Understand how organizations work
Organizationβ
Organization consists of a group of users (identities). It can represent the teams, business customers, and partner companies who can access to your application.
The introduction of an organization as an entity is important, as it not only groups users but also provides a context for tenant isolation in multi-tenant apps. To learn more about tenant isolation, check out our multi-tenant application best practice.
Organization memberβ
In Logto, a user who has the membership of an organization is referred to as an organization member (i.e. member) within that organization's context.
Organization permissionβ
Organization permission refers to the authorization to perform an action in the context of organization. An organization permission should be represented as a meaningful string, also serving as the name and unique identifier.
For example, edit:resource
.
Organization permissions are not meaningful without the context of an organization. For example, edit:resource
in the context of organization org1
is different from edit:resource
in the context of organization org2
.
Organization roleβ
Organization role is a grouping of organization permissions or API permissions that can be assigned to users. The permissions must come from the predefined organization permissions.
Organization roles are not meaningful without the context of an organization. For example, admin
in the context of organization org1
is different from admin
in the context of organization org2
.
Can I assign API permissions to org roles?
Yes, you can assign API permissions to organization roles. Logto offers the flexibility to manage your organization's roles effectively, allowing you to include both organization permissions and API permissions within those roles.
Organization templateβ
Organization template refers to a collection of organization permissions and roles that apply to every organization.
Think of a typical collaboration app, and they naturally share the same access control βtemplateβ that defines access levels and what users can do in the organization. We call it "organization templateβ in Logto.
Letβs take an example to understand how everything connects:
John, Sarah are in different organizations with different roles in the context of different organizations.
From this diagram, here are some info you need to know:
- John is affiliated with two organizations, using the email "john@email.com" as his unique identifier. He holds the position of
admin
inOrganization A
and is aguest
inOrganization B
. - Sarah is associated with a single organization and uses the email "sarah@email.com" as her unique identifier. She is the
admin
ofOrganization B
. - The roles of
Admin
,Member
, andGuest
are designated within organizations and these roles are consistent across various organizations. - Additional roles can be created within the organization template settings. These newly created roles will be applied and shared across all organizations.
π‘ In Logto, the organization template serves as an access control model tailored for organizations. While it's based on the RBAC (role-based access control) model, it differs from the API resource RBAC feature.
When you need to design roles and permissions specific to an organization, use the organization template (organization RBAC).
You can use both organization RBAC and API resource RBAC in Logto, allowing a more robust approach to meet your specific business and product requirements. For details on API resource RBAC, refer to this section.
Managing identities in organizationsβ
The organization template in Logto is intended to secure isolated resources at the organizational level, ensuring users in different roles have the right access.
You may notice that the organization template doesnβt define identity management, such as which role can invite or remove users in an organization, since it varis for different products and business needs.
While we are working on a productized solution for organization idenitty management, you can use the Management API to tailor a solution. For detailed guidance on using the Management API for this, please refer to this section.