Define which organizations can access app

I have multiple organizations and multiple applications all within one tenant.
I am trying to only allow certain organization to access certain apps.
I can’t find a way to do so, is it possible?

Hi @eric.krief, application entitlement can be achieved using a Post-Login Action.

You can see the organization parameters that are exposed in the event object when an end-user is logging in with an Organization here: Actions Triggers: post-login - Event Object.

You could use a list of Organization IDs to gate access, or use organization metadata for a more maintainable approach… I added an example starting point below.

/**
 * @param {Event} event - Details about the user and the context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
 */
exports.onExecutePostLogin = async (event, api) => {
  if (event.client.name === "Protected App") {
    // event.organization is only present when the user logged in through an Organization,
    // so the whole condition is negated: deny unless the org exists and has paid metadata.
    if (!(event.organization && event.organization.metadata && event.organization.metadata["subscription"] === "paid")) {
      api.access.deny("Access to this application requires a paid subscription.");
    }
  }
};
1 Like

Hi Adam, thanks for the quick reply!
Would you consider this approach secure?

Hi @eric.krief,

I can tell you that (at the time of writing this) the only time the organization object will be present on the event is when:

  1. An end-user has successfully authenticated with a connection that is enabled for the provided organization and
  2. The end-user is either a member of the organization or the enabled_connection has auto-membership defined.

“Secure” depends on a lot of factors so I recommend taking a holistic approach to defining what is and isn’t acceptable for your use-case, and also taking a look at our docs: Secure.

1 Like
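One way to combine the two approaches from the first reply (an allow-list of Organization IDs per application plus organization metadata) while handling the case from the second reply where event.organization is absent. This is an added example, not code from the thread or from Auth0; the client_id and organization IDs are placeholders, and the policy sits in its own function so it can be tested without the api object.

```javascript
// Constructed allow-list: which Organization IDs may reach which application.
// Keyed by client_id rather than client name, since names can be renamed.
// All IDs are placeholders; real values come from the Auth0 dashboard.
const ALLOWED_ORGS_BY_CLIENT = {
  CLIENT_ID_PLACEHOLDER: new Set(["org_PLACEHOLDER_A", "org_PLACEHOLDER_B"]),
};

// Pure policy function: returns null when access is allowed, otherwise the
// reason to deny. Keeping it separate from the Action makes it unit-testable.
function denialReason(event) {
  const clientId = event.client && event.client.client_id;
  const allowed = ALLOWED_ORGS_BY_CLIENT[clientId];
  if (!allowed) return null; // this application is not gated by the policy

  // Per the thread, event.organization is only set when the user authenticated
  // through an Organization they belong to; treat its absence as a denial.
  const org = event.organization;
  if (!org) return "This application requires logging in through an Organization.";
  if (!allowed.has(org.id)) return "Your organization is not entitled to this application.";

  // Metadata gate on top of the allow-list, as in the starting-point example.
  const meta = org.metadata || {};
  if (meta.subscription !== "paid") return "Access to this application requires a paid subscription.";
  return null;
}

const onExecutePostLogin = async (event, api) => {
  const reason = denialReason(event);
  if (reason) api.access.deny(reason);
};
exports.onExecutePostLogin = onExecutePostLogin;
```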

Thank you Adam for helping us on this front!