Skip to content
Scalekit Docs

Group-based role assignment

Manually assigning roles to users in your application, such as viewer, member, editor, or admin, can be a time-consuming task for administrators, particularly in large enterprises where access needs frequently change. Scalekit streamlines this process by allowing administrators to establish workflows that automatically update your app about the roles to assign to users.

Introduction

Section titled “Introduction”

A common strategy that organization administrators use for managing varying access levels is to group users based on their specific access requirements. For example, if you are developing an application similar to GitHub with roles like maintainer, writer, and viewer, customer administrators can create user groups for each role within their directory provider.

SCIM user provisioning flow directory to Scalekit to your B2B app

Scalekit notifies your application when administrators create groups or add users to them, enabling you to take necessary actions such as creating or modifying user roles as directed by the organization’s administrator. Regardless of the directory provider your customers use, Scalekit delivers normalized information, eliminating the need for data transformation across different providers. A user can belong to multiple groups and, as a result, may be assigned multiple roles in your application, depending on your role-mapping logic.

Enabling group-based role assignment

Section titled “Enabling group-based role assignment”

To enable administrators to map groups to roles in your app:

  1. Go to the Scalekit dashboard
  2. Select “SCIM Provisioning”
  3. Switch to the “Role assignment” tab
  4. Register your app’s roles

How Scalekit works

The first role you create in your app becomes the default role automatically. This means users who don’t belong to any specific group will be assigned this role upon account creation. To change the default role, navigate to the role settings, click the ”…” menu next to the desired role, select “Edit,” and toggle the “Set as default role” option.

Listening to events

Section titled “Listening to events”

Scalekit continuously monitors updates from your customers’ directory providers and sends event payloads to your application via a registered webhook endpoint. To set up these endpoints and manage subscriptions, refer to the Scalekit dashboard documentation.

In this scenario, you will listen for the organization.directory.user_updated event to determine a user’s role from the payload. Scalekit automatically includes a role property relevant to your app, based on the role information configured in the Scalekit dashboard.

Webhook endpoint for role updates

// Webhook endpoint
app.post('/webhook', async (req, res) => {
  // Extract event data
  const event = req.body;
  const { email, name, roles } = event.data;
  console.log('Admin added user to Viewer Group -> Scalekit informs Your App\n');


  // Destructure role_name from roles array
  const roleName = roles.length > 0 ? roles[0].role_name : null;
  console.log('Role name received:', roleName);


  // Logic to update user role and permissions
  await assignRole(roleName, email);
  console.log('App updated access for user:', email);


  res.status(201).json({
    message: 'Role assigned',
  });
});