FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    FusionAuth implementation design suggestions

    Scheduled Pinned Locked Moved
    Q&A
    0
    3
    707
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      amar.sibia
      last edited by

      Hi All,

      I'm looking to implement RBAC with FusionAuth on a new project. We have a need to manage 3 levels of permissions.

      • User Access (granular permission claims)
      • User Position (user type, would be good to be able to allocate access claims to Position types)
      • User Teams (collection users that work together)

      I have a couple of approaches I have been evaluating, my preference would be a solution where all 3 could managed within FusionAuth. However, I only see 2 manageable pieces to play with, Roles and Groups. Currently, if I want everything to be managed within FusionAuth, I believe my only option would be to use Roles within FA to represent User Positions, and Groups to represent User Teams. This would mean loosing the granular controls we would like to implement.

      Hopefully someone could help point me to an implementation that would allow us to manage all 3 aspects within FusionAuth

      1 Reply Last reply Reply Quote 0
      • M
        mgetka Power User
        last edited by

        I would consider defining both positions and teams as groups. With such approach one user could have multiple positions - if it is an issue, you would need implement such restriction in your application.

        Later on, you define set of granular permissions as roles. The user can obtain a permission (role) in two ways:

        • explicitly - the user has specific role set,
        • implicitly - the user is in a group (position/team) associated with the role.
        1 Reply Last reply Reply Quote 1
        • danD
          dan
          last edited by

          I think @mgetka makes some good points. I'm afraid I don't have enough detail to provide an authoritative answer. From what you've said, I think you could do this with roles, application registrations, groups or even user actions. You could for example, have three different groups of roles (they are just strings, and you can add more than one to a user):

          ...
team1_member
team2_member
...
position1_holder
position2_holder
...
access_perm_1
access_perm_2
...

          I guess it also depends on how you want to consume these. Are you going to be looking up the user via FusionAuth API calls? Or will you want this embedded in a JWT for portable claims?

          In the former case (API calls) you can make multiple calls and learn a lot about the user.

          In the latter case, even though you have the JWT populate lambda, it is limited to what is on the user and registration objects.

          So you couldn't, for example, know the group name (though I believe you have the group id) in the lambda, so you couldn't put it in the JWT. More on this issue.

          --
          FusionAuth - Auth for devs, built by devs.
          https://fusionauth.io

          1 Reply Last reply Reply Quote 0
          • First post
            Last post