goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Feature Request: Allow multiple parent groups #6202

Open JanKoppe opened 12 months ago

JanKoppe commented 12 months ago

Is your feature request related to a problem? Please describe.

Our current SSO directory structure is a bit unusual - we're not working with a tree of groups, but rather a DAG of groups. This makes management in many cases much, much easier, as you can re-use groups of people as members of other groups much more easily. Think of central groups that should be included in many other groups. I'm not aware of any identity solutions that support this natively: neither AWS SSO (our current solution, does not even support any nested groups), Keycloak (only tree-like structures with multiple child-references) nor authentik (only tree-like structures with single parent-reference) supports this.

If authentik supported group structures that resemble DAGs, it would be a standout feature that allows much more flexibility in organizing your directory.

Describe the solution you'd like

The simplest solution would be to allow multiple parents on a single group. A solution that would be easier to navigate is to instead allow multiple children on a group, without the restriction of a group having at most one parent (compare Keycloak).

Describe alternatives you've considered

Our current solution to this (while still on AWS SSO) is to manage this DAG externally and render it out to simple groups without hierarchy. We want to get away from this. Another option would be to directly assign central groups to bindings where required, but this would take away many of the comforts that you get from nested groups. In our special case, nested groups would become almost useless in that case.

Additional context

https://goauthentik.io/docs/user-group/group#hierarchy
https://www.keycloak.org/docs/latest/server_admin/#proc-managing-groups_server_administration_guide

zanderson-aim commented 12 months ago

Just looking for this as well. Similar setup, but thinking more about Roles for staff. Here is a basic example

Groups Linked to Apps

Roles

I would like to set up the following relationship. That way, when I onboard a new user, I just need to put them in the Group/Role that is the position. Down the road, if I add a new app (newapp_ro, newapp_rw), I just need to add those to the role_* and people currently in the role are granted permission.

role_it

role_dev
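The external rendering described in the opening post (a DAG of groups flattened to simple groups) and the role-to-app-group relationship in the comment above, as an added example that is not authentik code and not code from any commenter. It assumes that members of a group are effective members of every group it is placed in; `role_it`, `role_dev`, `newapp_ro` and `newapp_rw` come from the thread, while the other group names and the users are constructed.

```python
from collections import defaultdict

# Constructed sample data. Each key is a group; its list holds the groups it
# is a member of (its parents). A group may have several parents (a DAG).
PARENTS = {
    "role_it": ["newapp_rw", "vpn_users"],   # vpn_users is hypothetical
    "role_dev": ["newapp_ro", "vpn_users"],
    "vpn_users": ["all_staff"],              # all_staff is hypothetical
}
DIRECT_MEMBERS = {
    "role_it": {"alice"},
    "role_dev": {"bob"},
    "all_staff": {"carol"},
}


def ancestors(group, parents, _path=()):
    """Return every group reachable from `group` by following parent edges.

    Raises ValueError on a cycle: a cyclic membership graph has no
    well-defined flattening and should be rejected, not silently resolved.
    """
    if group in _path:
        raise ValueError("cycle: " + " -> ".join(_path + (group,)))
    found = set()
    for parent in parents.get(group, ()):
        found.add(parent)
        found |= ancestors(parent, parents, _path + (group,))
    return found


def flatten(parents, direct_members):
    """Render the DAG to flat groups: group name -> set of effective users."""
    # Validate every group first, including ones without direct members.
    for group in parents:
        ancestors(group, parents)
    flat = defaultdict(set)
    for group, users in direct_members.items():
        for target in {group} | ancestors(group, parents):
            flat[target] |= users
    return dict(flat)


if __name__ == "__main__":
    for name, users in sorted(flatten(PARENTS, DIRECT_MEMBERS).items()):
        print(name, sorted(users))
```

Reviewing the flattened output before it is synced is a direct way to see what a new edge grants transitively, for example that everyone in `role_it` and `role_dev` also lands in `all_staff`.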

CoderessDiana commented 9 months ago

I very much support those ideas! I'm desperate for easier group/role management, which would make our onboarding/enrollment process much more convenient.

sveatlo commented 4 months ago

+1 for this. Coming from FreeIPA, this is the only feature I'm currently missing.

Tygo-van-den-Hurk commented 2 weeks ago

+1 for me as well! It would make it so much easier to edit and maintain permissions in bulk. Has there been any workaround or progress on this so far?