Permission, User Management and Availability for multi-tenant SaaS applications (PUMA)

The aim of this project is to incept and create a scalable security facility for the management of users and their permissions to use functionality, data and resources in multi?tenant Software-as-a-Service applications. Such a facility offers support for key requirements of such applications, for instance support for confidentiality, data integrity and availability.
The solution to the problem is recognized to be a critical factor in the breakthrough of Software-as-a-Service providers, who offer added value in a niche market where they deliver unique and typically domain specific applications. Typically, such a Software-as-a-Service application is utilized by multiple customers who – ideally – use the same application software and the same distributed deployment infrastructure. However, each of the customers has various actors, roles and responsibilities within their respective organizations, possibly even additional users amongst their own respective customers. All these types of users must be supported and controlled to ensure correct usage of the application instance and the related data and resources. Obviously, appropriate access control is needed to ensure confidentiality, integrity and availability of the overall SaaS application. In addition, appropriate performance and scalability measures must be taken to continuously ensure the availability of all application instances in such a shared distributed environment.
In order to deal with this challenge, many SaaS providers share the common objective of creating a specific and scalable permission and user management facility. Ideally such a security facility can to a large extent be seen as a common service for many SaaS provider, assuming that there is a common body of access and usage control requirements that re-appear in multiple application domains. However, a specific solution must be tightly integrated with the application logic and with specific systems of the SaaS provider and his customers. It therefore cannot be expected to become available through general purpose platforms. The proposed PUMA project will analyze and develop complementary real world application case studies to

  1. Incept a common solution for access and usage control. This will lead to a security facility with a new hybrid access control model that enables self?service for customers and that leverages upon principles of pre-existing know how such as role based access control and lattice based access control, but that also ensures availability of the overall system.
  2. Create a security-specific execution framework for user and permission management; it will be incepted and prototyped to deal with the scalable enforcement of the typical policies and scenarios that re-occur in the application case studies. Also, a method will be developed to support the integration of this security specific framework into the business-specific application logic.
  3. Support the practical use of the facility, through an advanced management interface that covers specific management decision support tools that support monitoring as well event correlation and decision support to evaluate and guide trade-offs between security concerns and performance and load management aspects of the SaaS system.



More information about the project can be found at

Project fiche