
Feature: Add one or more Tenant scoped roles for the FusionAuth UI

Open robotdan opened this issue 5 years ago • 16 comments

FusionAuth tenant manager

Problem

Currently, a user with a registration to the FusionAuth application with a role that allows access to search, edit, delete, or create users can see users across all tenants.

This is the current design of FusionAuth, but it would be helpful for those wishing to white-label FusionAuth, or segment users into tenants to assign admin users access to one or more tenants without access to any other users.

Solution

In the FusionAuth UI, allow a user with registration to the FusionAuth application to be assigned as a manager to one or more tenants.

Base Use Case

A user who only manages users: you log in as a tenant manager, see only the user panels, and all searches etc. are scoped to your tenant or tenants.

Use Cases

  • [ ] Use case A: I want to assign a single user to manage the users and applications in a single tenant.
    • Use existing admin UI, no theming capability.
  • [ ] Use case B: I want to assign a single user to manage the users and applications in one to many tenants.
    • Use existing admin UI, no theming capability.

Alternatives/workarounds

A tenant manager could be created today if you use the APIs directly without the FusionAuth UI. This would be accomplished by assigning an API key to a tenant and providing that API key to a tenant manager.

Additional context

  • Request from StackOverflow ( https://stackoverflow.com/questions/55118726/can-a-user-manager-be-limited-to-manage-only-users-of-certain-groups)

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

robotdan avatar Mar 14 '19 23:03 robotdan

I'll just elaborate a bit on the use case I have:

In a major project like ours there will be more than one person responsible for account administration. It is delegated to admins in each organization that is part of the project.

Each organization will have an appointed account administrator that handles the account admin process for the individuals in that organization.

In our case the different organizations that are part of the project are commercial companies that are competitors. So as an account admin, having admins in a competing company see which accounts I register is a complete show-stopper for FusionAuth.

JesperWe avatar Mar 15 '19 06:03 JesperWe

I was actually searching for a way in the FusionAuth UI to assign the user_manager role to a user in the tenant that I had just created before seeing this issue. I read on your website that FusionAuth was designed for a single-tenant architecture, but there are ways to create a multi-tenant architecture with the UI.

The use case I have is that I wanted to create one tenant per company, so that a company can have its own users, groups, applications and roles. The most important thing is that one of these users is a user_manager only for his tenant.

That way, my company can supervise all the tenants and each company can manage its own users. The final goal was to give them access to our FusionAuth so that they can do everything they want with the users in their tenant.

Obviously the problem here is that the user manager doesn't have to see the users of the other tenants. The only solution I have for now is to make one FusionAuth instance for every company (FusionAuth is simple to deploy so it should be quick) or use the API.

Following the issue because, even if there are workarounds, it could be a useful feature.

sseBmoT avatar Aug 08 '19 09:08 sseBmoT

We would like that specific users of a tenant (e.g. with an administrative role) can manage all the users within that (and only that) tenant. They would manage their users in the FusionAuth User Management UI.

markschmid avatar Sep 03 '19 10:09 markschmid

Thanks @sseBmoT and @markschmid for the feedback, those are both great examples of the use case we'd like to solve with this feature.

This feature hasn't made it to the top of the list yet, we've been swamped with other custom work and professional services engagements.

The upvotes help us to prioritize what is next, so thank you for voting! If you run into a roadblock with a feature such as this and are interested in expediting a feature feel free to contact us through the FusionAuth website and we can review costs and timelines with you.

Thanks!

> Obviously the problem here is that the user manager doesn't have to see the users of the other tenants. The only solution I have for now is to make one FusionAuth instance for every company (FusionAuth is simple to deploy so it should be quick) or use the API.

Another option is to custom build the features you'd like each user manager to have access to and build those using the FusionAuth API. Our entire UI is built upon our own API to ensure others can replicate our work. This is far from ideal, and requires some additional coding on your end, but it is possible if you have the resources to build this.

robotdan avatar Sep 03 '19 12:09 robotdan
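The two workarounds mentioned so far (a per-tenant API key handed to a tenant manager, from the issue body, and a custom layer built on the FusionAuth API, from the reply above) fit together as one small server-side shim. The code below is an added example written for this page; it is not FusionAuth's code and was not posted by anyone in the thread. It uses the real FusionAuth conventions of passing the API key in the `Authorization` header, the `X-FusionAuth-TenantId` header, `POST /api/user/search` and the combined `POST /api/user/registration` call. Everything else is assumed: the `TenantScopedUserApi` and `Transport` names, the placeholder tenant ids and keys, the constructed `SAMPLE_USERS` data, the `fake_fusionauth` stand-in that replaces a live instance, and the `FUSIONAUTH_ADMIN_APP_ID` constant, which you should verify against your own instance.

```python
"""Tenant-scoped user-management shim in front of the FusionAuth API.

Added example, not FusionAuth's own code. The per-tenant key never leaves the
backend; the tenant manager authenticates to your own app, and this shim
decides which FusionAuth tenant (if any) a request may touch.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Set

# Assumption: the fixed id of the FusionAuth admin application (verify under
# Applications in your instance). A registration to it is what grants UI roles
# such as admin, so the shim never lets a tenant manager create one.
FUSIONAUTH_ADMIN_APP_ID = "3c219e58-ed0e-4b18-ad48-f4f92793ae32"

# Transport signature is this example's own: (method, url, headers, json_body) -> (status, json)
Transport = Callable[[str, str, Dict[str, str], Any], tuple]


class TenantScopeError(PermissionError):
    """A manager tried to reach a tenant they are not assigned to, or to escalate."""


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Any) -> tuple:
    """Real HTTP transport (unused by the offline demo below)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


@dataclass
class TenantScopedUserApi:
    base_url: str
    tenant_keys: Dict[str, str]           # tenant id -> API key created scoped to that tenant
    manager_tenants: Dict[str, Set[str]]  # manager id (from your session) -> tenants they may manage
    transport: Transport = field(default=urllib_transport)

    def _headers(self, tenant_id: str) -> Dict[str, str]:
        # FusionAuth takes the raw API key in Authorization. The tenant header is
        # redundant for a tenant-scoped key but makes any mismatch fail closed.
        return {"Authorization": self.tenant_keys[tenant_id],
                "X-FusionAuth-TenantId": tenant_id,
                "Content-Type": "application/json"}

    def _authorize(self, manager_id: str, tenant_id: str) -> None:
        if tenant_id not in self.manager_tenants.get(manager_id, set()) \
                or tenant_id not in self.tenant_keys:
            raise TenantScopeError(f"{manager_id} may not manage tenant {tenant_id}")

    def search_users(self, manager_id: str, tenant_id: str, query: str) -> list:
        """User Search API, always run under the caller's permitted tenant key."""
        self._authorize(manager_id, tenant_id)
        status, body = self.transport("POST", f"{self.base_url}/api/user/search",
                                      self._headers(tenant_id),
                                      {"search": {"queryString": query}})
        if status != 200:
            raise RuntimeError(f"FusionAuth returned {status}")
        return body.get("users", [])

    def create_user_with_registration(self, manager_id: str, tenant_id: str,
                                      user: dict, registration: dict) -> dict:
        """Combined create-user-and-registration call, minus the admin escalation path."""
        self._authorize(manager_id, tenant_id)
        if registration.get("applicationId") == FUSIONAUTH_ADMIN_APP_ID:
            raise TenantScopeError("registration to the FusionAuth admin app is refused")
        status, body = self.transport("POST", f"{self.base_url}/api/user/registration",
                                      self._headers(tenant_id),
                                      {"user": user, "registration": registration})
        if status != 200:
            raise RuntimeError(f"FusionAuth returned {status}")
        return body


# Constructed sample data for the offline demo (placeholder ids, not real UUIDs).
SAMPLE_USERS = {
    "tenant-a": [{"id": "u1", "email": "alice@a.example"}, {"id": "u2", "email": "bob@a.example"}],
    "tenant-b": [{"id": "u3", "email": "carol@b.example"}],
}


def fake_fusionauth(method: str, url: str, headers: Dict[str, str], body: Any) -> tuple:
    """Stand-in for FusionAuth that only answers for the tenant its key is bound to."""
    tenant = headers.get("X-FusionAuth-TenantId", "")
    if headers.get("Authorization") != f"key-for-{tenant}":
        return 401, {}
    if url.endswith("/api/user/search"):
        q = body["search"]["queryString"].lower()
        hits = [u for u in SAMPLE_USERS.get(tenant, []) if q == "*" or q in u["email"]]
        return 200, {"users": hits, "total": len(hits)}
    if url.endswith("/api/user/registration"):
        return 200, {"user": body["user"], "registration": body["registration"]}
    return 404, {}


def build_demo() -> TenantScopedUserApi:
    return TenantScopedUserApi(
        base_url="https://fusionauth.example",
        tenant_keys={"tenant-a": "key-for-tenant-a", "tenant-b": "key-for-tenant-b"},
        manager_tenants={"mgr-a": {"tenant-a"}, "mgr-ab": {"tenant-a", "tenant-b"}},
        transport=fake_fusionauth,
    )


if __name__ == "__main__":
    print([u["email"] for u in build_demo().search_users("mgr-a", "tenant-a", "*")])
```

The shim is where the tenant check lives, so a manager assigned to `tenant-a` cannot search or create in `tenant-b` even though both keys sit on the same backend, and the refusal of any registration to the admin application closes the "create yourself a global admin" route independently of whatever FusionAuth itself enforces for a tenant-scoped key. To use it against a live instance, drop the `transport` argument so the default `urllib_transport` is used and replace the placeholder tenant ids and keys with the real ones.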

@robotdan I'd like to add our use case as well. Because we are using Terraform to do all the app configuration, we want to limit access to users to be able to make configuration changes. To this end, we've put all of our application users on one tenant and our FusionAuth users on a separate tenant where we use Terraform to configure a limited set of users and application access. In this way, we get the benefits of Terraform's reviewed and approved change control on the FusionAuth application users, but each other application can manage their users through the API having access to users on that tenant.

What we'd like to do is have some dev and support users with the user_manager and user_deleter role for application support, but without giving them admin access to the FusionAuth application. As it is, a user with the user_manager role cannot modify its own permissions, but it can create another user with the global admin permission, so it's pretty easy to circumvent the security on that. There are a few ways of closing that up, but being able to specify a tenant on which the user can manage users would work for our case. As long as the system allows us to define the user in FusionAuth on the default tenant and be able to manage users on a different tenant.

Thanks, Grant

pendenga avatar Jan 13 '21 22:01 pendenga

Thanks for that detail @pendenga, that is helpful. This may not exactly fit for you, but we did just recently add some additional roles for user management that can be assigned to untrusted users.

See - https://github.com/FusionAuth/fusionauth-issues/issues/1027

robotdan avatar Jan 13 '21 22:01 robotdan

@robotdan that does help. It gets us most of what I'm after. Thanks!

pendenga avatar Jan 13 '21 23:01 pendenga

For anyone reading this in the future, the new roles are documented here: https://fusionauth.io/docs/v1/tech/core-concepts/roles/#fusionauth-application-roles

mooreds avatar Jan 13 '21 23:01 mooreds

Had someone reach out and ask about this use case today. In particular, they are a SaaS company and want to empower their customers to create users of their own. You can do that by building a UX with the FusionAuth APIs, but this role would allow for the administrative UX to serve the same purpose.

mooreds avatar Nov 24 '21 01:11 mooreds

Have had multiple customers bring this up as a desired feature in the past few weeks.

mooreds avatar Aug 01 '22 15:08 mooreds

+1

ebahsini avatar Aug 30 '22 11:08 ebahsini

We have the same requirement: we would like to be able to "fully delegate" administration of tenants (so they can create their own users, password rules, identity provider, setup branding/styles, etc).

FWIW this appears to be what Auth0 calls Tenant Admins: https://auth0.com/docs/get-started/tenant-settings/auth0-teams

lyricnz avatar Feb 07 '23 04:02 lyricnz

The feature would be very useful!

mbaev avatar Mar 31 '23 00:03 mbaev

@mbaev would you care to share any more details about your use case? Also, please upvote the issue if you get a chance.

mooreds avatar Apr 02 '23 02:04 mooreds

A tenant-scoped User Manager and Admin role would be extremely helpful for us. Currently, if we grant the User Manager role, it allows creating additional FusionAuth admin users (in the Default tenant), which we can't allow. As a work-around, we're using API keys, which allows tenant-scoping, but are more tedious to use vs the UI.

jon-at-advarra avatar Jul 12 '23 18:07 jon-at-advarra

@mooreds how could I miss your ask...

Sorry, sure!

Our case is the following: we're developing a multi-tenant platform where each tenant is an organization. We have resources scoped per tenant and everything is related to a tenant. Every tenant has a list of users. We have an internal service that is responsible for storing information about users and their permissions. We only store the email and name of a user so we can send them emails and such. We have internal methods implemented so users or admins can change users' names and emails.

Here's the problem: we have to have the internal service for internal needs, but we'd rather let tenant administrators manage their users. This is a minimal set of functionality that could be very helpful in our case!

mbaev avatar Mar 12 '24 13:03 mbaev