Hierarchical Role-Based Access Control

Flat RBAC works until your customers have structure. As soon as you need regions, departments, or teams, flat roles stop working. Permissions don't cascade. Access becomes manual. Every new node means more assignments. Canopy solves this with hierarchical RBAC: roles assigned at a parent node automatically apply to all descendants.

Start Flat. Add Hierarchy When You Need It.

Every environment starts as flat RBAC with a single root node and environment-wide roles. When your customers grow, add regions, departments, or teams. Existing role assignments automatically cascade. No migrations. No data rewrites. No code changes. If needed, revert back to flat at any time. Canopy consolidates assignments automatically. This is your strongest adoption path: start simple today, evolve without rebuilding.

Real-World Example: Regional SaaS Customer

A SaaS platform with enterprise customers needs regional managers with access to all offices in their region, store managers with access to one location, and department leads with access to specific teams.

With flat RBAC

  • Dozens of manual assignments per region
  • Every new office requires re-assignment
  • No way to scope visibility per region

With Canopy

  • Assign 'Regional Manager' at 'West Region'
  • Permissions apply to every office and team below
  • No duplication, no maintenance

Downward Inheritance

Assign a role at any node and permissions cascade to every descendant. A regional manager assigned at 'West Region' automatically has access to every office, team, and project underneath, without creating duplicate assignments. Add a new office under a region? It immediately inherits the regional manager's permissions. Zero configuration.

Scoped Evaluation

Ask Canopy 'does this user have permission X at node Y?' and get an instant answer. Evaluation considers direct assignments, inherited roles, and the full hierarchy path. One API call, deterministic result.

Flat RBAC vs Hierarchical RBAC

Flat RBAC
Hierarchical (Canopy)
Role scope
Org-wide
Any node in the tree
Inheritance
None
Permissions cascade downward
New nodes
Manual re-assignment
Automatic propagation
Visibility
All or nothing
Scoped to assignment point
Structure
Breaks with growth
Designed for it

Visual Management

Build and manage your hierarchy through the dashboard. Drag nodes to reorder, assign identities at any level, and see inherited access at a glance, no engineering required.

Ready to simplify access control?

Create an account and have authentication and hierarchical access control running today.

Canopy