
Module authorization

Introduction to module authorization

In a multi-tenant SaaS environment, you can allow your customers to have their own user administrators and application owners.

To facilitate this, tenants and module authorization are available in IAM. By setting up module authorization in IAM, you can limit or extend a tenant's access to IAM.

The combination of both features creates the most powerful option when an application in IAM is created per tenant: the customer's application owner will only be able to choose roles from the allowed modules to assign to user groups within their own tenant.


Keep in mind that the best solution for your organization might be different. Tenants can also be used without module authorization. Likewise, you can use module authorization to limit applications to specific modules without a tenant.

Roles for module authorization

To use module authorization with tenants:

  1. A Main administrator or an Application administrator needs to create an application per tenant so the modules can be limited per tenant.
  2. An Application administrator needs to assign an Application owner to an application.

This way, the Application administrator and Main administrator can see all the users and the tenant that a user belongs to.

See Administrator roles for more details on the available roles and rights in IAM.

Enable module authorization

Roles: Main administrator, Application administrator

To activate Module authorization at the application level:

menu Authorization > Applications > tab Form

  1. Select the checkbox Limited module access.


  2. This activates the tab Module authorization. Go to this tab.

  3. Activate or deactivate modules for the application.


Role availability in Module authorization

Module authorization directly impacts the available roles as defined in the Software Factory that may be assigned to user groups for this application:

  • Roles that are not a part of a module are always available.
  • Roles that are part of at least one authorized module are also available.
  • A role that is part only of unauthorized modules is not available.

Role availability can be checked in the menu Authorization > Applications > tab Authorization settings > tab Authorization > tab Roles.


The membership of a role outside of the granted modules will be inactivated, not deleted. Accidentally removing a module from an application and restoring it afterward is no problem.
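The availability rules and the inactivation behavior described above can be modeled as follows. This is an added example, not code from IAM or the Software Factory: the class, function, role and module names are hypothetical, and it assumes that an application without Limited module access has no module restriction and that an inactivated membership becomes active again once its module is re-authorized.

```python
from dataclasses import dataclass, field

@dataclass
class Application:
    limited_module_access: bool = False   # models the "Limited module access" checkbox
    authorized_modules: set = field(default_factory=set)
    # user group -> roles assigned to it; memberships are kept, never deleted
    assignments: dict = field(default_factory=dict)

def role_available(app, role_modules):
    """role_modules is the set of modules a role is part of (may be empty)."""
    if not app.limited_module_access:
        return True                       # assumption: no restriction when unchecked
    if not role_modules:
        return True                       # not part of any module: always available
    # part of at least one authorized module: available
    return bool(role_modules & app.authorized_modules)

def effective_memberships(app, roles, group):
    """Map each role assigned to the group to 'active' or 'inactive'."""
    return {
        role: "active" if role_available(app, roles[role]) else "inactive"
        for role in sorted(app.assignments.get(group, ()))
    }

# Constructed sample data: role -> modules the role is part of
ROLES = {
    "viewer": set(),                      # not in any module
    "invoice_clerk": {"finance"},
    "planner": {"logistics", "finance"},  # in two modules
    "warehouse_lead": {"logistics"},
}

def demo():
    app = Application(
        limited_module_access=True,
        authorized_modules={"finance", "logistics"},
        assignments={"tenant_a_staff": set(ROLES)},
    )
    before = effective_memberships(app, ROLES, "tenant_a_staff")
    app.authorized_modules.discard("logistics")   # module removed by accident
    removed = effective_memberships(app, ROLES, "tenant_a_staff")
    app.authorized_modules.add("logistics")       # module restored
    restored = effective_memberships(app, ROLES, "tenant_a_staff")
    return before, removed, restored

if __name__ == "__main__":
    for label, state in zip(("before", "removed", "restored"), demo()):
        print(label, state)
```

When reviewing a tenant's application, roles that are not part of any module deserve attention, because module authorization never restricts them.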
