RBAC model for applications

[marcportabellaclotet-mt]

I want to create organizational groups in Authentik and assign specific "roles" that grant members the ability to view and use certain applications. For instance:

• Members of the group myorg/squadA/engineers should have application admin rights to view and use Application A and Application C.
• Members of the group myorg/squadB/engineers should have read-only access to Application A and Application B.

My goal is to avoid creating individual groups for each application and instead rely on user memberships in organizational groups.

I would prefer to utilize Authentik roles for this purpose; however, I’ve encountered a limitation where roles can only be associated with a single group.

As a workaround, I can implement a policy within the applications to scan all groups a user belongs to and check for the corresponding role. Currently, since roles are not viable, I am using custom attributes within groups. While this solution works, I'm looking for the best practice to achieve my goal effectively.

application policy example

orgGroups = request.user.ak_groups.filter(attributes__type='org')
for appRole in orgGroups:
  info = appRole.attributes["appRoles"]
  for it in info:
    if it["name"] == "appA" and len(it["roles"]) > 0:
      return True
return False

Here are the group attrbutes:

type: org
appRoles:
  - name: appA
    roles:
      - administrator
      - readonly