant, it may also be appropriate to have 1 or 2 additional realms, for the tenants themselves and/or administrative users, as in the more basic setups described above.
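Realm-per-tenant isolation only holds if the app also checks that a logged-in session belongs to the realm of the tenant being requested. The sketch below is an added example, not AuthRocket code or API: the realm IDs, hostnames, the /admin path rule and the Session fields are all hypothetical, and the session is assumed to have been verified already.

```python
# Added example: every name here is hypothetical, not AuthRocket's API.
from dataclasses import dataclass

# Constructed sample mapping: each tenant hostname is bound to exactly one realm.
TENANT_REALMS = {
    "acme.example.test": "rl_acme",
    "globex.example.test": "rl_globex",
}
ADMIN_REALM = "rl_admin"  # separate realm for backend-portal users


@dataclass(frozen=True)
class Session:
    """A login session whose token was already verified upstream (assumption)."""
    user_id: str
    realm_id: str


class RealmMismatch(Exception):
    """Raised when a session is presented outside the realm it was issued in."""


def expected_realm(host: str, path: str) -> str:
    """Resolve the one realm a request is allowed to be authenticated against."""
    if path == "/admin" or path.startswith("/admin/"):
        return ADMIN_REALM
    # Normalise the Host header: drop the port, case and any trailing dot.
    name = host.split(":", 1)[0].lower().rstrip(".")
    if name not in TENANT_REALMS:
        # Fail closed: an unmapped host never falls back to a default realm.
        raise RealmMismatch(f"unknown tenant host: {name!r}")
    return TENANT_REALMS[name]


def authorize(session: Session, host: str, path: str) -> str:
    """Return the user id only if the session's realm matches the request's realm."""
    want = expected_realm(host, path)
    if session.realm_id != want:
        raise RealmMismatch(f"session realm {session.realm_id!r} is not {want!r}")
    return session.user_id
```

Run the check on every request, before any tenant data is loaded, so a valid session from one tenant is rejected when replayed against another tenant's hostname or against the admin portal.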

Multiple, separate apps

Multiple realms are also useful if you have multiple, separate apps that all use AuthRocket. Instead of needing to set up separate AuthRocket accounts, you can use a single account with multiple realms. Of course, if you prefer to set up separate AuthRocket accounts, you’re welcome to do so.
