Users and Teams
A user is described by:
- an identity
- permissions on performing actions over resources
Permissions are computed on the fly based on policies, roles and teams.
Roles
A role defines a set of permissions a user has. Once again, the user's policy is the core entity: it can specify different roles over different resources for any user.
Roles are typically used to set base permissions for users: these are then extended through teams membership or explicit permission granting over resources.
Teams
Teams are groups of users, usually sharing some commonalities. Any team can include users with different roles, and a user can belong to multiple teams.
In practical terms, assigning permissions through roles or teams is the same. Choosing the best strategy depends on your use case: usually, the simplest setup is to use roles as job titles (admin, user, ...) and teams as departments (manufacturing, sales, ...)
You can also create teams of tenants.