Allow for "Single Tenant" self hosted instance that auto invites all users to a single Org #3967

Open
max-cole opened this issue May 16, 2024 · 3 comments

@max-cole

Is your feature request related to a problem? Please describe.

When self-hosting Flagsmith, the owner of the instance might want to only manage a single org for all of their users. Currently, every user must be manually invited to the same org or share the same invite link. Flagsmith currently allows for OAuth via Google and GitHub. In an ideal world, there would be functionality such that the Flagsmith instance would effectively be a "single tenant org" where all users that successfully authenticate would be invited to this "default" org without having to share a link or mistakenly create their own org.

Describe the solution you'd like.

Functionally, this might be done via env var(s) on the API instance that would change the API to:

- Disable users from creating orgs (already done via Flagsmith on Flagsmith)
- Auto invite all users to some default org
- Disable email/password signup (already done via ALLOW_REGISTRATION_WITHOUT_INVITE)
- Force users to sign up via OAuth/SAML/SSO

The only requirement for this feature would be the auto invite, but it might be useful to bundle/couple these changes from a security perspective so random people don't get auto invited to the org.

Describe alternatives you've considered

Users can log in but must then be invited to the org. This might lead to a user creating an org and using it without the ability for other users of that same instance to edit the flags.

Additional context

Spoke to @dabeeeenster on the Flagsmith Discord around this feature. Happy to discuss this feature request any further.

@novakzaballa
Contributor

Thank you for this feature request @max-cole. We will look at it and prioritize it or reply with comments.

@dabeeeenster
Contributor

I think this is a good idea - surprised it hasn't come up before. I'm not clear why there is a requirement to "Disable email/password signup" - we could lock down the app with the env var ALLOW_REGISTRATION_WITHOUT_INVITE (https://docs.flagsmith.com/deployment/hosting/locally-api#application-environment-variables) which would maintain security?

@max-cole
Author

The call out for the disable email/password signup was more of a "tightly coupling this functionality or at least calling them out in the docs would help users maintain good security hygiene and prevent gun aimed at foot situations" vs a strict requirement. The auto invite is really the only missing element.
