0 Replies Latest reply on Mar 29, 2017 5:47 PM by Cameron Hill

    Group Chat - Security Control

    Cameron Hill

      I need advice on the best way to handle the following:

       

      Have a customer that is wanting to run a hosted, multi-tenant Openfire server.  They want to use a single OF server for multiple companies (subscribers).  Their tenants are all non-related organizations that must be kept completely separate from each other.

       

      I have managed to setup an environment using AD groups and the search service properties that mostly accomplishes this.  Users only see users in their assigned groups and they cannot search for users outside of their respective group(s).  One to one chats give the appearance that they are the only users on the system.

       

      The problem is group chats.  If I allow users to create their own conferences, there is no way to keep them from being visible to other users.  I can restrict the membership, but the conference room itself is visible to all on the system.  The customer is absolutely adamant that users not see anything that does not belong to their group (even if they can't access it).

       

      I thought I might be able to do this by creating a separate conference service for each organization.  This almost works.  I can create a separate conference service for each entity and only grant right to it for that entity.  The problem is that the conference tab within spark still list ALL the conference services, even if you have no rights to it.  Spark also seems to default to using the first conference service that was created if you simply go to the action menu and create a conference.  This gives you an error and won't allow you to create a conference in a service you don't have rights, but the only way to get it to work properly is to browse the conference service and then use the create or join a room function.

       

      This method would work great if there was some way to limit a spark client to just a specific conference service, but that doesn't seem to be the case.

       

      Any one have any thoughts/ideas for me?

       

      Thanks