Skip to main content

Configure organizations

Configure via Consoleโ€‹

We'll go through the process of configuring the organizations feature via Logto Console (https://cloud.logto.io/).

Configure organization templateโ€‹

Configuring organizations can be divided into two parts: setting up organization templates and creating and managing organizations.

First, navigate to the organization template in the left navigation menu. You will see that the organization template includes two parts: Organization Roles and Organization Permissions. An organization template defines shared access control policies (permissions and roles) for multiple organizations.

Create organization permissionโ€‹

Organization permissions are a key part of organization templates. These permissions are designed specifically for organizations within your product. Here's how to manage them:

  • Find the org permissions tab: Go to the "org permissions" tab to see your existing permissions.
  • Add, delete, and edit: You can easily add new organization permissions, delete ones you don't need, and edit existing permissions as required.
    Organization create permission

Create organization roleโ€‹

Organization role list
Organization create role

Logto lets you define organization roles in a variety of ways to fit your system's structure:

1. Organization permissions only

  • When to use: You have separate user/system endpoints and organization endpoints.
  • Explanation: This is the simplest approach if you clearly divide API permissions from organization permissions. Your organization roles only include the organization permissions you defined.

2. API permissions only

  • When to use: User and organization access control are handled by the same endpoints.
  • Explanation: Choose this if you want to manage all permissions through API resources registered in Logto cloud.

3. Combining API and organization permissions

  • When to use: You have separate endpoints defined for your product, but some user roles require a mix of both user-level and organization-level permissions.
  • Explanation: This offers the most flexibility, but can also be the most complex to manage.

Create and manage organizationsโ€‹

In the organization list, you can create an organization and configure its details. On the organization details page, you can:

  1. Modify the organization's name and description.
  2. Add members and give them organization roles.
  3. Update a user's membership status.
  4. Delete the organization.
  5. Access a guide to understand more about organizations and the organization template.

Adding members and assigning organization rolesโ€‹

Users can hold one or more roles. When adding members to an organization, you have the option to assign roles to multiple users at once. If you leave this assignment blank, the added users will not receive any roles.

In the user management section, on the user detail page, you can see which organizations the users belong to and what organization roles they have.

Configure via Management APIโ€‹

Everything you can do in Console can also be done through Management API. This includes, but not limited to:

  1. Create, delete, or edit an organization.
  2. Add users to the organization.
  3. Remove users from the organization.
  4. Manage organization template:
  • Add, delete, or edit organization roles.
  • Add, delete, or edit organization permissions.
  1. Assign or remove user's organization roles.

For a complete list of capabilities, please refer to our API references.

Example: Develop a platform or interface that enables your clients to manage identities within their organizationโ€‹

A common scenario for your product involves having both admins and members. They will manage resources and identities at different levels.

RolePermissions
AdminAble to invite users to and remove users from the organization.
MemberOnly able to invite users to the organization.

So we can define the following organization template:

  • Organization permissions: invite:users, remove:users.
  • Organization roles:
    • admin with permissions invite:users and remove:users.
    • member with permission invite:users.

You can use POST /organization-scopes in Management API to create the organization permissions first, then use POST /organization-roles to create roles.

After organization template is set, you may also create two APIs in your service that call Management API under the hood for inviting and removing users in a specific organization. The APIs in your service should check organization access token to ensure the user has the right access. See Organization RBAC for details.