
How to build flexible authorization for multi-tenant B2B SaaS

Blog post from WorkOS

Author: Maria Paktiti
Word count: 2,779
Language: English
Summary

B2B SaaS products typically begin with basic roles such as admin and member, but as customers demand more granular access control the authorization model grows complex and hard to manage. This complexity usually unfolds in four stages: flat roles, permission flags, role explosion, and patched RBAC. Each stage makes access logic harder to change and enterprise customers harder to onboard. To avoid this, the guide recommends building a scalable authorization model from the start, using WorkOS RBAC for organization-level access and WorkOS FGA for resource-specific control. With FGA's resource hierarchy, a role is assigned at a specific node in a resource tree and its permissions flow down to every descendant, giving precise access without creating many custom roles. The model integrates with identity providers for automated role assignment and uses a two-layer enforcement strategy: the JWT carries organization-wide access, and API calls resolve resource-level permissions. This allows incremental adoption, starting with RBAC and extending to FGA as needed, so the model scales without a complete rewrite.
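The resource-hierarchy model the summary describes, as an added illustration in plain Python (not WorkOS code and not its FGA API): a role granted at one node flows down to all descendants, and enforcement is split into an organization layer read from JWT claims and a resource layer resolved against the tree. Role names, resource ids and the claim shape are constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Role -> permissions mapping (constructed sample, not WorkOS's role set).
ROLE_PERMS = {
    "admin": {"document:read", "document:edit", "project:manage"},
    "editor": {"document:read", "document:edit"},
    "viewer": {"document:read"},
}

@dataclass
class ResourceTree:
    parent: dict = field(default_factory=dict)   # child resource id -> parent resource id
    grants: dict = field(default_factory=dict)   # (user, resource) -> set of roles granted there

    def add(self, resource: str, parent: str | None = None) -> None:
        self.parent[resource] = parent

    def grant(self, user: str, resource: str, role: str) -> None:
        self.grants.setdefault((user, resource), set()).add(role)

    def ancestors(self, resource: str):
        # Yield the resource itself, then each ancestor up to the root.
        node = resource
        while node is not None:
            yield node
            node = self.parent.get(node)

    def effective_roles(self, user: str, resource: str) -> set:
        # Roles flow down: a grant on any ancestor applies to this resource.
        roles = set()
        for node in self.ancestors(resource):
            roles |= self.grants.get((user, node), set())
        return roles

def check_org_layer(jwt_claims: dict, org: str) -> bool:
    # Layer 1: coarse organization-wide check from token claims, no backend call.
    return jwt_claims.get("org_id") == org

def check_resource_layer(tree: ResourceTree, user: str, resource: str, permission: str) -> bool:
    # Layer 2: resource-specific check resolved against the hierarchy.
    return any(permission in ROLE_PERMS.get(r, set()) for r in tree.effective_roles(user, resource))

def authorize(tree, jwt_claims, org, user, resource, permission) -> bool:
    return check_org_layer(jwt_claims, org) and check_resource_layer(tree, user, resource, permission)

def build_sample_tree() -> ResourceTree:
    t = ResourceTree()
    t.add("org:acme"); t.add("project:alpha", "org:acme"); t.add("doc:spec", "project:alpha")
    t.add("project:beta", "org:acme"); t.add("doc:budget", "project:beta")
    t.grant("alice", "project:alpha", "editor")   # alice edits only documents under project alpha
    t.grant("bob", "org:acme", "viewer")          # bob reads everything in the organization
    return t
```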