I’m assuming you mean multi-tenant
No, I’m talking multi-account which is not the same as multi-tenant.
Take for example AWS or DO (or any of the many SaaS platforms).
It’s very common that you can have 1 user that can have access to multiple accounts and different privileges per account.
How would you pass the bigSite down to RBAC to the permission code?
What if you need to check permissions for more than 1 user? Realm was set for first user, not set for next user so previous realm assumed. Sounds like a lot of error-prone cases. And considering it’s around permissions, they’re pretty critical. Imagine giving access to proprietary content to the wrong user.
Having a unique identifier that represents the combination of user-account is foolproof. Serialising-deserialising (string<->object) an identifier is far safer and I would prefer to sacrifice performance over such delicate matters.
It’s pretty much a choice between KISS (string) or improved performance/debugging (object). I still find the Object approach more suitable but I understand that the added complexity might hurt the adoption rate of the framework.
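The stale-realm case described in the post above, next to a check keyed on a serialised user-account identifier. This is an added example, not part of the original post and not the framework's code; every function name, the `:` separator and the sample grants are assumptions made for illustration.

```javascript
// Hypothetical names throughout; constructed sample data.
const SEP = ':';

// Serialise a (user, account) pair into a single subject string.
function subjectId(userId, accountId) {
  for (const part of [userId, accountId]) {
    if (typeof part !== 'string' || part === '' || part.includes(SEP)) {
      throw new TypeError(`invalid id component: ${JSON.stringify(part)}`);
    }
  }
  return `${userId}${SEP}${accountId}`;
}

// Deserialise, rejecting anything that is not exactly two non-empty parts.
function parseSubject(subject) {
  const parts = typeof subject === 'string' ? subject.split(SEP) : [];
  if (parts.length !== 2 || parts.some((p) => p === '')) {
    throw new TypeError(`malformed subject: ${JSON.stringify(subject)}`);
  }
  return { userId: parts[0], accountId: parts[1] };
}

// Constructed grants: bob is an editor on bigSite but only a viewer on smallSite.
const grants = new Map([
  [subjectId('alice', 'bigSite'), new Set(['admin'])],
  [subjectId('bob', 'bigSite'), new Set(['editor'])],
  [subjectId('bob', 'smallSite'), new Set(['viewer'])],
]);

// Stateless check: the account travels with the user in every call.
function hasRole(subject, role) {
  parseSubject(subject); // fail closed on malformed input
  return grants.has(subject) && grants.get(subject).has(role);
}

// Stateful variant: the account comes from whatever realm was set last.
let currentRealm = null;
function setRealm(accountId) { currentRealm = accountId; }
function hasRoleInRealm(userId, role) {
  const roles = grants.get(`${userId}${SEP}${currentRealm}`);
  return roles !== undefined && roles.has(role);
}

// Caller sets the realm for alice, then forgets to set smallSite for bob.
function demoStaleRealm() {
  setRealm('bigSite');
  const alice = hasRoleInRealm('alice', 'admin');
  const bobStale = hasRoleInRealm('bob', 'editor'); // meant smallSite
  const bobExplicit = hasRole(subjectId('bob', 'smallSite'), 'editor');
  return { alice, bobStale, bobExplicit };
}
```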