Define organization management features
Before designing your organization experience, list the key requirements for your multi‑tenant app. This chapter highlights a few essentials to consider when shaping that experience.
Define access control within organizations
In this scenario, within a tenant, organization admins can update user roles, while regular members cannot. (By contrast, creating an organization is a system‑level action any end user can perform in a SaaS multi‑tenant app.) To support this level of granular access control, define organization permissions and roles so that only admins can update roles within an organization.
Check out the Organization template to learn more about organization roles and permissions.
The admin role has full access to all resources in the organization, while the member role has limited access. For example, each role can have permissions such as:
admin role:
- read:data - Read access to all organization data resources.
- write:data - Write access to all organization data resources.
- delete:data - Delete access to all organization data resources.
- invite:member - Invite members to the organization.
- manage:member - Manage members in the organization.
- delete:member - Remove members from the organization.
member role:
- read:data - Read access to all organization data resources.
- write:data - Write access to all organization data resources.
- invite:member - Invite members to the organization.
You can do this easily in the Logto Console. Setting up access control is a key part of your organization (multi‑tenant) architecture.
Enable users to self-manage their organizations
Your app may also need several management features. To build these, use the Logto Management API. Below are common features and related API endpoints. In the next chapter, we’ll walk through how to implement them step by step.
Allow admins and members to invite others
Both admins and members can invite others into the organization. See Invite organization members for details.
Admins can modify member roles
Admins can modify other members’ roles. They can also create more specific roles for the organization, such as department lead, project manager, coordinator, etc. Implement this with these Management APIs:
curl \
-X POST https://[tenant_id].logto.app/api/organizations/{id}/users/{userId}/roles \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"organizationRoleIds":["admin"]}'
Or in bulk, for several users at once:
curl \
-X POST https://[tenant_id].logto.app/api/organizations/{id}/users/roles \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"userIds":["userId1", "userId2"],"organizationRoleIds":["admin"]}'
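The Management API calls above are made with a backend access token, so the API does not know which end user asked for the change; your backend has to check the requester's role in that specific organization before it sends the request. The following Python example (added here; it is not Logto's code) models the admin and member roles defined above, scopes the check to a single organization so that an admin of one organization cannot manage roles in another, and then builds the single-user or bulk role-assignment request shown above. The tenant id, organization ids, user ids and membership table are constructed placeholders.

```python
"""Per-organization permission check in front of the role-assignment calls.

Added example, not part of Logto. The role-to-scope mapping follows the
admin/member roles listed on this page; all ids below are constructed.
"""
from typing import Dict, Iterable, List, Set

# Organization role -> permission scopes (from the roles described above).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin": {"read:data", "write:data", "delete:data",
              "invite:member", "manage:member", "delete:member"},
    "member": {"read:data", "write:data", "invite:member"},
}

# Constructed membership table: organization id -> user id -> org roles.
# In a real app this comes from Logto (e.g. the user's organization roles),
# never from a client-supplied claim.
MEMBERSHIPS: Dict[str, Dict[str, List[str]]] = {
    "org_a": {"alice": ["admin"], "bob": ["member"]},
    "org_b": {"bob": ["admin"]},
}


class PermissionDenied(Exception):
    """Raised when the requester lacks the scope in that organization."""


def scopes_for(org_id: str, user_id: str) -> Set[str]:
    """Union of scopes granted by the user's roles in this organization only."""
    roles = MEMBERSHIPS.get(org_id, {}).get(user_id, [])
    scopes: Set[str] = set()
    for role in roles:
        scopes |= ROLE_PERMISSIONS.get(role, set())
    return scopes


def has_permission(org_id: str, user_id: str, scope: str) -> bool:
    return scope in scopes_for(org_id, user_id)


def build_assign_roles_request(tenant_id: str, org_id: str, requester_id: str,
                               target_user_ids: Iterable[str],
                               role_ids: Iterable[str]) -> dict:
    """Return the Management API request to send, after the local admin check.

    Mirrors the two curl commands above: one target user -> per-user endpoint,
    several targets -> the bulk endpoint. Raises PermissionDenied otherwise.
    """
    targets = list(target_user_ids)
    roles = list(role_ids)
    if not has_permission(org_id, requester_id, "manage:member"):
        raise PermissionDenied(
            f"{requester_id} may not manage members of {org_id}")
    unknown = [r for r in roles if r not in ROLE_PERMISSIONS]
    if unknown or not targets:
        raise ValueError(f"unknown roles {unknown} or no target users")

    base = f"https://{tenant_id}.logto.app/api/organizations/{org_id}"
    if len(targets) == 1:
        return {"method": "POST", "url": f"{base}/users/{targets[0]}/roles",
                "body": {"organizationRoleIds": roles}}
    return {"method": "POST", "url": f"{base}/users/roles",
            "body": {"userIds": targets, "organizationRoleIds": roles}}


if __name__ == "__main__":
    # alice is admin of org_a: allowed. bob is admin of org_b only, so the
    # same request for org_a is refused even though bob is a member there.
    print(build_assign_roles_request("tenant", "org_a", "alice", ["bob"], ["admin"]))
    try:
        build_assign_roles_request("tenant", "org_a", "bob", ["alice"], ["admin"])
    except PermissionDenied as exc:
        print("denied:", exc)
```

The returned dict is what your backend would send with its own Management API access token (the `Authorization: Bearer $ACCESS_TOKEN` header in the curl examples); the check on `manage:member` is keyed on the organization in the URL, which is the property that keeps one organization's admins from editing another's.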
Add bots to an organization
You can also allow admins to add bots to a specific organization. Create machine‑to‑machine (M2M) apps first, then add these M2M apps to organizations as bots.
curl \
-X POST https://[tenant_id].logto.app/api/organizations/{id}/applications \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"applicationIds":["botAppId"]}'
Then you can assign organization roles to these bots, just as you would to users:
curl \
-X POST https://[tenant_id].logto.app/api/organizations/{id}/applications/roles \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"applicationIds":["botApp1"],"organizationRoleIds":["botRoleId"]}'