Allow for "Single Tenant" self hosted instance that auto invites all users to a single Org

Open max-cole opened this issue 1 year ago • 3 comments

Is your feature request related to a problem? Please describe.

When self-hosting Flagsmith, the owner of the instance might want to only manage a single org for all of their users. Currently, every user must be manually invited to the same org or share the same invite link. Flagsmith currently allows for OAuth via Google and GitHub. In an ideal world, there would be functionality such that the Flagsmith instance would effectively be a "single tenant org" where all users that successfully authenticate would be invited to this "default" org without having to share a link or mistakenly create their own org.

Describe the solution you'd like.

Functionally, this might be done via env var(s) on the API instance that would change the API to:

- Disable users from creating orgs (already done via Flagsmith on Flagsmith)
- Auto invite all users to some default org
- Disable email/password signup (already done via ALLOW_REGISTRATION_WITHOUT_INVITE)
- Force users to sign up via OAuth/SAML/SSO

The only requirement for this feature would be the auto invite, but it might be useful to bundle/couple these changes from a security perspective so random people don't get auto invited to the org.

Describe alternatives you've considered

Users can log in but must then be invited to the org. This might lead to a user creating an org and using it without the ability for other users of that same instance to edit the flags.

Additional context

Spoke to @dabeeeenster on the Flagsmith Discord around this feature. Happy to discuss this feature request any further.

max-cole, May 16 '24 15:05

Thank you for this feature request @max-cole. We will look at it and prioritize it or reply with comments.

novakzaballa, May 16 '24 16:05

I think this is a good idea - surprised it hasn't come up before. I'm not clear why there is a requirement to "Disable email/password signup" - we could lock down the app with the env var ALLOW_REGISTRATION_WITHOUT_INVITE (https://docs.flagsmith.com/deployment/hosting/locally-api#application-environment-variables), which would maintain security?

dabeeeenster, May 17 '24 12:05

The callout for the disable email/password signup was more of a "tightly coupling this functionality or at least calling them out in the docs would help users maintain good security hygiene and prevent gun aimed at foot situations" vs. a strict requirement. The auto invite is really the only missing element.

max-cole, May 17 '24 17:05