Group-based role assignment

Manually assigning roles to users in your application can consume significant time for administrators. This becomes especially challenging in large enterprises where access requirements change frequently. Scalekit automates this process by enabling administrators to create workflows that automatically update your app with the correct user roles.

How group-based role assignment works

Organization administrators commonly manage varying access levels by grouping users based on their specific access requirements. For example, if you develop an application similar to GitHub with roles like maintainer, writer, and viewer, customer administrators can create user groups for each role within their directory provider.

SCIM user provisioning flow directory to Scalekit to your B2B app

Scalekit notifies your application when administrators create groups or add users to groups. This enables you to take necessary actions such as creating or modifying user roles as directed by the organization’s administrator.

Scalekit delivers normalized information regardless of which directory provider your customers use. This eliminates the need for you to transform data across different providers. Users can belong to multiple groups and may receive multiple roles in your application, depending on your role-mapping logic.

Set up automatic role assignment

To enable administrators to map groups to roles in your app, complete these steps:

Go to the Scalekit dashboard
Select “SCIM Provisioning”
Switch to the “Role assignment” tab
Register your app’s roles

How Scalekit works

The first role you create becomes the default role automatically. Users who don’t belong to any specific group receive this role when you create their accounts. To change the default role, navigate to the role settings, click the ”…” menu next to your preferred role, select “Edit,” and toggle the “Set as default role” option.

Choose clear display names and descriptions for your roles. This helps customers understand and align with the access levels in the admin portal.

Connect organization groups to app roles

After you create the roles, they reflect the roles in your app. Users receive role assignments based on the groups they belong to.

You can set up this mapping in two ways:

Set up mapping in the Scalekit dashboard on behalf of organization administrators. Select the ‘Organization’ and go to ‘SCIM Provisioning’ tab.
Share the admin portal link with organization administrators so they can set up the mapping themselves

Scalekit automatically displays mapping options in both the Scalekit dashboard and the admin portal. This allows administrators to connect organization groups to app roles.

Handle role update events

Scalekit continuously monitors updates from your customers’ directory providers and sends event payloads to your application through a registered webhook endpoint. To set up these endpoints and manage subscriptions, note the ‘Webhooks’ option in the Scalekit dashboard.

Listen for the organization.directory.user_updated event to determine a user’s role from the payload. Scalekit automatically includes a role property relevant to your app, based on the role information you configured in the Scalekit dashboard.

1
// Webhook endpoint
2
app.post('/webhook', async (req, res) => {
3
  // Extract event data
4
  const event = req.body;
5
  const { email, name, roles } = event.data;
6
  console.log('Admin added user to Viewer Group -> Scalekit informs Your App\n');
7

8
  // Destructure role_name from roles array
9
  const roleName = roles.length > 0 ? roles[0].role_name : null;
10
  console.log('Role name received:', roleName);
11

12
  // Logic to update user role and permissions
13
  await assignRole(roleName, email);
14
  console.log('App updated access for user:', email);
15

16
  res.status(201).json({
17
    message: 'Role assigned',
18
  });
19
});

1
from fastapi import FastAPI, Request
2

3
app = FastAPI()
4

5
@app.post("/webhook")
6
async def api_webhook(request: Request):
7
    # Parse request body
8
    body = await request.body()
9
    payload = json.loads(body.decode())
10

11
    # Extract user data
12
    user_roles = payload['data']['roles']
13
    user_email = payload['data']['email']
14

15
    print("User Roles:", str(roles))
16
    print("User email:", str(email))
17

18
    # Business logic to assign role
19
    await assign_role(roles[0], email)
20

21
    return JSONResponse(
22
        status_code=201,
23
        content=''
24
    )

1
@PostMapping("/webhook")
2
public String webhook(@RequestBody String body, @RequestHeader Map<String, String> headers) {
3
  ObjectMapper mapper = new ObjectMapper();
4

5
  try {
6
    JsonNode node = mapper.readTree(body);
7
    JsonNode roles = node.get("data").get("roles");
8
    String email = node.get("data").get("email").asText();
9

10
    System.out.println(roles);
11
    System.out.println(email);
12
    // Add role to user
13

14
  } catch (IOException e) {
15
    return "error";
16
  }
17

18
  return "ok";
19
}

1
mux.HandleFunc("POST /webhook", func(w http.ResponseWriter, r *http.Request) {
2
    // Read request body
3
    bodyBytes, err := io.ReadAll(r.Body)
4
    if err != nil {
5
        http.Error(w, err.Error(), http.StatusBadRequest)
6
        return
7
    }
8

9
    // Parse webhook payload
10
    var body struct {
11
        Data map[string]interface{} `json:"data"`
12
    }
13

14
    err = json.Unmarshal(bodyBytes, &body)
15
    if err != nil {
16
        http.Error(w, err.Error(), http.StatusBadRequest)
17
        return
18
    }
19

20
    // Extract user data
21
    roles := body.Data["roles"]
22
    email := body.Data["email"]
23

24
    fmt.Println("Roles: ", roles)
25
    fmt.Println("Email: ", email)
26

27
    w.WriteHeader(http.StatusOK)
28
})

Refer to all the directory webhooks you can subscribe.