How to model roles to support multi-tenant (without actually using multi-tenant)

  • I am trying to figure out how I can do this in a good way:
    Users can be members of 1 or more organizations
    Additionally, Users can be members of 0 or more facilities

    There are organization specific roles (admin, manager, member)
    There are facility specific roles (manager, member, auditor)

    It is fully possible for 1 user to be member of more than 1 organization with different roles in each and member of many facilities with different roles in each.

    I don't see any way of modelling this kind of multi-tenant system in FusionAuth (especially the roles). Am I missing something, or do I simply need to deal with all of this on my backend?

  • @gjermund welcome to the FusionAuth community!

    Interesting problem. You might be able to model this with Groups and Applications. I'm not quite sure how it relates to multi tenant; tenants are really about separating user accounts and configuration so that users in one tenant won't be aware at all of user accounts in other tenants, even if they have the same email address.

    One thing to note is that roles are never assigned in FusionAuth if a user isn't registered to an application. Let's assume you have two orgs (org1, org2) and two facilities (fac1, fac2).

    So, let's say you have an application AppA (you can have more, you'd just need to replicate all the roles for each application, so I'd script their creation using the API).

    • AppA roles:
      • org1admin
      • org1manager
      • org1member
      • org2admin
      • org2manager
      • org2member
      • fac1manager
      • fac1member
      • fac1auditor
      • fac2manager
      • fac2member
      • fac2auditor

    Now, let's assume there are two users. Alice and Bob. Alice is a a admin in org1 and a member in org 2, as well as an auditor in fac1. Bob is just a member in org2. Both are registered for AppA (remember, roles are dependent on applications and a user being registered for an application!)

    If I created a group for each role:

    • org1adminGroup
    • org1managerGroup
    • org1memberGroup
    • org2adminGroup
    • org2managerGroup
    • org2memberGroup
    • fac1managerGroup
    • fac1memberGroup
    • fac1auditorGroup
    • fac2managerGroup
    • fac2memberGroup
    • fac2auditorGroup

    I can add users to one or more groups and they will pick up the roles. The roles will be available in both the JWT generated on login and the user object retrieved by the User API.

    So I'd add Bob to the org2memberGroup only. If Bob isn't registered for AppA, he doesn't pick up any roles, no matter what groups he is in.

    And I'd add Alice to the following groups:

    • org1adminGroup
    • org2memberGroup
    • fac1auditorGroup

Log in to reply

Looks like your connection to FusionAuth Forum was lost, please wait while we try to reconnect.