Design and Implementation of a Simple SaaS Multi‑Tenant Data Scope Permission System
This article explains the concepts of functional and data permissions, the advantages of RBAC, and provides a step‑by‑step guide for designing and implementing a SaaS multi‑tenant data scope permission system using Spring Boot, MyBatis Plus, and Vue.
In B2B systems, beyond basic access control, data‑scope permissions are often required; this article introduces a simple, easy‑to‑implement SaaS multi‑tenant data‑scope permission system design and implementation.
Permission Overview
Permissions consist of functional permissions (what modules/pages a user can see after logging in) and data permissions (which records a user can view within a module).
Functional Permissions
Using the RBAC (Role‑Based Access Control) model, roles are collections of functions that are assigned to users, simplifying permission management.
Why Use RBAC
When many users share the same set of functions, grouping those functions into roles reduces repetitive assignment and lowers error rates.
RBAC also decouples users from individual functions, making permission maintenance easier.
Permission Granularity
Granularity can be module‑level → page‑level → interface‑level; finer granularity offers flexibility but may increase complexity for users.
User Priority
Typical priority order: view details > view list > add/delete/edit/other actions.
Data Permissions
Data permissions control how many records and which records a user can see, often tied to the organization’s hierarchy.
Relation to Organization Structure
Data permissions are closely linked to the organization’s tree or flat structure; tree structures require careful handling of hierarchical data sharing.
Data Permission Operation Steps
Concept
Data permission control is implemented by department: the department list shown to a user in menus and dropdowns is restricted to the departments within that user's scope.
Places Where Data Permissions Apply
User creation – department dropdown selection.
... (illustrative images omitted) ...
Department List Data Permission in Management
Controller Layer – Load All Departments
... (illustrative images omitted) ...
Service Layer – Filter Departments by Current User
... (illustrative images omitted) ...
CommonDataService – Retrieve All Department IDs for User
Method getCurrUserDataDeptIds() returns the list of department IDs the current user belongs to.
... (illustrative images omitted) ...
Data Permission in User Add Dialog
The same department list API is used as described in the "Department List Data Permission in Management" section above.
Data Permission in Role Management Add Dialog
The same department list API is used as described in the "Department List Data Permission in Management" section above.
Operation Example
Assign a user to a specific department under a role.
As a super admin, assign additional department data permissions to a role.
Log in as the user to verify the effective data scope.
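The scope resolution behind getCurrUserDataDeptIds() and the operation example above, as an added example in plain Java (not the article's or the ruoyi-vue-pro project's code): a user's own department plus any departments a super admin granted to the user's role, expanded to their sub-departments, then applied as a server-side filter. The department tree, user rows, and all method names other than getCurrUserDataDeptIds are constructed for this example; it needs Java 16+ for the record.

```java
import java.util.*;
import java.util.function.ToLongFunction;
import java.util.stream.Collectors;
// Added example, not the article's code. Resolves the department IDs a user may see
// (own department plus departments granted to the user's role, expanded to their
// sub-departments) and applies that scope as a server-side filter.
public class DeptDataScope {
    // Constructed sample department tree: deptId -> parentId (0 = root)
    static final Map<Long, Long> PARENT = Map.of(
        1L, 0L,  // head office
        2L, 1L,  // sales
        3L, 2L,  // sales / north region
        4L, 1L   // finance
    );

    /** The given departments plus every descendant; an empty input yields an empty scope (fail closed). */
    static Set<Long> expand(Collection<Long> roots) {
        Set<Long> scope = new HashSet<>(roots);
        boolean grew = true;
        while (grew) {
            grew = false;
            for (Map.Entry<Long, Long> e : PARENT.entrySet()) {
                if (scope.contains(e.getValue()) && scope.add(e.getKey())) grew = true;
            }
        }
        return scope;
    }

    /** Same idea as getCurrUserDataDeptIds(): own department plus role-granted departments. */
    static Set<Long> currUserDataDeptIds(long ownDeptId, Collection<Long> roleDeptIds) {
        Set<Long> roots = new HashSet<>(roleDeptIds);
        roots.add(ownDeptId);
        return expand(roots);
    }

    /** Apply the scope in the service layer; the department dropdown in the UI is presentation only. */
    static <T> List<T> filterByScope(List<T> rows, ToLongFunction<T> deptOf, Set<Long> scope) {
        return rows.stream().filter(r -> scope.contains(deptOf.applyAsLong(r))).collect(Collectors.toList());
    }

    record User(String name, long deptId) {}

    public static void main(String[] args) {
        List<User> users = List.of(new User("alice", 2), new User("bob", 3), new User("carol", 4));
        // A sales user with no extra grants: sales (2) and its sub-department (3) only
        System.out.println(filterByScope(users, User::deptId, currUserDataDeptIds(2L, List.of())));
        // After a super admin grants finance (4) to the user's role: all three rows are in scope
        System.out.println(filterByScope(users, User::deptId, currUserDataDeptIds(2L, List.of(4L))));
    }
}
```

The filter is what enforces the scope; restricting the dropdown alone leaves any request that supplies a department ID directly unchecked.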
Feel free to share your own solutions for data‑scope permission design and implementation.