The HasuraCon 2024 CFP is open! Submit your talk

/

/

hasura-header-illustration

Implementing Authorization for Organization-based, Team-based, or Tenant-based Apps in Hasura

Table of Contents

Introduction
Example Data
Relationships
Permissions
Query Results

Introduction

This blog post is the first in a 2-part series that aims to outline how to model a common organization-based permission system in Hasura. Keep your eyes peeled for the second part for a walkthrough of a clonable sample repo that you can use to model similar permissions systems.

The problem being solved is:

"In my application, I have a 'group' and entities that belong to group(s)."

"Each entity in the group should only be able to see/interact with other entities in the same group(s)."

This is a common pattern in applications and in this article we'll take a look at one of the ways you can solve it. Our solution will use nothing but Hasura's standard permissions system and authorization rules.

This approach and principle works for any "group"-like structure, such as:

Teams
Organizations
Tenants in a Multi-tenant app
Chat group-messages, & more!

Let's assume that you have some table structure like the following:

Table Name	Columns	Foreign Keys
`user`	`id`, `name`, `email`
`organization_user`	`id`, `user_id`, `organization_id`	`user_id` -> `user.id`, `organization_id` -> `organization.id`
`organization`	`id`, `name`

Example Data

Here we have example users:

John & Jane belong to Organization ID 1
Frank belong to Organization ID 2

We create the following database records:

user

hasura-org-permissions-user-table

organization_user

hasura-org-permissions-org-user-table

organization

hasura-org-permissions-org-table

Relationships

We create the following relationships on our data:

user

hasura-org-perms-user-relations

organization_user

hasura-org-perms-org-user-relations

organization

hasura-org-perm-org-relations

Permissions

And provision the permissions like such:

user

hasura-org-perm-user-perms

organization_user

hasura-org-perm-org-user-perms

organization

hasura-org-permissions-org-perm

Query Results

Now when we query with our X-Hasura-User-Id set as User 1 and 3 respectively, we can see only those users in our own organizations:

Querying as John (User ID 1, Org 1)

query-as-user-org-1

Querying as Frank (User ID 3, Org 2)

query-as-user-org-2

Voila! We've successfully implemented an organization-based authorization system using Hasura!

The previous article in our authorization cookbook explains how to implement a hierarchical Google Drive-style permission system in Hasura using ACL.

If you have any questions or want to share your thoughts on the topic, reach out to us on Twitter / Discord / GitHub Discussions.

Technical Evangelist, Hasura.

21 Oct, 2021

3 MIN READ

Share

Blog

21 Oct, 2021

Related reading

Remote Table Authorization

20 Nov, 2023

4 MIN READ

Introducing Remote Table Authorization: Write permission rules across all your data

We are thrilled to introduce our latest feature: Remote Table Authorization. With Remote Table Authorization, you can now use data from different sources to perform authorization checks on any table.

24 Aug, 2023

4 MIN READ

Introducing Single Sign-on for Hasura Console

We're excited to announce the Single Sign-on (SSO) solution for Hasura Console. You can integrate existing SSO identity providers (IdP) with Hasura GraphQL Enterprise Engine to enable authentication.

10 Aug, 2023

4 MIN READ

Building dynamic ABAC authorization for banking

In this technical blog post, we explore how to implement a dynamic ABAC authorization system for the banking industry using Hasura's powerful GraphQL engine.

Hasura

Platform

Hasura CE Edition

Capabilities

Build

Learn

Company

Connect

Community

© 2024 Hasura Inc. All rights reserved