Skip to main content

Understand how organizations work

Organization​

Organization consists of a group of users (identities). It can represent the teams, business customers, and partner companies who can access to your application.

The introduction of an organization as an entity is important, as it not only groups users but also provides a context for tenant isolation in multi-tenant apps. To learn more about tenant isolation, check out our multi-tenant application best practice.

Organization member​

In Logto, a user who has the membership of an organization is referred to as an organization member (i.e. member) within that organization's context.

Organization member

Organization application​

Cloud availabilityOSS availability

Organization application refers to the machine-to-machine applications that are associated with an organization. Similar to organization members, organization applications are scoped within the context of an organization.

Once you associate an application with an organization, the application can be assigned organization roles. This is useful when you want to allow non-interaction access to organization resources.

note

Other types of applications do not support organization association and organization roles, as they are designed for user interaction.

Organization permission​

Organization permission refers to the authorization to perform an action in the context of organization. An organization permission should be represented as a meaningful string, also serving as the name and unique identifier.

For example, edit:resource.

Organization permission

Organization permissions are not meaningful without the context of an organization. For example, edit:resource in the context of organization org1 is different from edit:resource in the context of organization org2.

Organization role​

Organization role is a grouping of organization permissions or API permissions that can be assigned to users. The permissions must come from the predefined organization permissions.

Organization role

Organization roles are not meaningful without the context of an organization. For example, admin in the context of organization org1 is different from admin in the context of organization org2.

Can I assign API permissions to organization roles?

Yes, you can assign API permissions to organization roles. Logto offers the flexibility to manage your organization's roles effectively, allowing you to include both organization permissions and API permissions within those roles.

Organization template​

Organization template refers to a collection of organization permissions and roles that apply to every organization.

Think of a typical collaboration app, and they naturally share the same access control β€œtemplate” that defines access levels and what users can do in the organization. We call it "organization template” in Logto.

Let’s take an example to understand how everything connects:

John, Sarah are in different organizations with different roles in the context of different organizations.

Organization example with template

From this diagram, here are some info you need to know:

  1. John is affiliated with two organizations, using the email "[email protected]" as his unique identifier. He holds the position of admin in Organization A and is a guest in Organization B.
  2. Sarah is associated with a single organization and uses the email "[email protected]" as her unique identifier. She is the admin of Organization B.
  3. The roles of Admin, Member, and Guest are designated within organizations and these roles are consistent across various organizations.
  4. Additional roles can be created within the organization template settings. These newly created roles will be applied and shared across all organizations.
note

πŸ’‘ In Logto, the organization template serves as an access control model tailored for organizations. While it's based on the RBAC (role-based access control) model, it differs from the API resource RBAC feature.

When you need to design roles and permissions specific to an organization, use the organization template (organization RBAC).

You can use both organization RBAC and API resource RBAC in Logto, allowing a more robust approach to meet your specific business and product requirements. For details on API resource RBAC, refer to this section.

Managing identities in organizations​

The organization template in Logto is intended to secure isolated resources at the organizational level, ensuring users in different roles have the right access.

You may notice that the organization template doesn’t define identity management, such as which role can invite or remove users in an organization, since it varis for different products and business needs.

While we are working on a productized solution for organization idenitty management, you can use the Management API to tailor a solution. For detailed guidance on using the Management API for this, please refer to this section.