Inspired by complex IAM and RBAC, multi-tenant to multi-org relationships.

• Org Stack
  • Goals
  • Reading
  • Design
    • Auth service
      • POST /organisation/create
      • POST /organisation/{}/user
        • How to handle existing user at this stage?
      • PATCH /organisation/{}/user

• Create organisation flow which creates a default admin user as the person filling in the form
  • Admin user, and only the admin user, can add more users to the organisation
• An admin for an Organisation can add a user that already belongs to an organisation

• Basics of RBAC with appsync and cognito: https://theburningmonk.com/2021/03/the-case-for-and-against-amazon-cognito/
• Advanced custom multi-tenant to multi-org: https://theburningmonk.com/2021/03/how-to-secure-multi-tenant-applications-with-appsync-and-cognito/
• Further group level controls for Cognito: https://theburningmonk.com/2021/09/group-based-auth-with-appsync-lambda-authoriser/

An authentication service should sit in front of a single cognito user pool.

The cognito user pool will store users login credentials.

Each user will belong to a parent organization parent_org_id, which is immutable, in the JWT claim.

The user would have a role, and those roles would need to be specific to each organisation, therefore using cognito groups would not be possible, as Admin role for the parent organisation, would override a readonly role for a child organisation.

Create an organisation and an admin user.

Store the parent_org_id in the JWT claims and put it into a dynamoDB record for ORGANISATION.

Redirect to sign-in on success.

Create a user inside the organisation with the chosen role.

1. This user exists, invite them to join your organisation instead.

Add an existing user to the organisation.

This should create a token that suppresses claims for the other organisation.