Identity Management
Identity Management in OctoMesh Refinery Studio allows you to manage users, roles, groups, OAuth clients, identity providers, and email domain group rules for your tenant. All identity management features are accessible from the sidebar under the Identity section.
Navigation
The Identity section in the sidebar contains:
| Menu Item | Required Role | Description |
|---|---|---|
| Users | UserManagement | Manage user accounts and credentials |
| Roles | UserManagement | Define and manage roles |
| Groups | UserManagement | Organize users and assign roles via groups |
| Clients | UserManagement | Configure OAuth client applications |
| Identity Providers | TenantManagement | Set up external authentication providers |
| Email Domain Rules | TenantManagement | Automatic group assignment by email domain |
| Admin Provisioning | TenantManagement | Grant parent tenant users access to child tenants |
You need the UserManagement role to see the Identity section. Some pages require the TenantManagement role and are only visible if you have that role assigned.
Concepts
Authentication vs. Authorization
- Authentication verifies who a user is — handled by identity providers (local login, Google, Azure AD, LDAP, etc.)
- Authorization determines what a user can do — handled by roles and groups
Role-Based Access
OctoMesh uses role-based access control (RBAC). Every action in the platform is gated by one or more roles. Users receive roles either through direct assignment or through group membership.
Groups and Role Inheritance
Instead of assigning roles to each user individually, you can create groups with roles and add users to those groups. This is the recommended approach for managing permissions at scale.
Group "Engineering"
├── Roles: Development, CommunicationManagement
├── Members: alice, bob, charlie
└── Child Group: "Engineering Leads"
    ├── Roles: TenantManagement
    └── Members: alice
In this example, alice receives Development, CommunicationManagement, and TenantManagement. bob and charlie receive Development and CommunicationManagement.
Identity Providers
Users can authenticate using external identity systems (Google, Microsoft, Azure Entra ID, LDAP, Active Directory) or through cross-tenant authentication via an OctoTenant provider. Each tenant configures its own set of providers independently.
Workflow Overview
┌────────────────────┐     ┌──────────────┐     ┌──────────────────┐
│ Identity Providers │ ──► │    Users     │ ──► │   Role Access    │
└────────────────────┘     └──────────────┘     └──────────────────┘
Configure login methods    Register/manage      Direct assignment
                                   │
                                   ▼
┌────────────────────┐     ┌──────────────┐
│ Email Domain Rules │ ──► │    Groups    │
└────────────────────┘     └──────────────┘
Auto-assign on login       Bundle roles
- Set up identity providers: Configure how users authenticate (local, Google, Azure AD, etc.)
- Create groups with roles: Define permission bundles for different user types
- Set up email domain rules (optional): Automatically assign new users to groups based on their email domain
- Manage users: Create users, assign them to groups, or let them self-register via identity providers
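The workflow above, worked through as an added example that is not OctoMesh code: a user's effective roles are resolved from direct assignments plus every group they belong to, and an email domain rule places a self-registered user into a group on login. The in-memory model, the names (dave, erin, example.com) and the assumption that a child group inherits its parent group's roles (consistent with the "Engineering" example, which does not state the direction) are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Group:
    name: str
    roles: set = field(default_factory=set)
    members: set = field(default_factory=set)
    parent: Optional[str] = None   # assumed: a child group inherits its parent's roles

# Constructed sample data mirroring the page's "Engineering" example.
GROUPS = {
    "Engineering": Group("Engineering", {"Development", "CommunicationManagement"},
                         {"alice", "bob", "charlie"}),
    "Engineering Leads": Group("Engineering Leads", {"TenantManagement"},
                               {"alice"}, parent="Engineering"),
}
DIRECT_ROLES = {"dave": {"UserManagement"}}      # direct role assignment (constructed)
DOMAIN_RULES = {"example.com": "Engineering"}     # email domain -> group (constructed)

def group_roles(name, groups):
    """Roles of a group plus those inherited up the parent chain; a cycle stops the walk."""
    roles, seen = set(), set()
    while name is not None and name not in seen:
        seen.add(name)
        roles |= groups[name].roles
        name = groups[name].parent
    return roles

def effective_roles(user, groups=GROUPS, direct=DIRECT_ROLES):
    """Union of directly assigned roles and the roles of every group the user belongs to."""
    roles = set(direct.get(user, set()))
    for g in groups.values():
        if user in g.members:
            roles |= group_roles(g.name, groups)
    return roles

def apply_domain_rule(user, email, groups=GROUPS, rules=DOMAIN_RULES):
    """On a user's first login, add them to the group mapped to their email domain."""
    domain = email.rsplit("@", 1)[-1].lower()   # case-insensitive domain match (assumed)
    target = rules.get(domain)
    if target is not None:
        groups[target].members.add(user)
    return target

if __name__ == "__main__":
    apply_domain_rule("erin", "erin@example.com")
    for u in ("alice", "bob", "dave", "erin"):
        print(u, sorted(effective_roles(u)))
```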