Skip to main content

Configure organizations

Cloud availabilityOSS availability

Configure via Console​

We'll go through the process of configuring the organizations feature via Logto Console (https://cloud.logto.io/).

Configure organization template​

Configuring organizations can be divided into two parts: setting up organization templates and creating and managing organizations.

First, navigate to the organization template in the left navigation menu. You will see that the organization template includes two parts: Organization Roles and Organization Permissions. An organization template defines shared access control policies (permissions and roles) for multiple organizations.

Create organization permission​

Organization permissions are a key part of organization templates. These permissions are designed specifically for organizations within your product. Here's how to manage them:

  • Find the organization permissions tab: Go to the "Organization permissions" tab to see your existing permissions.
  • Add, delete, and edit: You can easily add new organization permissions, delete ones you don't need, and edit existing permissions as required.
    Organization create permission

Create organization role​

Organization role list
Organization create role

Logto lets you define organization roles in a variety of ways to fit your system's structure:

1. Organization permissions only

  • When to use: You have separate user/system endpoints and organization endpoints.
  • Explanation: This is the simplest approach if you clearly divide API permissions from organization permissions. Your organization roles only include the organization permissions you defined.

2. API permissions only

  • When to use: User and organization access control are handled by the same endpoints.
  • Explanation: Choose this if you want to manage all permissions through API resources registered in Logto cloud.

3. Combining API and organization permissions

  • When to use: You have separate endpoints defined for your product, but some user roles require a mix of both user-level and organization-level permissions.
  • Explanation: This offers the most flexibility, but can also be the most complex to manage.

Organization role types​

Cloud availabilityOSS availability

Logto support two types of organization roles:

  • User: Roles that are assigned to users.
  • Machine-to-machine: Roles that are assigned to machine-to-machine applications.

Create and manage organizations​

In the organization list, you can create an organization and configure its details. On the organization details page, you can:

  1. Modify the organization's name and description.
  2. Add members and give them organization roles.
  3. Update a user's membership status.
  4. Delete the organization.
  5. Access a guide to understand more about organizations and the organization template.

Manage organization members​

Users can hold one or more roles. When adding members to an organization, you have the option to assign roles to multiple users at once. If you leave this assignment blank, the added users will not receive any roles.

In the user management tab -> user details page, you can see which organizations the user belongs to and what organization roles they have.

Manage organization machine-to-machine applications​

Cloud availabilityOSS availability

Machine-to-machine applications can also be added to organizations. You can assign roles to machine-to-machine applications in the same way you assign roles to users.

In the applications tab -> application details page, you can see which organizations the application associates with and what organization roles it has.

Require multi-factor authentication (MFA) for organization members​

Cloud availabilityOSS availability

You can require all members of an organization to enable MFA. This is a security measure to ensure that all members have an extra layer of protection when accessing the organization's resources.

To enable this feature, go to the organization details page and toggle the "Multi-factor authentication (MFA)" switch.

note

You'll need to enable at least one MFA method in order to make this feature work properly.

Once enabled, members without MFA configured will not be able to exchange organization access tokens until they set up MFA. Please note that:

  • This feature only checks if the user has MFA configured. It does not enforce users to use MFA when exchanging access tokens.
  • This feature does not limit what MFA methods users can use.

Configure via Management API​

Everything you can do in Console can also be done through Management API. This includes, but not limited to:

  1. Create, delete, or edit an organization.
  2. Manage organization template: create, delete, or edit organization permissions and roles.
  3. Add members to, or remove members from an organization.
  4. Assign or remove user's organization roles.
  5. Add machine-to-machine applications to, or remove machine-to-machine applications from an organization.
  6. Assign or remove machine-to-machine application's organization roles.

For a complete list of capabilities, please refer to our API references.

Example: Develop a platform or interface that enables your clients to manage identities within their organization​

A common scenario for your product involves having both admins and members. They will manage resources and identities at different levels.

RolePermissions
AdminAble to invite users to and remove users from the organization.
MemberOnly able to invite users to the organization.

So we can define the following organization template:

  • Organization permissions: invite:users, remove:users.
  • Organization roles:
    • admin with permissions invite:users and remove:users.
    • member with permission invite:users.

You can use POST /organization-scopes in Management API to create the organization permissions first, then use POST /organization-roles to create roles.

After organization template is set, you may also create two APIs in your service that call Management API under the hood for inviting and removing users in a specific organization. The APIs in your service should check organization access token to ensure the user has the right access. See Organization RBAC for details.

Organization-specific branding​

Cloud availabilityOSS availability

To dynamically show your client’s organization logo in the sign-in experience, you can upload the organization logos in the organization settings page. See Organization-specific logos for more details.