I have come across a scenario that needs a user to be assigned different role for each organization. When the user logs into the system, based on the organization they want to access (specified through the url or through requested scopes), I want to update scopes to limit to the permissions assigned to the role of that organization.
I have looked at “Authorization Extension” which has groups and I initially thought of using groups for each organization, but each organization cannot be assigned roles; instead I need to maintain one group for each “organization-role”. The problem soon becomes a maintenance nightmare when I start updating permissions of a role, where I have to update permissions for each organization role. I also have some customization in terms of allowing users of certain organizations to have access to any organization.
To make it easier and get the initial workflow working, I set the scopes for each organization on the user's app_metadata and, based on the requested organization, I set the appropriate scopes. The problem with updating the role permissions comes back to bite in this case as well, where any time I update permissions on the role, I end up having to update all users with the role with the latest set of permissions.
Ideally I would like to assign a user a role for a specific organization in the user's app_metadata and, at runtime, pull the scopes that apply to the role and update the user's scopes in a rule. All this will become easier if I have access to the Management API from within a rule.
Here are the earlier posts I’ve referred to, which are left unanswered.
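The design the post is asking for (store only an organization-to-role mapping on the user, keep the role-to-permission table in one place, and compute the token scopes at login) can be expressed as a small pure function plus a thin rule-style wrapper. The following is an added example, not code from the post or from Auth0; the `org_roles` and `any_org_role` keys in `app_metadata`, the `org` query parameter, the `ROLE_PERMISSIONS` table and the custom claim name `https://example.com/org` are all assumed for illustration. The wrapper uses the Auth0 rule shape `(user, context, callback)` and sets `context.accessToken.scope`; in a real rule the permission table would be loaded from the authorization store or the Management API rather than hard-coded, and a failed lookup would be reported with the rule runtime's `UnauthorizedError` instead of a plain `Error`.

```javascript
// Constructed role -> permission table. Changing a role's permissions here
// changes every user holding that role, in every organization, with no
// per-user update (the maintenance problem described in the post).
const ROLE_PERMISSIONS = {
  admin:  ["read:reports", "write:reports", "manage:users"],
  editor: ["read:reports", "write:reports"],
  viewer: ["read:reports"],
};

// Resolve the scopes a user may receive for one organization.
//   appMetadata.org_roles   : { "<orgId>": "<role>" }        (assumed key)
//   appMetadata.any_org_role: "<role>" granting access to any org (assumed key)
// Returns { ok, role, org, scopes } or { ok:false, reason, scopes:[] }.
function resolveScopes(appMetadata, requestedOrg, requestedScopes, rolePermissions = ROLE_PERMISSIONS) {
  const meta = appMetadata || {};
  const orgRoles = meta.org_roles || {};

  if (!requestedOrg) {
    return { ok: false, reason: "no organization requested", scopes: [] };
  }

  // Per-organization role wins; the "any organization" override is the
  // fallback for the privileged users mentioned in the post.
  const role = orgRoles[requestedOrg] || meta.any_org_role || null;
  if (!role) {
    return { ok: false, reason: `no role for organization ${requestedOrg}`, scopes: [] };
  }

  // Unknown role names yield no permissions rather than throwing, so a typo
  // in app_metadata fails closed.
  const allowed = rolePermissions[role] || [];

  // If the client asked for specific scopes, only grant the intersection with
  // what the role allows; otherwise grant everything the role allows.
  // (OIDC scopes such as openid/profile are not in the table and would be
  // dropped here; handle them separately if the client needs them.)
  const scopes = requestedScopes && requestedScopes.length
    ? requestedScopes.filter((s) => allowed.includes(s))
    : allowed.slice();

  return { ok: true, role, org: requestedOrg, scopes };
}

// Rule-style wrapper (Auth0 rule signature; wiring is an assumption).
// Reads the organization from the ?org= query parameter and the requested
// scopes from ?scope=, then rewrites the access token scopes.
function orgScopeRule(user, context, callback) {
  const query = (context.request && context.request.query) || {};
  const requestedOrg = query.org || null;
  const requestedScopes = query.scope ? String(query.scope).split(" ").filter(Boolean) : [];

  const result = resolveScopes(user.app_metadata, requestedOrg, requestedScopes);
  if (!result.ok) {
    // In a real Auth0 rule: callback(new UnauthorizedError(result.reason))
    return callback(new Error(result.reason));
  }

  context.accessToken = context.accessToken || {};
  context.accessToken.scope = result.scopes;
  // Namespaced custom claim so the API knows which organization the token is for.
  context.accessToken["https://example.com/org"] = result.org;
  return callback(null, user, context);
}

// Stand-alone demonstration with constructed input.
if (typeof require !== "undefined" && require.main === module) {
  const user = { app_metadata: { org_roles: { acme: "editor" }, any_org_role: undefined } };
  const context = { request: { query: { org: "acme", scope: "read:reports manage:users" } }, accessToken: {} };
  orgScopeRule(user, context, (err, u, ctx) => {
    console.log(err ? `denied: ${err.message}` : `granted: ${ctx.accessToken.scope.join(" ")}`);
  });
}
```

Because the token is recomputed on every login from the single `ROLE_PERMISSIONS` table, a permission change takes effect at the next token issuance without touching any user record; the rule also fails closed when the requested organization has no mapping for the user.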