# ory-network
d
Hi everyone, I am pretty new to Ory and digging into it. So far I like it a lot! I'd like to use Ory cloud for our SaaS which is a B2B solution. On the application side our product is built for multi-tenancy. Looking at authentication, obviously a user shall be restricted to their own organisation and only access data within their tenant. Additionally there shall be super-users that can add / modify / delete other users inside that organisation. How would you tackle this? In Ory cloud I see the option to create several projects (I am also unsure if I pay the pro-plan per project then). This helps with separation, but still does not solve the super-user use-case. So, I thought about using Keto to ensure people only access their tenant. But concerning the super-user feature the solution is still unclear to me. The only idea I had so far is to write my own service that provides the super-user functionality (while checking if the user is allowed to perform such an action via Keto and then executing the action inside the service via the admin API using a Personal Access Token). Am I on the right track with my approach or is there a simpler solution to my problem that I missed?
f
Great questions!
• Yes, you can create multiple projects - often used for multiple domains - and identities/user data is isolated in each project/tenant
• Managing users for super-users works via the Admin APIs. You need a Personal Access Token (PAT) for that (https://www.ory.sh/docs/concepts/personal-access-token). (As you have figured out) You would have different PATs for different projects.
• Yes, Plans are per-project at this time, so the monthly base price is chargeable for each project.
• The approach via a dedicated superuser API that uses Ory Permissions to validate access before calling the Admin API sounds great to introduce fine-grained permissions.
👍 1
❤️ 1
With all that said - down the road we'll improve the permissioning model on Admin APIs and may allow multiple projects under one "organization" umbrella
d
thanks a lot @fast-lunch-54279 for your quick and helpful reply! 🎉 And I have to add that Ory really has a great community from what I've seen here so far. Great to be here.
👍 1
h
Great to have you here in the community @dazzling-lock-68691! 🙂 If I may ask, what are you working on? I always find it interesting to see what people use Ory for 🙂
d
Of course @high-optician-2097 🙂 I work for a startup based in Bern (CH) called Hypt: https://join-hypt.com/en We have a product in the after-sales area. We collect feedback of customers and make it easy to recommend it to personal contacts, which we say is kinda digitalising word-of-mouth and this without massive user tracking ✌️ Ory is used to secure the customer-portal which shows the collected feedback 📊 We found many ways and industries to use it. So technically Ory cloud could use it too 😉
h
Awesome, thank you so much for the context! If there’s anything we can do, we’re happy to jump on a call. Just let me know 🙂
d
that's really kind! thanks @high-optician-2097 🙏😎