Multi-Company: Are user registrations shared or completely separate?


blestatester

Question

Hi, I have been testing a multi-company setup with Blesta 4.1.1 and I thought that user registrations were unique and separate from one company to the other.

However:

  • I had a user, who is already registered with Company #1, try to make a purchase with Company #2
  • They were unable to register a new account with Company #2 using the same email address that they used with Company #1 --> "The username has already been taken"
  • BUT, they also couldn't use their login credentials from Company #1, at Company #2 --> "No match found for that user/password combination"
  • Trying the "Reset Password" option on Company #2, using the Company #1 credentials  --> "A confirmation email has been sent to the address on record", BUT no such email is actually sent (according to the Blesta logs  +  they didn't receive any reset email; they receive all other system emails just fine)

Note:  They were using email address as Username (does this cause the above?  i.e., is it just the Usernames are shared/used as an index, or is the entire User Registration information?)

Are the user registrations actually separate per company or not?

Thanks in advance

  • 0
19 minutes ago, blestatester said:

@BlestaStore, thanks for your response.

Aside from the primary admin account, is an individual account valid (i.e., can authenticate) in both companies?

 

 

Users are unique per company, and a user cannot currently exist in multiple companies. This is something we may add in the future. (User logs in, then sees a "Choose your Company Screen", or auto select company based on hostname with ability to switch companies, similar to staff) You could make a feature request: https://requests.blesta.com

At the moment, a client can exist in multiple companies, but they would need a different user for each.


  • 0
7 minutes ago, Paul said:

Users are unique per company, and a user cannot currently exist in multiple companies. This is something we may add in the future. (User logs in, then sees a "Choose your Company Screen", or auto select company based on hostname with ability to switch companies, similar to staff) You could make a feature request: https://requests.blesta.com

At the moment, a client can exist in multiple companies, but they would need a different user for each.

Hi Paul, thanks for your response.

I will have to create a feature request when I get a chance.

Is there a way to force registering users to only use Username instead of email address (i.e., not giving them that option)?


  • 0
2 minutes ago, blestatester said:

Hi Paul, thanks for your response.

I will have to create a feature request when I get a chance.

Is there a way to force registering users to only use Username instead of email address (i.e., not giving them that option)?

You would have to modify the order templates to disable the email option in the HTML, or use JavaScript to hide it. Usually people want to force the email option and hide the username option. /plugins/order/views/templates/


  • 0
40 minutes ago, Paul said:

Users are unique per company, and a user cannot currently exist in multiple companies. This is something we may add in the future. (User logs in, then sees a "Choose your Company Screen", or auto select company based on hostname with ability to switch companies, similar to staff) You could make a feature request: https://requests.blesta.com

At the moment, a client can exist in multiple companies, but they would need a different user for each.

Just my opinion: for me it makes no sense to have a restriction on usernames across multiple companies. If I'm a user of company 1 with username "blesta" or "paul<atttt>blesta.com", and I want to purchase from another company, I will use my habitual usernames "blesta" or "paul<attttt>blesta.com"; seeing this already used is something that makes me confused.

As a user, for me company A is not company B, and it makes no sense to me if, in my account in company A, I'm seeing or I'm impacted by something else in Company B.

As CEO or owner, I don't need to reveal that I have 2 or 3 companies that share the same database or that they are related.

Normally and logically, company A is not Company B, and Blesta should take care of issues like those, or multi-company makes no sense and has no advantage at all.

Edited by Paul
spambots email addy farming

  • 0
1 minute ago, Blesta Addons said:

Just my opinion: for me it makes no sense to have a restriction on usernames across multiple companies. If I'm a user of company 1 with username "blesta" or "paul<atttt>blesta.com", and I want to purchase from another company, I will use my habitual usernames "blesta" or "paul<attttt>blesta.com"; seeing this already used is something that makes me confused.

As a user, for me company A is not company B, and it makes no sense to me if, in my account in company A, I'm seeing or I'm impacted by something else in Company B.

As CEO or owner, I don't need to reveal that I have 2 or 3 companies that share the same database or that they are related.

Normally and logically, company A is not Company B, and Blesta should take care of issues like those, or multi-company makes no sense and has no advantage at all.

There are potential security implications of allowing the same username to be used multiple times, but I understand what you're saying. You could create a feature request for this, and we could investigate to see how big of a deal it would be to change this and make usernames company unique, meaning that you could have the same username in a different company and it be a unique account.. though that would probably conflict with the feature of having a single user have access to multiple companies with the same login.


  • 0
5 minutes ago, Paul said:

There are potential security implications of allowing the same username to be used multiple times, but I understand what you're saying. You could create a feature request for this, and we could investigate to see how big of a deal it would be to change this and make usernames company unique, meaning that you could have the same username in a different company and it be a unique account.. though that would probably conflict with the feature of having a single user have access to multiple companies with the same login.

Limiting the username within 1 company is reasonable, but limiting it across multiple companies is not reasonable. The behavior can be changed, I think, and when the validation is done it should be related to the company, not the whole system.

I have not used multi-company because of some issues I faced in the past, like the themes and the user IDs and the usernames and others I can't remember now, so I have opted for another license. I will not open any feature request, as I think what is opened now is higher priority than that one :)


  • 0
19 minutes ago, Blesta Addons said:

Just my opinion: for me it makes no sense to have a restriction on usernames across multiple companies. If I'm a user of company 1 with username "blesta" or "paul<atttt>blesta.com", and I want to purchase from another company, I will use my habitual usernames "blesta" or "paul<attttt>blesta.com"; seeing this already used is something that makes me confused.

As a user, for me company A is not company B, and it makes no sense to me if, in my account in company A, I'm seeing or I'm impacted by something else in Company B.

As CEO or owner, I don't need to reveal that I have 2 or 3 companies that share the same database or that they are related.

Normally and logically, company A is not Company B, and Blesta should take care of issues like those, or multi-company makes no sense and has no advantage at all.

This.  Exactly.

I thought that the registration databases would have been "separate but unequal" (i.e., not the same). 

This is causing me to take a step back after learning this.


  • 0
36 minutes ago, Paul said:

There are potential security implications of allowing the same username to be used multiple times, but I understand what you're saying. You could create a feature request for this, and we could investigate to see how big of a deal it would be to change this and make usernames company unique, meaning that you could have the same username in a different company and it be a unique account.. though that would probably conflict with the feature of having a single user have access to multiple companies with the same login.

Paul, believe me I know the security implications more than you can imagine.

I've worked with a number of "multi-tenant" setups (particularly Drupal) and also, more recently, WordPress.

I was hoping that your implementation would have been similar to Drupal's:

  • Separate databases (i.e., with completely separate tables, user registrations, etc)
  • One codebase (which you have) -- so that upgrading once, upgrades many
  • This also means that if you want to do a high-availability setup, each company database would have to be replicated separately

Given that it is not this approach (with individual database), this likely has some other far-reaching implications ... i.e., PCI.  :-(

The current implementation:

  • Shares a database (and in particular, usernames)
  • Could potentially expose data elements from multiple companies in a single attack


The "right" way (from a security perspective) to do a multi-tenant setup ... is with completely separate databases. 
(Though admittedly, true security purists would frown upon any shared anything.  We all realize that some compromises have to be made with this type of setup).

 

I am not criticizing, I am merely summarizing what I have literally learned today in this thread.  Your corrections to my understanding are certainly welcome.

Thanks


  • 0
38 minutes ago, blestatester said:

Separate databases (i.e., with completely separate tables, user registrations, etc)

That would make the database massive though and confusing to browse? I haven't had any issues with multi-company people just have one username for one and another for the other. 
 


  • 0
10 hours ago, BlestaStore said:

That would make the database massive though and confusing to browse? I haven't had any issues with multi-company people just have one username for one and another for the other. 
 

Disagree.  It would make multiple databases each of similar size (because they contain all of the necessary tables necessary to run Blesta).  So, maybe more storage requirement overall. 

In summary:

  1. It possibly requires more storage because each database would require any required elements that Blesta needs upon creation of a new company
    • Databases would only be "massive" if you had "massive" amounts of data associated with a particular company.
  2. It would in fact make the databases easier to browse because each database would only contain data associated with the specific company it represents
  3. It is better from a security perspective as well
    • All data, including user registrations, would be separated -- with separate database credentials to even open the database
    • It would also be irrelevant what username/email address someone wants to use if they had business with each company -- they could use the same or different if they wanted to
    • In fact, you could have completely independent ADMIN user for each site
  4. It would potentially reduce customer confusion for those who use multi-company that may have customers in common
    • This particular case became a problem for me because of customer confusion when they tried to make a purchase from the 2nd/unrelated company and they couldn't register with their preferred username (their email address) which should be uniquely theirs
    • So, the question then asked of me was "how did someone else register in your secure system with my email address??"
    • I had to then figure out what was going on ... and here we are
  5. This would make Blesta be true "multi-tenant" and not just "multi-site"
    • Reference: (rudimentary explanation of WordPress multi-tenancy vs multi-site, add http  : //) 
      • torbjornzetterlund.com/multi-tenant-wordpress-enterprise/
    • Reference: (explanation of Drupal multi-tenancy vs numerous other options, add http : //)
      • drupal.stackexchange.com/questions/78328/does-drupal-support-multitenancy
    • This could be an additional selling point and differentiator for Blesta vs competitors

I am not trying to imply that this would be trivial for the Blesta team to code -- I understand and appreciate the complexities and prioritization needed here.

But, it is a better solution for the long-run.

And, for me, this is a of a show-stopper with what I thought multi-company could do, and what I had hoped to use it for.

Thanks


  • 0
18 hours ago, blestatester said:

Paul, believe me I know the security implications more than you can imagine.

I've worked with a number of "multi-tenant" setups (particularly Drupal) and also, more recently, WordPress.

I was hoping that your implementation would have been similar to Drupal's:

  • Separate databases (i.e., with completely separate tables, user registrations, etc)
  • One codebase (which you have) -- so that upgrading once, upgrades many
  • This also means that if you want to do a high-availability setup, each company database would have to be replicated separately

Given that it is not this approach (with individual database), this likely has some other far-reaching implications ... i.e., PCI.  :-(

The current implementation:

  • Shares a database (and in particular, usernames)
  • Could potentially expose data elements from multiple companies in a single attack


The "right" way (from a security perspective) to do a multi-tenant setup ... is with completely separate databases. 
(Though admittedly, true security purists would frown upon any shared anything.  We all realize that some compromises have to be made with this type of setup).

 

I am not criticizing, I am merely summarizing what I have literally learned today in this thread.  Your corrections to my understanding are certainly welcome.

Thanks

You make a very good case for just having a separate license & separate installation. If PCI is a concern between companies, they should have separate code bases as well. If the server was compromised, the attacker would have the details they need to get into either database. Multi-company with multiple databases is not something we plan to implement, in fact, it would introduce a host of other issues.

We understand that for some, a separate installation is preferable to a multi-company installation, and that's ok.


  • 0

Regarding the OP question.

For me at least, the multi-company provided now in Blesta is enough; I can only request some more flexibility around the separation of companies. One database is the goal for this multi-company system as announced.

If we talk about multi-tenant, we are talking about another level of software design and architecture. For me, multi-tenant in Blesta equals a separate installation.

I can make Blesta multi-tenant on 1 condition: I get the full open source of the file that includes the config file, maybe it's app_model.php; then you can hook the files to include a custom config file based on the hostname :)


  • 0

Hello,

Does someone know if there is any progress on this issue? I am starting to work with Blesta for my new projects and thinking of multi-company (for every brand), but I find it a problem.

As some said, there are users that would like to use 1 email address (or username) for their services. And more important for me, it doesn't look clear from a customer perspective to know they can't use their own email address when buying a service because it is used in another different service; it doesn't make sense (in my opinion :D).

I really think it needs to have unique email/username limited to every company (or brand), not the whole system. I think this option isn't too hard to implement; it is just one more filter in the login process (multi-brand does it with every entity and other parts of the system). Or at least shared users, which I think is more difficult to implement and maybe not correct from a business perspective (or yes, idk).

Thank you,

regards.


  • 0

@Mariano have you tested it?   I haven't but I did set up my own testing client using the same email account on two different companies.  Maybe it only rejects it if it's done via the client signup and not via the admin area?  Don't have time to test it but I can say it is possible to have the same email address used on two different companies.


  • 0
3 hours ago, WebhostingNZ.com said:

@Mariano have you tested it?   I haven't but I did set up my own testing client using the same email account on two different companies.  Maybe it only rejects it if it's done via the client signup and not via the admin area?  Don't have time to test it but I can say it is possible to have the same email address used on two different companies.

Hello,

Are you able to register with the same email address in both companies using the "Use email as username" option? I understand it is possible using the "Specify a username" option (and setting different usernames for each company) but not using the previous option (Use email as username).

Regards.


  • 0
6 hours ago, Mariano said:

Hello,

Are you able to register with the same email address in both companies using the "Use email as username" option? I understand it is possible using the "Specify a username" option (and setting different usernames for each company) but not using the previous option (Use email as username).

Regards.

The limit is based on the username, not the email address, so if the username is the email then it is limited.

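Added example, not part of any post in this thread and not Blesta's code: a small model of the behaviour reported in the opening question and explained in the reply above (uniqueness is enforced on the username, while lookups are scoped to the company). The table names, columns and functions are hypothetical and the account is constructed; only the three quoted messages come from the thread.

```python
import hashlib
import hmac
import os
import sqlite3

# Hypothetical schema (not Blesta's): global_users enforces username
# uniqueness installation-wide, scoped_users only within one company.
SCHEMA = """
CREATE TABLE global_users (
    id INTEGER PRIMARY KEY, company_id INTEGER NOT NULL,
    username TEXT NOT NULL UNIQUE, salt BLOB NOT NULL, pw_hash BLOB NOT NULL);
CREATE TABLE scoped_users (
    id INTEGER PRIMARY KEY, company_id INTEGER NOT NULL,
    username TEXT NOT NULL, salt BLOB NOT NULL, pw_hash BLOB NOT NULL,
    UNIQUE (company_id, username));
"""
TABLES = ("global_users", "scoped_users")
TAKEN = "The username has already been taken"
NO_MATCH = "No match found for that user/password combination"
RESET_SENT = "A confirmation email has been sent to the address on record"

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _find(db, table, company_id, username):
    # Every lookup is scoped to the company the request arrived at.
    assert table in TABLES  # table name is interpolated, so allow-list it
    return db.execute(
        f"SELECT salt, pw_hash FROM {table} WHERE company_id = ? AND username = ?",
        (company_id, username)).fetchone()

def register(db, table, company_id, username, password):
    assert table in TABLES
    salt = os.urandom(16)
    try:
        db.execute(
            f"INSERT INTO {table} (company_id, username, salt, pw_hash) "
            "VALUES (?, ?, ?, ?)",
            (company_id, username, salt, _hash(password, salt)))
    except sqlite3.IntegrityError:  # the UNIQUE constraint fired
        return TAKEN
    return "registered"

def login(db, table, company_id, username, password):
    row = _find(db, table, company_id, username)
    if row and hmac.compare_digest(_hash(password, row[0]), row[1]):
        return "ok"
    return NO_MATCH

def reset_password(db, table, company_id, username, outbox):
    # Same reply whether or not the account exists here; mail only if it does.
    if _find(db, table, company_id, username):
        outbox.append((company_id, username))
    return RESET_SENT

def run_scenario(table):
    """Register at company 1, then try everything at company 2."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    outbox, user, pw = [], "customer@example.test", "constructed-password"
    result = {"register_c1": register(db, table, 1, user, pw)}
    result["register_c2"] = register(db, table, 2, user, pw)
    result["login_c2"] = login(db, table, 2, user, pw)
    result["reset_c2"] = reset_password(db, table, 2, user, outbox)
    result["emails_sent"] = len(outbox)
    return result
```

`run_scenario("global_users")` reproduces the four observations from the opening post; `run_scenario("scoped_users")` shows the same steps when uniqueness is enforced per company. In the global case the registration response at company 2 is the only step that reveals the name exists elsewhere in the installation, while the reset response stays uniform.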

  • 0

Hello -

I just wanted to jump in here because I too have a similar request because we work with a few different marketing agencies who require access to multiple client accounts, however it is clear that using a single email address is impossible across multiple accounts, however this would be great if it were implemented. Given the fact that it doesn't work this way and each "contact" username has to be unique, if said marketing agency has 10 clients they work with to handle support and/or billing, then we have to create 10 unique usernames for them and it becomes cumbersome to keep track of.

I was actually coming here for this very thing, good to see that others are requesting similar functionality :)


  • 0

Hi @viablethought

How would you see that working?  Logging in with the same username (email or username) but having access to 10 different accounts, how would they select which account they wanted to log into at the time?  This thread was about the same client on multiple companies so at least it would know which account to log them into, not about one provider wanting the same user to log into 10 different accounts.

Changing the database to allow same email address to be used for different companies wouldn't be too hard but I think what you are suggesting viablethought is more like a master account that has access to sub accounts.  Maybe that could be put as a feature request?   Create a contact with the ability to add which accounts it has access to.  When they log in they could be directed to a landing page where they select the account they want to log into.... come to think of it you could probably code up something to do that yourself anyway


  • 0
42 minutes ago, WebhostingNZ.com said:

Hi @viablethought

How would you see that working?  Logging in with the same username (email or username) but having access to 10 different accounts, how would they select which account they wanted to log into at the time?  This thread was about the same client on multiple companies so at least it would know which account to log them into, not about one provider wanting the same user to log into 10 different accounts.

Changing the database to allow same email address to be used for different companies wouldn't be too hard but I think what you are suggesting viablethought is more like a master account that has access to sub accounts.  Maybe that could be put as a feature request?   Create a contact with the ability to add which accounts it has access to.  When they log in they could be directed to a landing page where they select the account they want to log into.... come to think of it you could probably code up something to do that yourself anyway

My suggestion is no different than how Vimeo, Stripe, Buffer, or dozens of other applications do it. Basically assigning Team Members to your account to let them manage it. Heck, even Facebook has been doing this forever with Tiered Page Roles. Company A has their own account, Company B assigns them as a "Team Member" or "Page Admin", then Company C signs up and also assigns Company A as a "Team Member" or "Page Admin". Vimeo Example: https://screencast.com/t/cCXsrYPH8hM

As for the "two company" thing, I never really understood the "use case" for that in Blesta, but I am not using it for what it was designed for I suppose. The only logical thing that I can think of from a UX perspective would be to have a dropdown on the login screen for someone to select which "Company" they wish to log into, and be redirected to upon logging in.

Another example would be like Harry & David's website

If you notice across the top of the site, they own several e-comm shops and I am curious to know if you create an account on one, if your same email & password work across all of those company sites. Similar logic here with having a single login to gain access to multiple companies.

 
