How to model authorization parameters for subjects?

Hello!

I’m new to Kratos and need some advice.

I have a case where each user of the system can be part of an organisation and can have a role in it (admin, normal member, etc).

I thought that I should add this in identity schema as traits:

```json
"staff": {
  "type": "array",
  "items": {
    "type": "object",
    "properties": {
      "org": {
        "type": "string",
        "pattern": "^[a-z0-9_-]+$",
        "minLength": 1
      },
      "role": {
        "type": "string",
        "enum": ["admin", "member"]
      }
    }
  }
}
```

However, when I use the self-service node app to register such a user, the Kratos registration flow asks for these role fields in the form. Of course, I do not want to ask a registering user to specify their role and in which org; I want to do this in the backend code.

I could perhaps remove the staff fields from the set of required fields, but I am afraid this is just hiding the problem visually, and I am opening some sort of security hole here - the Kratos API server expects to be given this information.

Should I mess with the fields required by the self-service flows? I guess I shouldn’t. But then - how should I add these pieces of information to the user data? I am clearly missing something here. Help!

OK, so I think the answer is: Kratos is not the place to put authorization data; the user->org mapping should be managed in another system.


Exactly!

Is there a recommended approach or existing solution where to store the user->org mapping?

No, it really depends on your system, environment and context 🙂
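As an added illustration of the conclusion reached above (keep the user->org mapping out of the identity traits and in your own system), here is what such a backend-side store can look like. This is example code written for this thread, not code from the original posts or from Ory. It assumes the backend receives a Kratos session object (the `whoami` response, whose `identity.id` is the identity's UUID) and that every authorization decision is keyed by that id and looked up in the store; the class and function names, the permission strings and the in-memory storage are this example's own choices, and the session dict at the bottom is constructed.

```python
"""Organisation membership kept outside of Kratos (added example).

Assumptions: the backend has a Kratos session (whoami JSON) for the caller
and uses only `identity.id` from it. Names here are hypothetical; the store
would be a database table or a policy engine in a real deployment."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, Optional, Tuple

SYSTEM = "system"  # sentinel actor used only to bootstrap the first admin


class Role(str, Enum):
    ADMIN = "admin"
    MEMBER = "member"


# What each role may do inside its organisation (example permission set).
ROLE_PERMISSIONS: Dict[Role, FrozenSet[str]] = {
    Role.ADMIN: frozenset({"org:read", "org:invite", "org:delete"}),
    Role.MEMBER: frozenset({"org:read"}),
}


class NotPermitted(Exception):
    """Raised when an actor tries to change a membership it may not change."""


@dataclass
class MembershipStore:
    """(identity id, org) -> role, i.e. the user->org mapping from the thread."""
    _roles: Dict[Tuple[str, str], Role] = field(default_factory=dict)

    def role_of(self, identity_id: str, org: str) -> Optional[Role]:
        return self._roles.get((identity_id, org))

    def assign(self, actor_id: str, identity_id: str, org: str, role: Role) -> None:
        """Only the system (bootstrap) or an existing admin of `org` may assign.

        Roles are therefore granted by backend logic, never by the user
        registering themselves."""
        if actor_id != SYSTEM and self.role_of(actor_id, org) != Role.ADMIN:
            raise NotPermitted(f"{actor_id} is not an admin of {org}")
        self._roles[(identity_id, org)] = role

    def is_allowed(self, identity_id: str, org: str, permission: str) -> bool:
        role = self.role_of(identity_id, org)
        return role is not None and permission in ROLE_PERMISSIONS[role]


# Traits the identity schema should own: things a user may state about
# themselves. Anything authorization-related is dropped before a
# registration payload is forwarded, so it cannot enter through self-service.
SELF_ASSERTED_TRAITS = frozenset({"email", "name"})


def traits_for_kratos(submitted: dict) -> dict:
    """Keep only self-asserted traits from a submitted registration form."""
    return {k: v for k, v in submitted.items() if k in SELF_ASSERTED_TRAITS}


def authorize(session: dict, store: MembershipStore, org: str, permission: str) -> bool:
    """Decide a request from the Kratos session plus the external store.

    Only the session's `identity.id` is consulted, never any trait value."""
    if not session.get("active", False):
        return False
    identity_id = session["identity"]["id"]
    return store.is_allowed(identity_id, org, permission)


if __name__ == "__main__":
    store = MembershipStore()
    # Bootstrap: the backend, not the registering user, makes alice an admin.
    store.assign(SYSTEM, "alice-id", "acme", Role.ADMIN)
    store.assign("alice-id", "bob-id", "acme", Role.MEMBER)
    # Constructed session, shaped like a Kratos whoami response.
    bob_session = {"active": True,
                   "identity": {"id": "bob-id", "traits": {"email": "bob@example.com"}}}
    print(authorize(bob_session, store, "acme", "org:read"))    # True
    print(authorize(bob_session, store, "acme", "org:invite"))  # False
    # A form that tries to carry role data loses it before reaching Kratos.
    print(traits_for_kratos({"email": "bob@example.com",
                             "staff": [{"org": "acme", "role": "admin"}]}))
```

The two things this layout buys are the ones the thread is after: the registration form only ever sees the self-asserted traits, so no role field is rendered or accepted there, and a role can only be granted by the backend (bootstrap or an existing admin), so the schema for the identity does not need to know about organisations at all.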