FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    Group & Role Design in a nearly multitenant Applicatino

    Scheduled Pinned Locked Moved
    General Discussion
    roles groups
    4
    4
    1.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Q
      quirin.sailer
      last edited by

      Hi,
      i'm planning to migrate a ASP .NET Core Application from Azure AD B2C to FusionAuth.I read the documentation, but still i have one question how to correctly design the group / role Schema in Fusion Auth.

      Currently in the App a user X can be a member of multiple companies. In each company X can have different roles (e.g. he can be an Admin in Company A and a Editor in Company B).

      First i thought using a Group as a Company is good idea, but it seems like FusionAuth is not supporting Group Roles (User can have different Roles in different Groups).

      So one way is to handle the Group roles in my application logic (which i don't like to do, this is more work for me then it should).

      Also i cloud create Roles for each Company e.g. for Company A i create A_Admin, A_Editor.... so i will end with thousands of Roles, which isn't that perfect solution.

      Other way is to create a Application for every Company, but then i have to provide a individual instance for each company or i have to restart the Backend for each new Application(both not acceptable options).

      A Tenant for each Company brings the same Problem.

      So do i have to implement Group Roles by my own?

      danD 1 Reply Last reply Reply Quote 0
      • danD
        dan @quirin.sailer
        last edited by

        @quirin-sailer Hiya, you could also use entity management: https://fusionauth.io/docs/v1/tech/core-concepts/entity-management and represent the roles as permissions and grants. You'd create a company entity type with permissions like 'admin' or 'editor', add each company as an entity, and then individually manage the grants to the user.

        Do note that entity management is not part of the community edition, but instead requires a paid license.

        Alternatively, I think you could do this with many groups (you'd want to manage these via the API, probably). Users are assigned the roles for the groups they are in and the applications they are registered for.

        You could create an admin group for each application, then an editor group for each application, then add a user to the admin group for application A and the editor group for application B, and register them for both applications. When they logged into A, they'd get admin, and when they logged into B, they'd get the editor role.

        Does that work?

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        S 1 Reply Last reply Reply Quote 0
        • S
          stephan @dan
          last edited by

          @dan

          Hi

          You'd create a company entity type with permissions like 'admin' or 'editor', add each company as an entity, and then individually manage the grants to the use

          This seems to be exactly what we need, but I'm unsure of how to get the entity grant permissions into the jwt token so that our API can do permission checks. Any tips?

          Thanks

          mark.robustelliM 1 Reply Last reply Reply Quote 0
          • mark.robustelliM
            mark.robustelli @stephan
            last edited by

            For those reading, please check out this post.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post