Fine grained application access - best approach?

We have a single sign on requirement where we want fine grained programmatic control over access to SPA applications with their own APIs.

When we create a user we want to set which application(s) it has access to.

In some instances an admin account will have access to all applications, whereas some users will only have access to one application. It looks like there is no way of specifying which applications a user has access to through the Management API.

What's the best way of achieving this?

Connections:
These look like they are only useful when tying a user to a set of applications, and you can only have one connection per user. Given the number of applications we will have, it's not practical to have a connection for every combination of applications a user may need access to.

Tenants:
This won’t work as we will have a large number of applications and want to share users between them.

Claims:
We could store the list of applications the user has in AppMetadata (Apps['app1', 'app2', 'app3']), then use a rule to turn these into claims which we then check on the API side. This might be the best solution?

Roles:
Create a permission for the API (access:allowed), then create a role (App1Access) and add the 'access:allowed' permission. We can then use the Assign User Roles endpoint to set those up.

None of these options feels quite right - are we missing something?

Regards

Steve

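The "Claims" and "Roles" options in the post above, sketched as an added example (not code from the thread or from Auth0). The first function has the (user, context, callback) shape of an Auth0 rule and copies app_metadata.apps into a namespaced custom claim; the second is the check an API performs on an already-verified access token; the third is the equivalent check for the RBAC approach, where Auth0 puts the user's permissions in a `permissions` claim once "Add Permissions in the Access Token" is enabled for the API. The namespace URL, the `apps` key and the sample user are assumptions for illustration.

```javascript
// Added example, not part of the original thread.
// Assumptions: the claim namespace below is hypothetical (Auth0 requires custom
// claims to be namespaced), and app_metadata.apps is the key chosen in the post.
const NAMESPACE = "https://example.com/";
const APPS_CLAIM = NAMESPACE + "apps";

// Rule-style function with the Auth0 rule signature. It runs at login for every
// application; the decision is deferred to the API that reads the claim.
function addAppsClaim(user, context, callback) {
  const apps =
    user.app_metadata && Array.isArray(user.app_metadata.apps)
      ? user.app_metadata.apps
      : [];
  context.accessToken[APPS_CLAIM] = apps;
  return callback(null, user, context);
}

// API-side check for the "Claims" approach. `payload` is the JWT payload AFTER your
// JWT library has verified signature, issuer, audience and expiry. `appId` is the
// application this API serves. A missing or malformed claim denies: never treat
// "no claim" as "all apps".
function tokenAllowsApp(payload, appId) {
  const apps = payload[APPS_CLAIM];
  if (!Array.isArray(apps)) return false;
  return apps.includes(appId);
}

// API-side check for the "Roles" approach: one permission per API (e.g.
// access:allowed), granted through a per-app role. Deny unless the exact string
// is present in the `permissions` array.
function tokenHasPermission(payload, permission) {
  const perms = payload.permissions;
  return Array.isArray(perms) && perms.includes(permission);
}

// Constructed sample login: a user who has been granted app1 and app2.
function demo() {
  const user = {
    user_id: "auth0|steve",
    app_metadata: { apps: ["app1", "app2"] },
  };
  const context = { accessToken: {} };
  let issuedClaims;
  addAppsClaim(user, context, (err, u, ctx) => {
    issuedClaims = ctx.accessToken;
  });
  // What the API would see after verification (only the claims matter here).
  const payload = {
    sub: user.user_id,
    ...issuedClaims,
    permissions: ["access:allowed"],
  };
  return {
    app1: tokenAllowsApp(payload, "app1"), // true
    app3: tokenAllowsApp(payload, "app3"), // false
    noClaim: tokenAllowsApp({ sub: "x" }, "app1"), // false: claim absent
    perm: tokenHasPermission(payload, "access:allowed"), // true
  };
}
```

Both checks sit behind standard JWT validation; the claim or permission only tells the API which application the user may reach, not whether the token itself is trustworthy. A string value where an array is expected is rejected rather than coerced, so a misconfigured rule fails closed.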

Hey there @stephen.adam, I apologize for the delay in response!

We are actually in the initial steps of putting some documentation together on this front that should be available in the future.

I would love to find out more details from you on why using roles, i.e. Role Based Access Control (RBAC), doesn't feel quite right?

RBAC grants you the power to narrow down your users to roles and grant them access to the resources that fit their privileges.

If you have any questions or would like to dive deeper into this together I am more than happy to help!

