Handling organization-wide permissions

Hi!

I’m creating a B2B application, site and api for businesses to manage their fleet of vehicles. Each company may have a different set of access to predefined “modules” based on pricing etc.

For example, one company may have access to automatic service intervals and accounting, while another may have accounting and automatic leasing tracking.

Creating a vehicle requires the create:vehicle scope of course, but I would like to create a company-wide scope of some sort to fine-tune what kind of information is allowed to be stored in my database.

I’ve tried setting company metadata, then extracting this as a custom claim for each login through an action, which could work, but I’m wondering if there is a better solution.

The idea is that you need both the “organization” claim, and the permission scope to perform an action.

Thank you.
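One way to model the "organization claim plus permission scope" check on the API side, as an added example that is not part of the original post and not tied to any particular identity provider. It assumes the JWT has already been verified and decoded, that the login action placed the company's enabled modules in a namespaced custom claim (here the assumed name https://example.com/modules, derived from a flat organization-metadata map of module name to "true"/"false"), and that the module names and vehicle field names are constructed for illustration.

```javascript
// Constructed example: enforce both a permission scope and an organization
// module claim before accepting data, and drop fields whose module the
// company has not paid for. Claim name and module/field names are assumptions.
const MODULES_CLAIM = 'https://example.com/modules';

// Base vehicle fields every company may store; module-gated fields map to the
// module that must be enabled for the company (constructed mapping).
const BASE_FIELDS = new Set(['vin', 'plate']);
const FIELD_MODULE = {
  serviceIntervalKm: 'service_intervals',
  leaseEndDate: 'leasing',
  costCenter: 'accounting',
};

// Mirrors what a post-login action would compute from organization metadata:
// the sorted list of modules whose metadata value is the string "true".
function modulesFromOrgMetadata(metadata) {
  return Object.entries(metadata)
    .filter(([, value]) => value === 'true')
    .map(([name]) => name)
    .sort();
}

// Shape of the verified token claims the API works with (org_id and scope are
// standard-looking names; the modules claim is the custom one).
function buildClaims(orgId, metadata, scope) {
  return { org_id: orgId, scope, [MODULES_CLAIM]: modulesFromOrgMetadata(metadata) };
}

// Deny unless the caller holds the scope AND belongs to an organization AND
// that organization has the required module enabled. Each failure reports a
// distinct reason so it can be logged and alerted on.
function authorize(claims, requiredScope, requiredModule) {
  const scopes = (claims.scope || '').split(' ').filter(Boolean);
  if (!scopes.includes(requiredScope)) return { allowed: false, reason: 'missing_scope' };
  if (!claims.org_id) return { allowed: false, reason: 'no_organization' };
  const modules = Array.isArray(claims[MODULES_CLAIM]) ? claims[MODULES_CLAIM] : [];
  if (!modules.includes(requiredModule)) return { allowed: false, reason: 'module_not_enabled' };
  return { allowed: true, reason: 'ok' };
}

// Allow-list filter for the stored record: base fields always pass, gated
// fields pass only when their module is enabled, anything else is rejected.
function filterVehiclePayload(payload, modules) {
  const accepted = {};
  const rejected = [];
  for (const [field, value] of Object.entries(payload)) {
    const gate = FIELD_MODULE[field];
    if (BASE_FIELDS.has(field) || (gate !== undefined && modules.includes(gate))) {
      accepted[field] = value;
    } else {
      rejected.push(field);
    }
  }
  return { accepted, rejected };
}

// Usage: a company with accounting enabled creates a vehicle carrying a
// leasing-only field; the field is dropped rather than stored.
const claims = buildClaims(
  'org_example',
  { accounting: 'true', leasing: 'false', service_intervals: 'true' },
  'read:vehicle create:vehicle',
);
const decision = authorize(claims, 'create:vehicle', 'accounting');
const stored = filterVehiclePayload(
  { vin: 'CONSTRUCTEDVIN001', plate: 'AB-123', costCenter: 'CC1', leaseEndDate: '2026-01-01' },
  claims[MODULES_CLAIM],
);
console.log(decision, stored);

module.exports = { MODULES_CLAIM, modulesFromOrgMetadata, buildClaims, authorize, filterVehiclePayload };
```

Keeping the module check separate from the scope check matters for detection: a "module_not_enabled" denial for a caller who does hold the scope is worth logging, because it means a correctly authenticated client is trying to write data its company's plan does not include.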