I've read the various documents and have a few questions about how to deal with more advanced scenarios.
I have a set of organizations that have multiple "products". I also have a set of micro-services that coordinate together to produce those "products". Within that product, some of the micro-services are likely coordinating to produce "tools". That results in the following hierarchy:
My goal would be to have a single sign-on for the entire organization, so that all products are signed into. Users have different roles for all the various tools, and those are what the users would primarily be logging into.
Therefore, I've mapped:
For "general" roles (admin, user, etc.) and allowing a user to use a tool/API, the user would have a registration record for the particular tool/API and a set of roles assigned to them.
I don't see a way to manage "permissions" in FusionAuth (what a role would allow a user to do), so I assume that concept would be left to the individual micro-services to handle.
I also have a new requirement and I'm not sure how to map that in FusionAuth. I've looked into Entities, but am very confused by them and not sure if they are meant for this use case or not. That requirement is that a particular user may have different roles in the same tool/API based on the "context" they are trying to work with.
For instance, we could have multiple "customers" in the tool and some users would have different permission sets based on which customer they are looking at. (For instance, a user would have no access to some customers, management roles/capabilities of a subset of the customers and read-only visibility on others.)
- First question is if my "mapping" follows the best practices for FusionAuth. I want to make sure that I don't map in a way that means I'll be fighting with the solution.
- Second question is, how would the community suggest that we model the new requirement in FusionAuth, or are the capabilities of FusionAuth not a good fit for this use case?