Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow for "Single Tenant" self hosted instance that auto invites all users to a single Org #3967

max-cole opened this issue May 16, 2024 · 3 comments


Copy link

Is your feature request related to a problem? Please describe.

When self hosting flagsmith the owner of the instance might want to only manage a single org for all of their users, currently every user must be manually invited to the same org or share the same invite link. Flagsmith currently allows for oAuth via google and github in an ideal world there would be functionality such that the Flagsmith instance would effectively be a "single tenant org" where all users that successfully authenticate would be invited to this "default" org without having to share a link or mistakenly create their own org.

Describe the solution you'd like.

Functionally this might be done via env-var(s) on the API instance that would change api to:

Disable users from creating orgs (Already done via flagsmith on flagsmith)
Auto invite all users to some default org
Disable email/password signup (already done via ALLOW_REGISTRATION_WITHOUT_INVITE)
Force users to sign up via oAuth/SAML/SSO

The only requirement for this feature would be the auto invite but it might be useful to bundle/couple these changes from a security perspective so random people don't get auto invited to the org.

Describe alternatives you've considered

Users can log in but must then be invited to the org, this might lead to a user creating an org and using it without the ability for other users of that same instance to edit the Flags.

Additional context

Spoke to @dabeeeenster on the flagsmith discord around this feature. Happy to discuss this feature request any further.

Copy link

Thank you for this feature request @max-cole. We will look at it and prioritize it or reply with comments.

Copy link

I think this is a good idea - surprised it hasnt come up before. I'm not clear why there is a requirement to "Disable email/password signup" - we could lock down the app with the env var ALLOW_REGISTRATION_WITHOUT_INVITE ( which would maintain security?

Copy link

The call out for the disable email/password signup was more of a "tightly coupling this functionality or at least calling them out in the docs would help users maintain good security hygiene and prevent gun aimed at foot situations" vs a strict requirement. The auto invite is really the only missing element.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

No branches or pull requests

4 participants