FusionAuth
    How to model roles to support multi-tenant (without actually using multi-tenant)

    • gjermund

      I am trying to figure out how I can do this in a good way:
      Users can be members of 1 or more organizations
      Additionally, Users can be members of 0 or more facilities

      There are organization specific roles (admin, manager, member)
      There are facility specific roles (manager, member, auditor)

      It is fully possible for 1 user to be a member of more than 1 organization with different roles in each, and a member of many facilities with different roles in each.

      I don't see any way of modelling this kind of multi-tenant system in FusionAuth (especially the roles). Am I missing something, or do I simply need to deal with all of this on my backend?

      • dan

        @gjermund welcome to the FusionAuth community!

        Interesting problem. You might be able to model this with Groups and Applications. I'm not quite sure how it relates to multi tenant; tenants are really about separating user accounts and configuration so that users in one tenant won't be aware at all of user accounts in other tenants, even if they have the same email address.

        One thing to note is that roles are never assigned in FusionAuth if a user isn't registered to an application. Let's assume you have two orgs (org1, org2) and two facilities (fac1, fac2).

        So, let's say you have an application AppA (you can have more, you'd just need to replicate all the roles for each application, so I'd script their creation using the API).

        • AppA roles:
          • org1admin
          • org1manager
          • org1member
          • org2admin
          • org2manager
          • org2member
          • fac1manager
          • fac1member
          • fac1auditor
          • fac2manager
          • fac2member
          • fac2auditor

        Now, let's assume there are two users, Alice and Bob. Alice is an admin in org1 and a member in org2, as well as an auditor in fac1. Bob is just a member in org2. Both are registered for AppA (remember, roles are dependent on applications and a user being registered for an application!).

        If I created a group for each role:

        • org1adminGroup
        • org1managerGroup
        • org1memberGroup
        • org2adminGroup
        • org2managerGroup
        • org2memberGroup
        • fac1managerGroup
        • fac1memberGroup
        • fac1auditorGroup
        • fac2managerGroup
        • fac2memberGroup
        • fac2auditorGroup

        I can add users to one or more groups and they will pick up the roles. The roles will be available in both the JWT generated on login and the user object retrieved by the User API.

        So I'd add Bob to the org2memberGroup only. If Bob isn't registered for AppA, he doesn't pick up any roles, no matter what groups he is in.

        And I'd add Alice to the following groups:

        • org1adminGroup
        • org2memberGroup
        • fac1auditorGroup

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io
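The modelling described in the reply above, worked through as an added example (not FusionAuth's own code and not part of the original post): flat per-organization and per-facility role names are generated for one application, one group is created per role, and a user's effective roles are resolved with the rule that a group grants nothing unless the user is registered for the application. The request-body shapes in `application_payload` are assumptions for illustration, the `User` dataclass stands in for FusionAuth's user record, and `is_authorized` shows how a backend can split a flat role name such as `org1admin` back into org and role when checking the `roles` claim of an already-verified JWT. Alice and Bob are the constructed users from the reply.

```python
"""Flat application roles plus one group per role, as the reply above describes.

Added example, not FusionAuth's own code. Request-body shapes are assumptions
for illustration; check them against the FusionAuth API docs before use.
No network calls are made.
"""
from dataclasses import dataclass, field

# Role sets from the question (assumed fixed per scope type).
ORG_ROLES = ("admin", "manager", "member")
FACILITY_ROLES = ("manager", "member", "auditor")


def role_names(orgs, facilities):
    """Flat role list for one application: org1admin ... fac2auditor."""
    names = [f"{o}{r}" for o in orgs for r in ORG_ROLES]
    names += [f"{f}{r}" for f in facilities for r in FACILITY_ROLES]
    return names


def group_for_role(role):
    """Naming convention from the reply: <role>Group."""
    return f"{role}Group"


def application_payload(app_name, orgs, facilities):
    """Body to create the application with every role (assumed shape)."""
    return {"application": {"name": app_name,
                            "roles": [{"name": r} for r in role_names(orgs, facilities)]}}


def group_roles(orgs, facilities):
    """Group name -> list of roles it grants (one role per group, per the reply)."""
    return {group_for_role(r): [r] for r in role_names(orgs, facilities)}


@dataclass
class User:
    """Stand-in for a FusionAuth user: app registrations and group memberships."""
    name: str
    registered_apps: set = field(default_factory=set)
    groups: set = field(default_factory=set)


def effective_roles(user, app_name, groups):
    """Roles the user actually holds in app_name: empty unless the user is
    registered for that application, no matter which groups they belong to."""
    if app_name not in user.registered_apps:
        return set()
    roles = set()
    for g in user.groups:
        roles.update(groups.get(g, []))
    return roles


def parse_role(role, orgs, facilities):
    """Split a flat role name back into (scope_type, scope_id, role) so the
    backend can authorize per org/facility. Returns None for unknown names."""
    for o in orgs:
        rest = role[len(o):]
        if role.startswith(o) and rest in ORG_ROLES:
            return ("org", o, rest)
    for f in facilities:
        rest = role[len(f):]
        if role.startswith(f) and rest in FACILITY_ROLES:
            return ("facility", f, rest)
    return None


def is_authorized(jwt_claims, scope_id, wanted_role, orgs, facilities):
    """Backend check over the decoded JWT's 'roles' claim (the caller has
    already verified the signature): does the caller hold wanted_role in scope_id?"""
    for r in jwt_claims.get("roles", []):
        parsed = parse_role(r, orgs, facilities)
        if parsed and parsed[1] == scope_id and parsed[2] == wanted_role:
            return True
    return False


if __name__ == "__main__":
    ORGS, FACS = ["org1", "org2"], ["fac1", "fac2"]
    groups = group_roles(ORGS, FACS)
    alice = User("alice", {"AppA"}, {"org1adminGroup", "org2memberGroup", "fac1auditorGroup"})
    bob = User("bob", set(), {"org2memberGroup"})  # in a group but not registered for AppA
    print(sorted(effective_roles(alice, "AppA", groups)))
    print(effective_roles(bob, "AppA", groups))
    # Constructed claims, shaped like the roles claim FusionAuth puts in its JWT.
    claims = {"sub": "alice", "roles": sorted(effective_roles(alice, "AppA", groups))}
    print(is_authorized(claims, "org1", "admin", ORGS, FACS))
    print(is_authorized(claims, "org2", "admin", ORGS, FACS))
```

The split in `parse_role` is what lets the backend enforce the question's requirement (different roles in different organizations) from a single flat roles list; if organization or facility identifiers can be prefixes of one another, use a separator in the role names so the match stays unambiguous.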
