Skip to main content

Configure organizations

Configure via Consoleโ€‹

We'll go through the process of configuring the organizations feature via Logto Console (https://cloud.logto.io/).

Configure organization templateโ€‹

Configuring organizations can be divided into two parts: setting up organization templates and creating and managing organizations.

First, navigate to the organization template in the left navigation menu. You will see that the organization template includes two parts: Organization Roles and Organization Permissions. An organization template defines shared access control policies (permissions and roles) for multiple organizations.

Adding members and assigning organization rolesโ€‹

Users can hold one or more roles. When adding members to an organization, you have the option to assign roles to multiple users at once. If you leave this assignment blank, the added users will not receive any roles.

In the user management section, on the user detail page, you can see which organizations the users belong to and what organization roles they have.

Configure via Management APIโ€‹

Everything you can do in Console can also be done through Management API. This includes, but not limited to:

  1. Create, delete, or edit an organization.
  2. Add users to the organization.
  3. Remove users from the organization.
  4. Manage organization template:
  • Add, delete, or edit organization roles.
  • Add, delete, or edit organization permissions.
  1. Assign or remove user's organization roles.

For a complete list of capabilities, please refer to our API references.

Example: Develop a platform or interface that enables your clients to manage identities within their organizationโ€‹

A common scenario for your product involves having both admins and members. They will manage resources and identities at different levels.

RolePermissions
AdminAble to invite users to and remove users from the organization.
MemberOnly able to invite users to the organization.

So we can define the following organization template:

  • Organization permissions: invite:users, remove:users.
  • Organization roles:
    • admin with permissions invite:users and remove:users.
    • member with permission invite:users.

You can use POST /organization-scopes in Management API to create the organization permissions first, then use POST /organization-roles to create roles.

After organization template is set, you may also create two APIs in your service that call Management API under the hood for inviting and removing users in a specific organization. The APIs in your service should check organization access token to ensure the user has the right access. See Organization RBAC for details.