Sub applications functionality for multi-tenant environments and rights profiles

Working together with Rights profiles, sub applications allow for separating data access in a multi-tenant environment.

To use it, you need to install M5737 and potentially additional components like M9531.

Sub applications can be used for two cases, which are related:

  1. To be able to select the current Sub Application through a shortcut in the top bar of the application, and to switch between Sub Applications easily.
  2. To be able to use the Sub Application in rights profiles.

Multi-tenant environments

A multi-tenant environment means that more than one legal entity is sharing one application. With Novulo applications, this is typically used in applications where different businesses in a cooperative business form or franchise set-up share their IT infrastructure and services, and thereby their Novulo application.

In these cases it is relevant to separate data access on some data tables (e.g. finance), but share data in other tables (e.g. products).

Novulo Rights profiles allow for creating profiles to define functional access. With sub applications, you are able to distinguish access based on the entity that data belongs to.

Novulo Sub Applications are the core mechanism for dividing data access (read and/or write) depending on the organization or department that is the data owner.

Within one entity with departments

The set-up of sub applications can be used to specify access among entities (organizations). However, it can also be used to provide distinct access depending on the Department, within the organization.

Purpose of sub applications

The purpose of the sub applications is to provide a comprehensive, high-performance set-up that allows you to effectively apply Database Rights to restrict read and/or write access to specific records, based on the tenant.

Examples of multi-tenant scenarios

Typical basic examples of multi-tenant scenarios include:

  1. Users may only see Invoices that are sent from their Organization
  2. Users may see all Sales, but only edit Sales that are made from their Organization

More complex scenarios include:

  1. Users may see all Sales from their organization, but only edit Sales that are made from their Department
  2. Users may see Invoices sent from two Organizations for which they are responsible

Technically speaking, these scenarios can be achieved using Database rights alone. However, that requires relatively complicated configuration, which also carries a performance penalty.

The sub application component and plug-in contain a series of non-functional aspects to improve performance and simplify configuration.

Using sub applications in database rights

As soon as a record type is made available for Sub Applications, it can be used in Database model rights.

The Sub application that is the data owner of a record is stored in a specific column: _subapp.

When the application has M5737 installed, and it finds a Record type with a _subapp column, this unlocks functionality with the conditional database rights.
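The four scenarios listed above can be modelled as owner-scoped read and write checks on the _subapp column. This is an added illustration, not Novulo code or configuration: the scope names, the sub application tree, the profile layout and the sample records are all assumptions made for the example; only the _subapp column comes from this page.

```python
# Illustrative model only; names and scopes are assumptions, not Novulo's API.
# Constructed sub application tree: departments point at their organization.
PARENT = {"org-a": None, "org-b": None, "org-c": None,
          "org-a/sales": "org-a", "org-a/support": "org-a"}

def organization_of(subapp):
    """Walk up the tree to the organization that owns a sub application."""
    while PARENT.get(subapp) is not None:
        subapp = PARENT[subapp]
    return subapp

def allowed(user_subapps, profile, action, record_type, record):
    """Decide one action on one record; anything not granted is denied."""
    scope = profile.get((record_type, action))
    if scope is None:
        return False                     # no rule for this type/action
    if scope == "any":
        return True                      # shared data, e.g. products
    owner = record.get("_subapp")
    if owner not in PARENT:
        return False                     # missing or unknown owner fails closed
    if scope == "subapp":
        return owner in user_subapps     # exact department/organization match
    if scope == "organization":
        user_orgs = {organization_of(s) for s in user_subapps}
        return organization_of(owner) in user_orgs
    return False                         # unrecognised scope

def visible(user_subapps, profile, record_type, records):
    """Ids of the records the user may read."""
    return [r["id"] for r in records
            if allowed(user_subapps, profile, "read", record_type, r)]

# Constructed sample records; invoice 13 has no owner set.
SALES = [{"id": 1, "_subapp": "org-a/sales"},
         {"id": 2, "_subapp": "org-a/support"},
         {"id": 3, "_subapp": "org-b"}]
INVOICES = [{"id": 10, "_subapp": "org-a"}, {"id": 11, "_subapp": "org-b"},
            {"id": 12, "_subapp": "org-c"}, {"id": 13}]

# Basic scenarios: own-organization invoices; see all sales, edit own organization's.
BASIC = {("invoice", "read"): "organization",
         ("sale", "read"): "any", ("sale", "write"): "organization"}
# Complex scenario: see the organization's sales, edit only the department's.
DEPARTMENT = {("sale", "read"): "organization", ("sale", "write"): "subapp"}
```

A user assigned to two organizations, as in the last scenario, is simply given both in `user_subapps`; a record without an owner is never returned by an owner-scoped rule.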
