RBAC/ABAC in circle based organization structure

Hi folks,

I have a client that is organized in circles and roles (holacracy or sociocracy). In Okta I can add custom properties on user profiles and add groups, and we can use group rules to assign users to specific groups, i.e. based on the user's properties. So far…

Following example:

  • There are two Circles: A and B
  • In Circle A, the user has a Role ADMIN
  • In Circle B, the user has a Role TEAM
  • Role ADMIN should give him admin permissions for the context of Circle A
  • Role TEAM should give him only normal permission

I thought about creating two groups for each circle, i.e.:

  • group-circlea-admin (contains the user)
  • group-circlea-team
  • group-circleb-admin
  • group-circleb-team (contains the user)

With more than 40 circles and more than 5 or 6 roles in each circle (roles are almost the same in each circle, sometimes they have specialized and additional roles), that would give me >200 groups.

Have some of you guys already had a similar requirement? I mean, most companies have hierarchical and fixed job roles, which should give them a more static way of working in different tools.

I know that OpenID and scopes could give me more flexibility, but they have more than 30 apps that only provide SAML or LDAP authorization, and most of them just support a user->groups structure.

Any ideas 💁 ?

I think you have hit the best way to achieve this if the intention is to manage users at that granular of a level.

An attempt at role mining may get you some level of reduction in group assignments or a means to set a consistent level of access across several job functions or logical groups. In theory each Circle is a unique set of membership/permissions, but in practice that is rarely the case.
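To make both posts concrete, here is an added example (not code from the thread, nor an Okta API call) that models the question's circle x role layout and the reply's role-mining idea locally. It assumes a hypothetical custom profile attribute `circleRoles` holding `CIRCLE:ROLE` strings, the `group-circle<x>-<role>` naming from the question, and constructed role-to-permission maps; it derives the group names a group rule would produce, evaluates a permission only within the circle the role was granted in, counts how many groups the layout needs, and clusters users by identical role sets to find candidate composite groups.

```python
"""Added example (not from the original thread): circle/role assignments
as group derivation, circle-scoped permission checks, group counting and
a small role-mining pass. All names, roles and users are constructed."""
from collections import defaultdict

# Constructed: permissions per role; roles are the same in every circle
# unless a circle adds a specialized role (see CIRCLE_ROLE_OVERRIDES).
ROLE_PERMISSIONS = {
    "ADMIN": {"read", "write", "manage_members"},
    "TEAM": {"read", "write"},
    "GUEST": {"read"},
}
# Constructed: circle B has one additional, specialized role.
CIRCLE_ROLE_OVERRIDES = {
    "B": {"FINANCE": {"read", "approve_invoices"}},
}


def roles_for_circle(circle):
    """Default roles plus any specialized roles defined for this circle."""
    roles = dict(ROLE_PERMISSIONS)
    roles.update(CIRCLE_ROLE_OVERRIDES.get(circle, {}))
    return roles


def group_name(circle, role):
    # Same naming convention as the question: group-circle<x>-<role>
    return f"group-circle{circle.lower()}-{role.lower()}"


def parse_assignments(user):
    """Split the hypothetical 'circleRoles' attribute into (circle, role)
    pairs, rejecting roles that do not exist in that circle."""
    pairs = []
    for entry in user["circleRoles"]:
        circle, role = entry.split(":", 1)
        if role not in roles_for_circle(circle):
            raise ValueError(f"unknown role {role} in circle {circle}")
        pairs.append((circle, role))
    return pairs


def derive_groups(user):
    """The group memberships a group rule over 'circleRoles' would yield."""
    return {group_name(c, r) for c, r in parse_assignments(user)}


def has_permission(user, circle, permission):
    """Context-aware check: a role grants rights only inside its circle,
    so ADMIN in circle A gives nothing in circle B."""
    for c, role in parse_assignments(user):
        if c == circle and permission in roles_for_circle(c)[role]:
            return True
    return False


def total_groups(circles):
    """Number of groups the one-group-per-circle-and-role layout needs."""
    return sum(len(roles_for_circle(c)) for c in circles)


def role_mine(users):
    """Cluster users by identical (circle, role) sets. Each distinct set is
    a candidate composite group; usually far fewer than circles x roles."""
    clusters = defaultdict(list)
    for u in users:
        clusters[frozenset(u["circleRoles"])].append(u["login"])
    return dict(clusters)


# Constructed sample users
USERS = [
    {"login": "alice", "circleRoles": ["A:ADMIN", "B:TEAM"]},
    {"login": "bob", "circleRoles": ["A:TEAM", "B:TEAM"]},
    {"login": "carol", "circleRoles": ["A:TEAM", "B:TEAM"]},
    {"login": "dave", "circleRoles": ["B:FINANCE"]},
]

if __name__ == "__main__":
    for u in USERS:
        print(u["login"], sorted(derive_groups(u)))
    print("alice manages members in A:", has_permission(USERS[0], "A", "manage_members"))
    print("alice manages members in B:", has_permission(USERS[0], "B", "manage_members"))
    print("groups for 40 circles:", total_groups([f"C{i}" for i in range(40)]))
    print("distinct role sets:", len(role_mine(USERS)))
```

The `has_permission` function is the part an app with only SAML/LDAP group support cannot do on its own, which is why the question ends up with one group per circle and role; `role_mine` shows what the reply suggests measuring before committing to that many groups.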