I am trying to set up a scenario where there are "Group managers" that are responsible for creation and maintenance of accounts within the group, but that have no access to (can't even see) accounts not belonging to the group.

I am not succeeding, partly maybe because I can't find any description in the docs of what the built-in roles (user_manager, user_deleter, etc.) actually do.

My main issue is that regardless of whether I assign users to different groups or to different tenants, any user with user_manager will see and be able to edit all users in all groups/tenants.

Ideas on how to accomplish this would be welcome.

Jesper We

1 Answer

FusionAuth does not currently support this scenario within the FusionAuth UI. Anyone with the admin or user_manager role, for example, will be able to see all users in all tenants.

You could build these types of management operations outside of the FusionAuth UI using the APIs, and then, if each tenant manager were assigned an API key scoped to their tenant, this would ensure they could not see users outside of their own tenant. There is an example of this in the Tenant Tutorial in the FusionAuth docs.

The Group concept in FusionAuth is under a Tenant. The Group is mainly used to logically "group" users, or to dynamically assign roles across one-to-many applications via group membership.

The Tenant Manager idea within the FusionAuth UI is on the roadmap; we are still identifying the complete use case and solution to the problem. If this is something you're interested in, please open a Feature on the FusionAuth Issues page and we can track the requirement and resolution there.

robotdan

  • Thanks for letting me know. I would suggest adding these clarifications to the docs, and also some descriptions of the predefined roles. I will try to write a clear use case for a feature issue. – Jesper We Mar 14 '19 at 19:49
  • Thanks @JesperWe, I've opened an issue to document these roles and to provide clarification on how they should be used. https://github.com/FusionAuth/fusionauth-issues/issues/90 – robotdan Mar 14 '19 at 23:11
  • I opened a feature request for you, please add comments if I have not covered your use case in the issue description. https://github.com/FusionAuth/fusionauth-issues/issues/91 – robotdan Mar 14 '19 at 23:18
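The tenant-scoped API key approach from the answer above, as an added example (not FusionAuth's own code nor the Tenant Tutorial's): a small server-side layer that holds one API key per tenant, maps each group manager to exactly one tenant, and refuses cross-tenant requests before they are sent. It uses FusionAuth's real POST /api/user/search endpoint and the Authorization and X-FusionAuth-TenantId headers; the tenant ids, keys, manager accounts, users and the offline FusionAuth stand-in are constructed sample data.

```python
"""Tenant-scoped user lookups outside the FusionAuth UI (added example, not
FusionAuth's code). Uses FusionAuth's real POST /api/user/search endpoint,
Authorization (API key) and X-FusionAuth-TenantId headers; all ids, keys,
accounts and the offline FusionAuth stand-in are constructed sample data."""
import json

# Constructed: one API key per tenant, each created in FusionAuth with its
# Tenant field set. Keys stay server-side; a group manager never holds one.
TENANT_API_KEYS = {"tenant-a-uuid": "key-for-tenant-a",
                   "tenant-b-uuid": "key-for-tenant-b"}
# Constructed: the single tenant each group manager may administer.
MANAGER_TENANT = {"alice@example.com": "tenant-a-uuid",
                  "bob@example.com": "tenant-b-uuid"}


def build_search_request(manager, tenant_id, query, base_url="http://localhost:9011"):
    """Return (url, headers, body) for a search on the manager's behalf.
    First fence: refuse here if the manager asks for a tenant that is not
    theirs. Second fence: the tenant-scoped key, enforced by FusionAuth."""
    if MANAGER_TENANT.get(manager) != tenant_id:
        raise PermissionError(f"{manager} may not administer tenant {tenant_id}")
    headers = {"Authorization": TENANT_API_KEYS[tenant_id],
               "X-FusionAuth-TenantId": tenant_id,
               "Content-Type": "application/json"}
    body = json.dumps({"search": {"queryString": query, "numberOfResults": 25}})
    return f"{base_url}/api/user/search", headers, body


def search_users(manager, tenant_id, query, send):
    """Run the search; send(url, headers, body) is the HTTP transport."""
    return send(*build_search_request(manager, tenant_id, query))


# Constructed offline stand-in for FusionAuth: as with the real server, a
# tenant-scoped key only returns users of the tenant it was created in.
FAKE_USERS = [{"email": "u1@a.example", "tenantId": "tenant-a-uuid"},
              {"email": "u2@b.example", "tenantId": "tenant-b-uuid"}]
KEY_TENANT = {key: tenant for tenant, key in TENANT_API_KEYS.items()}


def fake_fusionauth(url, headers, body):
    tenant = KEY_TENANT.get(headers.get("Authorization"))
    if tenant is None or headers.get("X-FusionAuth-TenantId") != tenant:
        return {"status": 401, "users": []}
    return {"status": 200,
            "users": [u for u in FAKE_USERS if u["tenantId"] == tenant]}


if __name__ == "__main__":
    print(search_users("alice@example.com", "tenant-a-uuid", "*", fake_fusionauth))
```

Against a real instance, replace fake_fusionauth with a transport that POSTs the body to the returned URL with the returned headers; the manager-to-tenant check still runs first, so a bug in key handling cannot widen a manager's view beyond their tenant.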