Introduction

Authorization that actually matches how organizations work

Overview

Canopy is hierarchical identity and access management for B2B SaaS. It lets you model real organizational structures (regions, departments, teams) and assign roles at any level, with permissions that automatically inherit through the hierarchy. Instead of building custom authorization logic, your application asks:

Can this user do this action in this part of the organization?

And Canopy answers it.

The problem

A SaaS product starts simple:
  - Admin
  - Manager
  - Viewer

That works until your customer has structure.

Now you need:
  - Regional managers with access across multiple locations
  - Department heads with scoped authority
  - Permissions that evolve as the organization grows

Flat RBAC breaks:
  - Access must be assigned repeatedly
  - Nothing inherits
  - Every structural change requires engineering work

So teams build custom authorization systems.

The Shift

Canopy replaces flat RBAC with hierarchical authorization:

  - Assign a role once at a parent node
  - Permissions cascade automatically to all children
  - Organizational structure becomes your access model

No duplication. No drift. No rewrites.

Why This Is Different

Most platforms stop at authentication or flat roles. Canopy is different because it combines:

Hierarchical RBAC

Permissions inherit through an org tree of any depth

Visual control plane

Non-engineers manage access without touching code

Flat → hierarchical evolution

Start simple, scale without migrations

Who Uses Canopy

Developers

Integrate the API, define permissions, and stop building authorization systems from scratch.

Operators

Manage hierarchy, assign access, and debug permissions without engineering.

End Users (Identities)

Use your product. They never see Canopy, but everything they can do is powered by it.

Two Separate Systems

Canopy is intentionally split into two independent systems:

Platform (Admins)
  - Admin users log into the dashboard
  - Configure hierarchy, roles, and permissions
  - Can belong to multiple accounts

Product (Identities)
  - End users of your application
  - Belong to a single account
  - Receive roles and permissions through the hierarchy

Admins configure access. Identities are subject to it.

This separation is what keeps the system clean and scalable.

How It Works (High-Level)

Follow the basic setup:
  1. Define your permission catalog
  2. Create roles
  3. Build your organization hierarchy
  4. Assign roles at nodes
  5. Evaluate permissions at runtime
Under the hood, Canopy:
  1. Walks the hierarchy lineage
  2. Resolves role assignments
  3. Applies inheritance
  4. Returns a structured decision

This is powered by the authorization engine described in the architecture.
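
The four evaluation steps above, as an added sketch that is not Canopy's code or API: every name here (`CATALOG`, `ROLES`, `PARENT`, `ASSIGNMENTS`, `check`, `Decision`) and the sample org tree are constructed for illustration. It assumes default deny and that a role applies only at and below the node where it is assigned.

```python
from dataclasses import dataclass

# Constructed sample data; none of these names come from Canopy.
CATALOG = {"invoice.read", "invoice.approve", "staff.manage"}
ROLES = {
    "viewer": {"invoice.read"},
    "manager": {"invoice.read", "invoice.approve"},
}
PARENT = {  # child node -> parent node (the root maps to None)
    "acme": None,
    "emea": "acme",
    "berlin": "emea",
    "paris": "emea",
    "apac": "acme",
}
ASSIGNMENTS = {  # (identity, node) -> roles assigned at that node
    ("dana", "emea"): {"manager"},
    ("eli", "berlin"): {"viewer"},
}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    granted_by: tuple = ()  # (role, node) that produced the grant

def lineage(node):
    """Return the node and its ancestors, nearest first; reject cycles."""
    path = []
    while node is not None:
        if node not in PARENT or node in path:
            raise ValueError(f"unknown node or cycle at {node!r}")
        path.append(node)
        node = PARENT[node]
    return path

def check(identity, permission, node):
    """Default-deny evaluation: walk lineage, resolve roles, inherit."""
    if permission not in CATALOG:
        return Decision(False, "permission not in catalog")
    try:
        path = lineage(node)
    except ValueError as exc:
        return Decision(False, str(exc))
    for ancestor in path:
        for role in sorted(ASSIGNMENTS.get((identity, ancestor), ())):
            if permission in ROLES.get(role, ()):
                return Decision(True, "granted", (role, ancestor))
    return Decision(False, "no role on lineage grants permission")
```

A role assigned at `emea` grants access at `berlin` and `paris` but never at `acme` or `apac`; that containment is the property to test when reviewing any hierarchical model.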

What You Stop Doing

With Canopy, you no longer need to:

  - Hardcode access rules
  - Duplicate role assignments
  - Build custom org models
  - Debug permission logic manually

Canopy is what RBAC should have been: hierarchical, flexible, and usable at scale.