User Accounts with Hierarchy like Company and Teams
-
I like what FusionAuth is doing.
I explored and read a lot, but I have a scenario for which I am unable to see whether it can be handled via FusionAuth.
I am building an app in which a user (Super-Admin), after signup, can create multiple companies. Every company will have different teams, e.g. marketing, operations, HR.
Now, the user (Super-Admin) will be able to add more users to different teams.
Also, when it comes to roles:
- Super-Admin can manage roles of all companies and teams, e.g. assign Team Admin for teams, and add Editors and Viewers also at the same time.
- Team Admin can manage roles of their teams, e.g. add editors or viewers to their team.
Options for Following Roles:
- Super-Admin
- Team-Admin
- Editors
- Viewer
It's like a hierarchy with roles in companies and teams.
Please suggest how we can achieve a scenario like this in FusionAuth.
-
Roles and Groups within FusionAuth are really flexible. You can define a role and have it added to a JWT as a claim. Typically it is up to the application integrator to determine how these roles will function (with regards to permissions and hierarchy). The exception to this is the FusionAuth Admin UI, which has several predefined roles in service of users trying to access the admin UI only.
You can read more about both below
- https://fusionauth.io/docs/v1/tech/core-concepts/groups/
- https://fusionauth.io/docs/v1/tech/core-concepts/roles/
So you could create groups/roles to accommodate your request.
Super-Admin can manage Roles of all companies and teams, eg: Assign Team Admin for teams, and add Editors, and Viewers also at same time.
Team Admin can manage Roles of their teams eg: add editor or viewers to their team
So you would have program logic that would enable this auth/permissions model on the JWT.
For example, your program/code would check -
- Does this JWT/user have "Super-Admin" role? -> yes -> they can manage roles of all companies and teams <insert additional logic/code to make work>
There are a few open issues surrounding this functionality as well
But feel free to log your own if you would like, https://github.com/FusionAuth/fusionauth-issues/issues/new/choose.
I hope this helps!
Thanks,
Josh
-
Thanks Josh for your informative explanation.
How can we create a hierarchy for all those custom companies that will be added by users? E.g. 50k users creating 1-5 companies each, with some unique teams in each company.
E.g.:
- Company A has Marketing team, Ops team, HR team
- Company B has Department-1, Department-2, Department-3, Department-4
These companies and departments will be created by the users when they sign up.
Will using Entities (https://fusionauth.io/docs/v1/tech/core-concepts/entity-management/) be the right way? If yes, then how can we create a hierarchy (parent-child relationship)?
E.g. these teams (John-Marketing, John-HR, John-OPs) with their unique ids are children of the parent (company) JohnAssociates. Could not find any way inside to create these parent-child relationships. We are building a SaaS for companies which can have their own teams.
-
Much of this might be context-specific. Entity Management is an implementation of the Client Credentials grant and may fit your use case. This video offers a useful demonstration:
https://www.youtube.com/watch?v=pJIzYLSTrMM
You may also find this to be useful --> https://github.com/FusionAuth/fusionauth-site/pull/1158/files as well if you are trying to implement certain levels of granularity within your permissions.
Hope this helps!
Thanks,
Josh
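-
The role check described in the replies, extended to the per-company and per-team scope asked about in the follow-up, as an added Python example that is not from the thread's authors or from FusionAuth. It assumes the token's signature, expiry and audience were already verified and that the application places a hypothetical `memberships` custom claim in the JWT; role names and the JohnAssociates sample data follow the thread.

```python
"""Added example: scoped role-assignment check for the hierarchy in this thread."""

# Roles each role is allowed to grant. Nobody can grant their own role or a
# higher one, so a Team-Admin cannot promote anyone to Team-Admin or Super-Admin.
GRANTABLE = {
    "Super-Admin": {"Team-Admin", "Editor", "Viewer"},
    "Team-Admin": {"Editor", "Viewer"},
}


def can_assign(claims, company, team, new_role):
    """Return True if the token holder may grant `new_role` on company/team.

    `claims` must come from an already verified JWT. `memberships` is a
    hypothetical custom claim, not a built-in one:
    [{"company": str, "team": str or None, "role": str}, ...]
    """
    for m in claims.get("memberships", []):
        if m.get("company") != company:
            continue  # a role held in one company never applies to another
        role = m.get("role")
        if new_role not in GRANTABLE.get(role, set()):
            continue  # Editors/Viewers grant nothing; unknown roles grant nothing
        if role == "Super-Admin":
            return True  # company-wide: any team inside this company
        if role == "Team-Admin" and m.get("team") == team:
            return True  # only the admin's own team
    return False  # deny by default


# Constructed sample claims (not real tokens).
JOHN = {"sub": "john", "memberships": [
    {"company": "JohnAssociates", "team": None, "role": "Super-Admin"}]}
MARY = {"sub": "mary", "memberships": [
    {"company": "JohnAssociates", "team": "John-Marketing", "role": "Team-Admin"},
    {"company": "JohnAssociates", "team": "John-HR", "role": "Viewer"}]}

if __name__ == "__main__":
    print(can_assign(JOHN, "JohnAssociates", "John-HR", "Team-Admin"))
    print(can_assign(MARY, "JohnAssociates", "John-Marketing", "Team-Admin"))
```

Run the check on the server for every role-change request; a flat role name alone does not say which company or team it applies to, which is why the scope is part of each membership.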