Group & Role Design in a nearly multitenant Applicatino
quirin.sailer last edited by
i'm planning to migrate a ASP .NET Core Application from Azure AD B2C to FusionAuth.I read the documentation, but still i have one question how to correctly design the group / role Schema in Fusion Auth.
Currently in the App a user X can be a member of multiple companies. In each company X can have different roles (e.g. he can be an Admin in Company A and a Editor in Company B).
First i thought using a Group as a Company is good idea, but it seems like FusionAuth is not supporting Group Roles (User can have different Roles in different Groups).
So one way is to handle the Group roles in my application logic (which i don't like to do, this is more work for me then it should).
Also i cloud create Roles for each Company e.g. for Company A i create A_Admin, A_Editor.... so i will end with thousands of Roles, which isn't that perfect solution.
Other way is to create a Application for every Company, but then i have to provide a individual instance for each company or i have to restart the Backend for each new Application(both not acceptable options).
A Tenant for each Company brings the same Problem.
So do i have to implement Group Roles by my own?
dan last edited by
@quirin-sailer Hiya, you could also use entity management: https://fusionauth.io/docs/v1/tech/core-concepts/entity-management and represent the roles as permissions and grants. You'd create a company entity type with permissions like 'admin' or 'editor', add each company as an entity, and then individually manage the grants to the user.
Do note that entity management is not part of the community edition, but instead requires a paid license.
Alternatively, I think you could do this with many groups (you'd want to manage these via the API, probably). Users are assigned the roles for the groups they are in and the applications they are registered for.
You could create an admin group for each application, then an editor group for each application, then add a user to the admin group for application A and the editor group for application B, and register them for both applications. When they logged into A, they'd get admin, and when they logged into B, they'd get the editor role.
Does that work?