Custom Instance Role for Safe Organization Creation
Hi
I run a self-hosted ZITADEL instance and want a safe workflow for creating organizations via my backend.
The built-in IAM_ORG_MANAGER role is too broad (it includes org.delete, user management, etc.).
Is it correct to create a custom IAM role in RolePermissionMappings with minimal permissions, for example:
org.create
org.write
org.member.read
org.member.write
(optional) project.create / project.write
and use it for a service account that only creates orgs and assigns an owner, but cannot delete orgs or manage users?
Or is there a better/recommended approach in ZITADEL for this use case?
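As an added example (not the poster's own configuration and not code from the ZITADEL project), here is how such a role could be expressed in the ZITADEL configuration file, assuming the `InternalAuthZ.RolePermissionMappings` layout used in ZITADEL's defaults.yaml and an assumed role name `ORG_CREATOR`; the permission strings are the ones listed in the question:

```yaml
# Added example, not from ZITADEL's own config or from the poster.
# Structure assumed from the InternalAuthZ.RolePermissionMappings section
# of ZITADEL's defaults.yaml; ORG_CREATOR is an assumed role name.
InternalAuthZ:
  RolePermissionMappings:
    - Role: "ORG_CREATOR"
      Permissions:
        - "org.create"
        - "org.write"
        - "org.member.read"
        - "org.member.write"
        # Optional, only if the backend must also bootstrap a project:
        # - "project.create"
        # - "project.write"
```

The role only takes effect once it is granted to the service user as an instance membership (for example through the admin API's AddIAMMember call), with the role name above as the membership role. Two checks worth doing after the change: confirm that the built-in roles (IAM_OWNER and the others) are still present after restart, since a list-valued override in the config can replace the default list instead of merging with it; and exercise the service account against an org delete and a user-management call to verify that both are actually rejected rather than relying on the mapping alone.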
