Manage access to B2B apps using roles

A business-to-business (B2B) application can allow organizations to manage a member's access to the application based on their role in the organization. This describes how to implement role-based access control (RBAC) for members logging into a B2B app. To learn more about RBAC, see How B2B auth works.

Before you start

Implement member login, which covers the basic B2B setup as well as authenticating members into B2B applications, see Login members.

Step 1: Create roles

Create the roles that can be assigned to members to control their access to your application. For example, an airline website can create a travel-agent role to give specific permissions to travel agents that book on behalf of users.

You can create roles from the Admin Portal (from Identity Management > Roles). Roles are managed on the application level, so make sure to first select the relevant application from the drop-down at the top of the page.

Note

Permissions can only be added to roles if the role is created via API. Otherwise, you can manage the permissions that correspond to each role in your own system.

Step 2: Create role groups

Role groups allow an application to control which roles an organization can assign to their members. Role groups are set of roles, where each role can belong to multiple role groups. Each organization is assigned one or more role groups, which determines which roles the organization is allowed to assign to their members.

You can create role groups from the Admin Portal (from Identity Management > Roles > Groups tab). Make sure to first select the relevant application from the drop-down at the top of the page.

Step 3: Assign role groups

Once role groups are created, they can be assigned to organizations per application. Organizations can only assign roles to a member for a given application if the role is included in a role group that was assigned to the organization for that application.

You can assign role groups from the Admin Portal from the organization's settings, which are found by selecting the organization from Identity Management > Organizations. From the Applications tab, click Assign roles in the row corresponding to the relevant application and then select which role groups to assign.

Step 4: Assign roles

The organization can assign roles to members using the Organization Admin Portal. This can be done when inviting the member to join the organization (see Invite members). Roles can also be assigned to invited/existing members from the Members page by hovering over the member's roles in the table, clicking the 3 dots that appear, and selecting Assign roles.

Note

The Organization Admin Portal is available at the domain configured in the application settings.

Step 5: Get roles

The application needs to determine the roles of a member to provide them with the relevant access. Member roles can be fetched via API or returned in the ID token upon successful authentication (if requested as a custom claim).

You can request roles in the ID token using the claims parameter to request the role_values claim. To do this, the authentication request should include the claims parameter with the following value:

Copy

Copied

{
   "id_token":{
      "role_values": null
   }
}

The ID token will contain the role_values as an array of role values. For example:

Copy

Copied

...
   "role_values": [
    "travel-agent"
   ],
...