Organization management
When developing a multi-tenant app, a common scenario is to have a platform for your organization members to self-manage their organization resources.
Let’s still take the basic organization setup that contains both an admin role and normal member role as an example.
| Role | Permissions |
|---|---|
| Admin | Manage organization members in the organization, e.g. invite, update member role, delete member, etc. Manage organization info, e.g., update organization name and custom data, delete organization, etc. |
| Member | Only able to invite users to the organization. |
So we can define the following organization template:
After organization template is set, you may also create a bunch of APIs in your service that call Management API under the hood to perform management actions in a specific organization. The APIs in your service should validate the organization token to ensure the user has the required permissions.
Examples of user self-manage their own organizations
Here are a list of things you can let your users do in your multi-organization app:
Let everyone invite members:
You can have both the admin and member users to invite others into the organization. Check this documentation for details about inviting member.
Admin can modify member roles:
The admin can have the privilege to modify other members’ roles. And admin can create more specific roles for the organization, such as department lead, project manager, coordinator, etc. This can be implemented with these Management APIs:
curl \
-X POST https://[tenant_id].logto.app/api/organizations/{id}/users/{userId}/roles \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"organizationRoleIds":["admin"]}'
Or in a bulk way:
curl \
-X POST https://[tenant_id].logto.app/api/organizations/{id}/users/roles \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"userIds":["userId1", "userId2"],"organizationRoleIds":["admin"]}'
Add bots to organization
You can also implement the feature to allow admin users to add bots to a specific organization. This can be done by creating Machine-to-Machine (M2M) apps first, and then adding these M2M apps to organizations as bots.
curl \
-X POST https://[tenant_id].logto.app/api/organizations/{id}/applications \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"applicationIds":["botAppId"]}'
Then you can also assign organization roles to these bots.
curl \
-X POST https://[tenant_id].logto.app/api/organizations/{id}/applications/roles \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"applicationIds":["botApp1"],"organizationRoleIds":["botRoleId"]}'
Unlock more possibilities with Management API
The examples above are just a few of the many possibilities you can achieve with Management API. Check out the full list of Logto Management API endpoints and see what else you can do with them:
Fetch organizationsFetch organization scopes
Fetch organization role
Fetch organization invitations