
feature request: multi tenancy, groups & permissions

Open kswzr opened this issue 2 years ago • 2 comments

Hello,

I want to use logto for a SaaS application, which handles multiple tenants.

We have predefined permissions, and groups. Each tenant should create their own groups, or modify our predefined one.

As I currently understand it, I need to:

  1. create for each new tenant in our system, a new tenant in logto.
  2. Provision our permissions & groups
  3. on global permission changes, reprovision all existing tenants in logto

Is that right?

Also, I don't really understand how to manage integrations to other OAuth applications, like Slack, Salesforce, etc.

Are there any instructions, or are these features missing, to use it for our cases?

Thanks!

kswzr · Mar 24 '23 13:03

Thanks for demonstrating the scenario. I would like to discuss several sections separately:

Multi-tenant

I would like to clarify whether you require identities to be isolated between tenants, as this could impact the approach taken.

For example, let's consider two tenants, A and B:

  • Isolated identities: An email address such as [email protected] would hold different user IDs between tenant A and B. This would require provisioning for each new tenant and reprovisioning on global permission changes.

  • Federated identities: In this case, the email address [email protected] would hold a universal user ID that allows the user to sign in to both tenant A and B, provided they have been assigned to these tenants. You can dynamically add or remove tenant access using Role-Based Access Control (RBAC). One approach could be to add a prefix [tenantId]: to all roles that indicate the permissions under [tenantId], for example, tenant-a:access.

While RBAC is a temporary solution, we are developing a new feature called "Organizations" that will allow for dynamic creation and management of organizations (or tenants) using predefined templates like roles and permissions, eliminating the need for reprovisioning after global changes.

Groups

It would be great to have more context on the intended use of groups. Will they be used for access control or simply for grouping users? Currently, Logto does not have a built-in concept of "groups," but you can use Custom Data to store and update group information.

OAuth integration

I would like to understand the relation between Logto and OAuth applications. Is Logto an Identity Provider in this case? I.e. Slack is a third-party application to Logto.

gao-sun · Mar 24 '23 14:03
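The "federated identities" option in the reply above, where one user ID holds roles prefixed with `[tenantId]:`, is easy to get subtly wrong on the enforcing side. The following is an added example (not Logto's code, and not a documented Logto API): it parses tenant-prefixed role names from a token, scopes permission checks to exactly one tenant, and shows the two checks a practitioner would want, namely that the tenant ID is matched as a whole segment rather than via `startsWith` (so `tenant-ab:admin` grants nothing in `tenant-a`), and that a role without a tenant prefix is rejected rather than silently treated as global. The `roles` claim name, the `access` permission and the sample token are assumptions for illustration.

```typescript
// Added example, not Logto's own code. Enforces per-tenant access for a
// federated user whose roles follow the "[tenantId]:[permission]" convention
// suggested in the thread (e.g. "tenant-a:access").

export type TenantRole = { tenantId: string; permission: string };

// Parse "tenant-a:invoices:read" into { tenantId: "tenant-a", permission: "invoices:read" }.
// Split on the FIRST colon only, so a permission may itself contain colons.
// Names without a tenant prefix (e.g. "global-admin") return null: they are
// never interpreted as granting something in every tenant.
export function parseTenantRole(role: string): TenantRole | null {
  const idx = role.indexOf(":");
  if (idx <= 0 || idx === role.length - 1) return null;
  const tenantId = role.slice(0, idx);
  const permission = role.slice(idx + 1);
  // Restrict tenant IDs to a safe charset so a crafted tenant name cannot
  // smuggle separators or whitespace into the prefix (assumed policy).
  if (!/^[a-z0-9-]+$/.test(tenantId)) return null;
  return { tenantId, permission };
}

// Minimal claim shape this example expects; "roles" is an assumed claim name,
// not a documented Logto token claim.
export interface TokenClaims {
  sub: string;
  roles: string[];
}

// Permissions the subject holds in exactly `tenantId`. Comparing the parsed
// tenantId (not String.prototype.startsWith on the raw role) is what keeps
// "tenant-ab:*" roles from leaking into "tenant-a".
export function permissionsForTenant(claims: TokenClaims, tenantId: string): Set<string> {
  const perms = new Set<string>();
  for (const raw of claims.roles) {
    const parsed = parseTenantRole(raw);
    if (parsed !== null && parsed.tenantId === tenantId) perms.add(parsed.permission);
  }
  return perms;
}

// Tenant membership is modelled as the "access" permission, as in the thread.
export function canAccessTenant(claims: TokenClaims, tenantId: string): boolean {
  return permissionsForTenant(claims, tenantId).has("access");
}

// A specific permission only counts when the user is also a member of the tenant,
// so a stray "tenant-x:admin" role without "tenant-x:access" grants nothing.
export function hasPermission(claims: TokenClaims, tenantId: string, permission: string): boolean {
  const perms = permissionsForTenant(claims, tenantId);
  return perms.has("access") && perms.has(permission);
}

// Constructed sample token: one federated user who is an admin in tenant-a,
// a plain member of tenant-b, and carries two roles that must be ignored
// (a lookalike tenant prefix and an unprefixed "global" role).
export const sampleClaims: TokenClaims = {
  sub: "user_123",
  roles: [
    "tenant-a:access",
    "tenant-a:invoices:read",
    "tenant-a:admin",
    "tenant-b:access",
    "tenant-ab:admin",
    "global-admin",
  ],
};

console.log("tenant-a access:", canAccessTenant(sampleClaims, "tenant-a"));
console.log("tenant-b admin:", hasPermission(sampleClaims, "tenant-b", "admin"));
console.log("tenant-ab access:", canAccessTenant(sampleClaims, "tenant-ab"));
```

When Logto later moves these roles into Organizations, the same check keeps working if the organization ID replaces the `tenant-a` prefix; the important property to preserve is that the tenant segment is compared as a whole value after parsing, never as a string prefix.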

@gao-sun Coming from Keycloak and Azure AD, they both use "Groups" as a collection of users: e.g. "Department 1", "Team ABC", etc.

Both offer the ability to assign "roles" or individual permissions to both, users and groups. Having groups would reduce the management overhead a lot for larger tenants. A set of existing groups could be imported from SSO (when available), and assigned to specific roles.

StefanOverHaevgRZ · Jul 12 '23 06:07

The Organizations feature has been officially released and should have fulfilled this request. Please check our documentation for more details: https://docs.logto.io/docs/recipes/organizations/

charIeszhao · Jan 15 '24 03:01