Organisation visibility

We understand that different units in your organisation often need to see only their own projects and people. Perhaps you have departments that work in silos, or staff who should focus solely on their own assignments. Organisation visibility lets you control what each user sees—without locking anyone out of the settings they need.

This guide explains how Rediflow restricts projects and people by Authentik group, and how to configure it for your deployment.

What organisation visibility does

When organisation visibility is enabled, Rediflow filters what each user can see based on their Authentik groups:

  • Projects — Users see only projects where their organisation is the Project Owner Organisation (POO) or a partner.
  • People — Users see only people in the same top-level organisation as their own.
  • Global settings — Calendars, role types, feature flags, and other system-wide settings remain accessible to everyone. Visibility does not hide Settings; it only filters project and person data.

Admins and super-admins bypass these filters and see everything. You stay in control.

When to use it

Organisation visibility is useful when:

  • Different units own different projects — A university with schools and institutes; each unit sees only its projects and people.
  • Staff need assignment-only access — Employees who should see only the projects they are assigned to, not the full portfolio.
  • Compliance or privacy — You need to ensure that sensitive project data is visible only to the right people.
  • Reduced noise — Directors and managers want a focused view of their unit’s work, not the entire organisation’s project list.

If everyone in your deployment should see all projects and people, you can leave visibility off. The default is full access.

What users see

| Visibility mode | Projects | People | Global settings |
|---|---|---|---|
| Full (admins, or no visibility group) | All projects | All people | Yes |
| Organisation-level | Projects where user's organisation is Project Owner Organisation (POO) or partner | People in same top-level organisation | Yes |
| Assignment-only | Only projects the user is assigned to | People in those projects | Yes |

In all modes, users can access Settings, change their preferences, and use the organisation filter dropdown—but the dropdown shows only organisations they are allowed to see.

How it works

Visibility is driven by Authentik groups. When a user logs in, Rediflow reads their group names from the OIDC token and applies the corresponding visibility mode.

| Group | Effect |
|---|---|
| rediflow-admins or rediflow-super-admins | Full visibility; see all projects and people |
| rediflow-visibility-org or rediflow-org-<short_name> | Organisation-level visibility; see projects where user's organisation is Project Owner Organisation (POO) or partner |
| rediflow-visibility-assigned | Assignment-only; see only projects the user is assigned to (requires Person linked to User) |

The rediflow-org-<short_name> groups (e.g. rediflow-org-ACR) tell Rediflow which organisations the user belongs to. The short name must match an organisation in Settings → Organisations.

For OIDC (OpenID Connect) setup and how to create these groups in Authentik, see Authentik setup.

Organisation hierarchy

How visibility behaves depends on your organisation structure:

  • Flat structure — Each organisation is its own root (no parent). A user in rediflow-org-EXAMPLE sees only projects where EXAMPLE is Project Owner Organisation (POO) or partner. Sibling organisations’ projects are hidden.
  • Hierarchical structure — Organisations have parents (e.g. ACR → ACR-Energy, ACR-IT). A user in rediflow-org-ACR-Energy sees projects for ACR and all its descendants (ACR-Energy, ACR-IT, etc.). This reflects the idea that a branch shares visibility within the same top-level unit.

The organisation picker (filter dropdown) respects this: when visibility is enabled, it shows only organisations in the user’s branch. Users cannot switch to an organisation they are not allowed to see.
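
The group and hierarchy rules above, as an added Python sketch (not Rediflow's own code): it maps a token's group names to a visibility mode and the set of visible organisations, and flags group names that miss the exact, case-sensitive match. The function names, the sample organisation tree, and the choice that assignment-only wins over organisation-level when a user holds both groups are assumptions.

```python
# Added illustration, not Rediflow source code. Function names are hypothetical.
ADMIN_GROUPS = {"rediflow-admins", "rediflow-super-admins"}
MODE_GROUPS = {"rediflow-visibility-org", "rediflow-visibility-assigned"}
ORG_PREFIX = "rediflow-org-"

# Constructed organisation tree: short name -> parent (None = top-level).
PARENTS = {"ACR": None, "ACR-Energy": "ACR", "ACR-IT": "ACR", "EXAMPLE": None}

def root_of(org, parents):
    """Walk up to the top-level organisation (assumes the tree has no cycles)."""
    while parents[org] is not None:
        org = parents[org]
    return org

def branch(org, parents):
    """Every organisation that shares org's top-level root."""
    root = root_of(org, parents)
    return {o for o in parents if root_of(o, parents) == root}

def resolve(groups, parents=PARENTS):
    """Return (mode, visible_orgs, warnings) for the group names in a token."""
    groups = set(groups)
    orgs, warnings = set(), []
    for g in sorted(groups - ADMIN_GROUPS - MODE_GROUPS):
        if g.startswith(ORG_PREFIX) and g[len(ORG_PREFIX):] in parents:
            orgs.add(g[len(ORG_PREFIX):])
        elif g.lower().startswith("rediflow-"):
            # Exact, case-sensitive matching: a misspelt name or an unknown
            # short name is not treated as a visibility group by this sketch.
            warnings.append(f"unrecognised group: {g}")
    if groups & ADMIN_GROUPS:
        return "full", set(parents), warnings
    if "rediflow-visibility-assigned" in groups:
        # Assumption: the narrower mode wins when a user holds several groups.
        return "assigned", set(), warnings
    if "rediflow-visibility-org" in groups or orgs:
        visible = set().union(*(branch(o, parents) for o in orgs))
        return "org", visible, warnings
    # No visibility group at all: the documented default is full access.
    return "full", set(parents), warnings
```

In this sketch a user whose only group is misspelt (for example Rediflow-Org-ACR) matches no visibility group and falls through to the full-access default, so the warnings list is worth checking when auditing group assignments.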

Configuration

  1. Enable the feature — Set PROJECT_VISIBILITY_ENABLED=true in your config file (e.g. .env.qa, .env.prod). See Configuration for where to set variables.

  2. Use Authentik — Organisation visibility requires OIDC (Authentik or similar). Ensure OIDC_ISSUER, OIDC_CLIENT_ID, and OIDC_CLIENT_SECRET are set. See Authentik setup.

  3. Create groups in Authentik — Create the groups listed above and assign users. Group names must match exactly (case-sensitive).

  4. Restart the app — After changing PROJECT_VISIBILITY_ENABLED, restart the application.

In the running app, go to Settings → Feature flags to see whether organisation visibility is on or off for your deployment.

See also

  • Authentik setup — Run Authentik, configure OIDC, and create groups
  • Feature flags — Enable or disable organisation visibility and other features
  • Help — In-app help for Authentik and project visibility