Hi there! I’ve been assigned the task of authenticating a system I am working on, and the authentication has some rather strange requirements. Hopefully somebody on here has some tips; thank you in advance.
Our user base is made up of various different companies and their employees. Some of these companies are the owners of resources. In the first instance I need to provide a way of allowing these resource-owning companies to grant access to their resources to other companies (as well as being able to access their resources themselves).
This cross-company access requirement makes me think it would be better to approach this as a multi-tenant solution rather than having to have multiple realms and copy configurations around.
Hopefully this diagram can make the situation clearer:
Each of the aforementioned companies needs to be able to manage their own users, probably through some sort of admin role / user. In essence this means they should be able to add / remove / grant privileges within their company (group?).
It is obviously important that administrators cannot elevate their access, possibly into other companies’ resources. I am aware of the fine-grained admin permissions technical preview; however, I have yet to figure out how to make it work in a way I’d expect.
I have played around with a few approaches. What I primarily think could work is having a client for each resource-owning company to capture which resources they are responsible for, then a group for each company so they can theoretically manage their own users.
Please let me know if anything is unclear, thank you.