@apetrescu Sounds like a fun problem!

You are correct that entities are the best approach for this while staying entirely within FusionAuth. We don't have a lot of guidance on best practices around entities that I can share, unfortunately.

Considering these challenges, we would greatly appreciate your guidance on how best to model FusionAuth to meet our needs. We would be particularly interested in any recommendations or best practices you can provide regarding Entity management, Permissions, and Role assignments.

You might think about making an intermediate entity such as CompanyAbcAdminRole or CompanyAbcManagerRole, which would have permissions for admin or manager actions on CompanyAbc. Then you could atomically grant or remove CompanyAbcAdminRole to a user while leaving CompanyAbcManagerRole assigned.

Additionally, we anticipate that a User may have access to a potentially large number of Companies within our application, potentially reaching hundreds of thousands. We are concerned about the practicality of including all these Permissions in the JWT (JSON Web Token). Could you please advise us on an effective approach for managing and including these Permissions in the JWT? What would be the alternatives or what are the best practices on this topic?

Why would you need to do so? Is your user going to be accessing all the Companies at one time? In this case, I might offer the user the ability to choose a Company to 'enter' and create a JWT based on that action. You'd create an Company 'chooser' based on their grants to allow them to pick between the companies they know about.

If you'd like to discuss this more, consider talking to our sales engineers.

Another option is to, as you said, not use FusionAuth entities. You could instead use FusionAuth for authentication, then feed the resulting JWT into a solution like permit.io, cerbos or oso (or something home grown). You'd use that other system as the authorization solution.

Hope this helps.