How do I model nested or hierarchical Groups?

Groups in Stormpath are flat in nature; you can think of them like labels for your Accounts. While native support for hierarchical Groups (Groups nested within Groups) is on our roadmap, it can be easy to achieve the same effect in Stormpath today using conventions.

Here are the two approaches we’ve seen work well and recommend:

1. One convention is to use the Group’s description field to keep track of its location in a Group hierarchy. You can choose a character like ‘/’ or ‘.’ to indicate hierarchy depth. For example, consider the following Group:

  "name": "Northeast US Sales",
  "description": "US/US East"

In this case, the description value indicates that the ‘Northeast US Sales’ Group is a child of the ‘US East’ Group, and that the ‘US East’ Group is in turn a child of the ‘US’ Group.

This simple convention allows for some convenient functionality. Suppose you wanted to query Stormpath for all Groups in the US. This becomes a simple pattern matching query:


Similarly, you could find all groups in the US East region only:


One thing to be aware of with this approach: if you rename any Group that has child Groups, you must update the hierarchy path in each of the child Groups (and any of their children, and so on) to reflect the new name-based hierarchy.

2. Alternatively, some developers use the customData resource (which can be attached to either an individual user Account or a Group). You can store any permissions in a schemaless JSON block, such as:

"role" : "Sales", 
"geography" : "NorthAmerica", 
"region" : "East" 

Keep in mind that customData is not yet searchable. If you plan to query for specific roles, you should consider using Groups instead. Read more about working with customData here:

Custom Data using the REST API
Custom Data using the Java SDK
Custom Data using the Node.js SDK
Custom Data using the Python SDK
Custom Data using the Ruby SDK
Custom Data using the PHP SDK
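
For the description-path convention in approach 1, the following Python is an added example, not Stormpath SDK code. The Group class, the helper names and every sample Group other than 'Northeast US Sales' are assumptions, as is the rule that Group names never contain the separator. It matches descendants on whole path segments and applies the rename rewrite to every affected child Group.

```python
# Added example: in-memory model of the description-path convention.
# Group and the helpers below are hypothetical, not Stormpath SDK calls.
from dataclasses import dataclass

SEP = "/"  # hierarchy separator chosen for the convention

@dataclass
class Group:
    name: str
    description: str  # path of ancestors; "" for a top-level Group

def path_of(group):
    """Full path of a Group: its ancestor path plus its own name."""
    return group.description + SEP + group.name if group.description else group.name

def descendants(groups, ancestor_path):
    """Groups below ancestor_path, compared on whole path segments.

    A bare prefix test on "US" would also return Groups under "USVI",
    which matters when membership in a subtree is used to grant access.
    """
    return [g for g in groups
            if g.description == ancestor_path
            or g.description.startswith(ancestor_path + SEP)]

def rename(groups, old_path, new_name):
    """Rename the Group at old_path and rewrite every descendant's description.

    Returns the names of all Groups whose stored data changed.
    """
    target = next(g for g in groups if path_of(g) == old_path)
    affected = descendants(groups, old_path)  # collect before mutating
    target.name = new_name
    new_path = path_of(target)
    for g in affected:
        g.description = new_path + g.description[len(old_path):]
    return [target.name] + [g.name for g in affected]

def sample_groups():
    # Constructed sample data; only "Northeast US Sales" comes from the page.
    return [
        Group("US", ""),
        Group("US East", "US"),
        Group("Northeast US Sales", "US/US East"),
        Group("Boston Sales", "US/US East/Northeast US Sales"),
        Group("US West", "US"),
        Group("USVI", ""),
        Group("USVI Sales", "USVI"),
    ]
```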
