Reputation: 6097
I am trying to set up a scenario where there are "Group managers" that are responsible for creation and maintenance of accounts within the group, but that have no access to (can't even see) accounts not belonging to the group.
I am not succeeding, partly maybe because I can't find any description in the docs of what the built-in roles (user_manager, user_deleter etc.) actually do.
My main issue is that regardless of whether I assign users to different groups or to different tenants, any user with user_manager will see and be able to edit all users in all groups/tenants.
Ideas on how to accomplish this would be welcome.
Upvotes: 2
Views: 208
Reputation: 1067
FusionAuth does not currently support this scenario within the FusionAuth UI. Anyone with the admin or the user_manager role, for example, will be able to see all users in all tenants.
You could build these types of management operations outside of the FusionAuth UI using the APIs, and then if each tenant manager was assigned an API key scoped to their tenant, this would ensure they could not see users outside of their own tenant. There is an example of this in the Tenant Tutorial in FusionAuth docs.
The Group concept in FusionAuth is under a Tenant; the Group is mainly used to logically "group" users, or to dynamically assign roles across one-to-many applications via group membership.
The Tenant Manager idea within the FusionAuth UI is on the roadmap; we are still identifying the complete use case and solution to the problem. If this is something you're interested in, please open a Feature on the FusionAuth Issues page and we can track the requirement and resolution there.
Upvotes: 2
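The tenant-scoped API key approach from the answer above, as an added example that is not part of the original post and not FusionAuth's own code: a manager-side script calls the user search API with a key scoped to one tenant and, as a defence-in-depth check, verifies that every returned user actually carries the expected tenantId. The base URL, API key and tenant ID are placeholders you must replace; the sample response is constructed so the check runs offline.

```python
import json
import urllib.request

# Placeholders (hypothetical): your FusionAuth base URL, an API key created
# with a Tenant selected (so it is scoped to that tenant), and that tenant's ID.
FUSIONAUTH_URL = "http://localhost:9011"
TENANT_SCOPED_KEY = "REPLACE_WITH_TENANT_SCOPED_API_KEY"
EXPECTED_TENANT_ID = "00000000-0000-0000-0000-000000000001"


def search_users(base_url, api_key, query="*", max_results=25):
    """POST to FusionAuth's user search API using the given API key.

    With a tenant-scoped key the server only authorises that tenant's users,
    which is what keeps one group manager from seeing another tenant's accounts.
    """
    body = json.dumps({"search": {"queryString": query,
                                  "numberOfResults": max_results}}).encode()
    req = urllib.request.Request(
        f"{base_url}/api/user/search", data=body, method="POST",
        headers={"Authorization": api_key,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def users_outside_tenant(search_response, expected_tenant_id):
    """Client-side sanity check: IDs of returned users whose tenantId is not the
    tenant this manager may administer. Empty when the key is scoped correctly;
    anything else means the key (or the deployment) is misconfigured."""
    return [u["id"] for u in search_response.get("users", [])
            if u.get("tenantId") != expected_tenant_id]


# Constructed sample response (not captured from a live server) that mixes a
# user from the expected tenant with one from another tenant.
SAMPLE_RESPONSE = {
    "total": 2,
    "users": [
        {"id": "user-a", "email": "a@example.com", "tenantId": EXPECTED_TENANT_ID},
        {"id": "user-b", "email": "b@example.com", "tenantId": "other-tenant-id"},
    ],
}

if __name__ == "__main__":
    # On a real deployment: users_outside_tenant(search_users(FUSIONAUTH_URL,
    # TENANT_SCOPED_KEY), EXPECTED_TENANT_ID)
    print(users_outside_tenant(SAMPLE_RESPONSE, EXPECTED_TENANT_ID))  # ['user-b']
```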