SaaS User Management: Tips and Best Practices
Managing users in B2B SaaS isn't easy. There's just an awful lot of stuff to manage. It can feel really overwhelming if you're just getting started. Trust me on this one. I talk to people literally every day about SaaS user management, and everyone has a hard time.
You're on the hook for getting your tenancy model right, building a login UI, building a settings UI, designing roles and permissions, scrutinizing your security posture, and more.
In this article, I hope to make your life a little bit easier. I'll cover a few really important tips and best practices that have emerged from our work with many SaaS companies.
Tips and best practices for SaaS user management
When people get SaaS user management wrong, it's usually for pretty predictable reasons. If you get these things right from the beginning, you'll be much happier.
In no particular order:
- Get your tenancy model right: always think in organizations. You will be very unhappy if you design logical isolation around individual users. SaaS applications are for businesses -- not consumers. You need your first-class tenants to be Organizations (or Workspaces, etc.). Users must always belong within Organizations.
- Know what you're getting into. There is simply no way around complexity here. User management and auth show up everywhere in your code and your user experience. There's just a lot of surface area. You need to build a ton of UI. You need your auth service to be fast -- because it's going to be a limiting factor for your app's overall performance. You even need a transactional email provider that delivers auth codes quickly and reliably to your customers' inboxes. Owning user management and auth is a ton of work.
- Try very hard not to invent things. Consumer software that operates at extraordinary scale (think of Facebook) sometimes needs to do radical, inventive stuff. This is nearly always a bad idea in business software. If you're inventing things, you're likely piling on technical debt that you'll regret later. In the worst case, you could be stumbling into very regrettable security problems. Nearly every problem you'll encounter in B2B user management has been solved before. Do your best to steal good ideas.
- Design a solid AuthZ foundation around sound RBAC design. I highly recommend avoiding complex policy engines for authorization. Don't get me wrong; there are absolutely SaaS applications that need something like Zanzibar. You're very unlikely to be one of them. Try very hard to design your permissions around actions that roll up into discrete user roles. RBAC isn't just admin and member. You can go a very long way using role-based access control!
- Read the docs. No, really. There is a correct way to do most things in B2B user management (see: try very hard not to invent things). If you are using a reasonably good library or service, you should find the correct answers in the documentation. If you don't find the answers you're looking for, you may be better off exploring alternative libraries or services. That said, some services just don't have great documentation, and you need to dig in. Here's an example: developers relying on claims from Login with Google continually use the email claim as a unique identifier for users, even though Google explicitly says not to do this. If a user changes their primary email address in Google Workspace, these developers will see their Login with Google implementation break.
- Design security precautions around users' real behavior. You should anticipate that users are going to behave relatively poorly (in terms of security). Do what you can to protect your customers from themselves. For example, if you let users log in with passwords, you can't reasonably expect that the passwords they use for your service will actually be unique -- check breaches and don't let your users set passwords like "p@ssword."
- Anticipate the support experience. Be aware that you're never done with user management. You will have your support team ask for user impersonation. You will have your users change their email addresses (many people use these as unique IDs!). You will have customers ask for custom roles. You will have customers ask for custom auth behavior within their tenants (e.g., turning off magic link auth for their employees).
- Anticipate the enterprise. Big companies are brutal on user management. They have their own requirements. They will expect a litany of features from SAML SSO (or enterprise OIDC SSO) to SCIM provisioning. They'll expect that you can produce comprehensive audit logs for everything their employees do in your software. Some of them will want a private cloud or on-premise deployment (and the contract size will have stakeholders on your back).
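The first and fourth tips above (organizations as the first-class tenant, and permissions as actions that roll up into roles) fit together in one small model. The following is an added example written for this article, not Tesseral's code or API; the organizations, users, roles and action names are constructed for illustration, and a real service would load them from its database after authenticating the caller.

```python
"""Organization-scoped users with action-based RBAC (added example)."""
from dataclasses import dataclass

# Permissions are named after the actions they allow; roles are just bundles
# of actions. Adding a "billing_admin" or a customer-specific role later means
# adding a row here, not rewriting authorization checks.
ROLE_ACTIONS: dict[str, frozenset[str]] = {
    "owner": frozenset({"org.read", "org.billing", "members.invite",
                        "members.remove", "projects.read", "projects.write"}),
    "admin": frozenset({"org.read", "members.invite", "members.remove",
                        "projects.read", "projects.write"}),
    "editor": frozenset({"org.read", "projects.read", "projects.write"}),
    "viewer": frozenset({"org.read", "projects.read"}),
}


@dataclass(frozen=True)
class Membership:
    user_id: str
    org_id: str
    role: str


class Directory:
    """In-memory stand-in for the tenant tables (constructed for the example)."""

    def __init__(self) -> None:
        self.orgs: set[str] = set()
        self.users: set[str] = set()
        # (user_id, org_id) -> role. A user has no standing outside an org.
        self.memberships: dict[tuple[str, str], str] = {}

    def add_org(self, org_id: str) -> None:
        self.orgs.add(org_id)

    def add_user(self, user_id: str, org_id: str, role: str) -> None:
        """Users are only ever created inside an organization."""
        if org_id not in self.orgs:
            raise ValueError(f"unknown org {org_id}")
        if role not in ROLE_ACTIONS:
            raise ValueError(f"unknown role {role}")
        self.users.add(user_id)
        self.memberships[(user_id, org_id)] = role

    def actions_for(self, user_id: str, org_id: str) -> frozenset[str]:
        role = self.memberships.get((user_id, org_id))
        return ROLE_ACTIONS[role] if role else frozenset()

    def authorize(self, user_id: str, org_id: str, action: str) -> bool:
        """Deny by default: no membership in org_id means no actions there,
        regardless of what roles the same user holds in other organizations."""
        return action in self.actions_for(user_id, org_id)

    def list_projects(self, user_id: str, org_id: str,
                      projects: dict[str, list[str]]) -> list[str]:
        """Every read is both scoped by org_id and authorized. The org_id
        comes from the authenticated session, never from a query parameter."""
        if not self.authorize(user_id, org_id, "projects.read"):
            raise PermissionError(f"{user_id} may not read projects in {org_id}")
        return projects.get(org_id, [])


def build_demo() -> Directory:
    """Two constructed tenants; alice is an owner in one and a viewer in the other."""
    d = Directory()
    d.add_org("org_acme")
    d.add_org("org_globex")
    d.add_user("user_alice", "org_acme", "owner")
    d.add_user("user_bob", "org_acme", "viewer")
    d.add_user("user_alice", "org_globex", "viewer")
    return d


if __name__ == "__main__":
    demo = build_demo()
    print(demo.authorize("user_alice", "org_acme", "members.invite"))    # True
    print(demo.authorize("user_alice", "org_globex", "members.invite"))  # False
    print(demo.authorize("user_bob", "org_globex", "projects.read"))     # False
```

The point of keying memberships on (user, organization) rather than on the user alone is that a role never leaks across tenants: the same person can be an owner in one organization and a viewer in another, and a user with no membership in an organization is refused everything there.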
There's a lot more, of course, but if you keep these tips in mind, you'll be in fairly good shape!
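The Login with Google example from the "read the docs" tip is worth seeing in code. Google's OpenID Connect documentation tells you to use the sub claim as the stable user identifier, and that is what the store below keys on. This is an added example, not Tesseral's code; the ID token claims are constructed dicts standing in for what you have after verifying a real token's signature, issuer, audience and expiry, and the "fragile" store is included only to show how an email-keyed implementation breaks when a user's primary address changes.

```python
"""Key Google sign-in accounts on the sub claim, not on email (added example)."""
from dataclasses import dataclass

# Both issuer spellings appear in Google-issued ID tokens.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


@dataclass
class Account:
    account_id: str
    google_sub: str
    email: str


def _check_claims(claims: dict) -> None:
    """Minimal sanity checks on already-verified claims (constructed inputs here)."""
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("not a Google-issued token")
    if not claims.get("email_verified", False):
        raise ValueError("refusing to trust an unverified email claim")


class SubKeyedStore:
    """Correct: find-or-create by sub; email is profile data kept in sync."""

    def __init__(self) -> None:
        self._by_sub: dict[str, Account] = {}
        self._next = 1

    def sign_in(self, claims: dict) -> Account:
        _check_claims(claims)
        sub = claims["sub"]
        account = self._by_sub.get(sub)
        if account is None:
            account = Account(f"acct_{self._next}", sub, claims["email"])
            self._next += 1
            self._by_sub[sub] = account
        elif account.email != claims["email"]:
            # Primary address changed in Google Workspace: same person, same account.
            account.email = claims["email"]
        return account


class EmailKeyedStore:
    """Fragile: keyed on email, so an address change silently creates a second
    account and the user loses access to everything tied to the first one."""

    def __init__(self) -> None:
        self._by_email: dict[str, Account] = {}
        self._next = 1

    def sign_in(self, claims: dict) -> Account:
        _check_claims(claims)
        email = claims["email"]
        account = self._by_email.get(email)
        if account is None:
            account = Account(f"acct_{self._next}", claims["sub"], email)
            self._next += 1
            self._by_email[email] = account
        return account


# Constructed claims: the same Google account before and after an email change.
BEFORE = {"iss": "https://accounts.google.com", "sub": "110169484474386276334",
          "email": "alice@example.com", "email_verified": True}
AFTER = {"iss": "https://accounts.google.com", "sub": "110169484474386276334",
         "email": "alice.smith@example.com", "email_verified": True}


def compare_stores() -> tuple[bool, bool]:
    """Return (sub_keyed_same_account, email_keyed_same_account)."""
    good, bad = SubKeyedStore(), EmailKeyedStore()
    g1, g2 = good.sign_in(BEFORE), good.sign_in(AFTER)
    b1, b2 = bad.sign_in(BEFORE), bad.sign_in(AFTER)
    return g1.account_id == g2.account_id, b1.account_id == b2.account_id


if __name__ == "__main__":
    print(compare_stores())  # (True, False)
```

The same rule applies to every identity provider, not just Google: link accounts on the provider's stable subject identifier (scoped to its issuer), and treat the email address as mutable profile data that support staff and users are allowed to change.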
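For the "check breaches" advice in the security-precautions tip, the following is an added example (not Tesseral's code) of a password check in the k-anonymity range format used by Have I Been Pwned's Pwned Passwords API: hash the candidate password with SHA-1, send only the first five hex characters of the digest, and compare the returned "SUFFIX:COUNT" lines locally so the full hash never leaves your service. The range response here is constructed so the example runs offline; a real check fetches it over HTTPS. The denylist and minimum length are illustrative choices, not values from the article.

```python
"""Breached-password and denylist check, k-anonymity style (added example)."""
import hashlib

# Illustrative denylist; a real one is much longer and matched case-insensitively.
COMMON_PASSWORDS = {"password", "p@ssword", "123456", "qwerty", "letmein"}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breach_count(password: str, range_response: str) -> int:
    """Return how many times the password appears in a range response for its
    5-character prefix, or 0 if absent. Only the 35-character suffix is compared;
    the prefix is the sole thing a client would send to the lookup service."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    assert len(prefix) == 5 and len(suffix) == 35
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def password_problems(password: str, range_response: str,
                      min_len: int = 12) -> list[str]:
    """List the reasons a candidate password should be rejected (empty = OK)."""
    problems: list[str] = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    seen = breach_count(password, range_response)
    if seen:
        problems.append(f"seen {seen} times in known breaches")
    return problems


def constructed_range_response(known: dict[str, int]) -> str:
    """Build a fake range response listing the given passwords' SHA-1 suffixes
    with the given counts. Constructed for the example; not real breach data."""
    return "\n".join(f"{sha1_hex(p)[5:]}:{n}" for p, n in known.items())


if __name__ == "__main__":
    response = constructed_range_response({"p@ssword": 1234})
    print(password_problems("p@ssword", response))
    print(password_problems("zebra-quartz-9-lantern", response))  # []
```

Because the check runs on a freshly submitted password (at signup, password change, or login), it costs one outbound request per attempt and reveals only a hash prefix shared by hundreds of unrelated passwords, which is why this is the usual way to implement breach checks without shipping plaintext or full hashes to a third party.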
SaaS user management doesn't have to be hard
If you're handling SaaS user management yourself, you're signing up for a lot of work. You can make your life easier by using Tesseral. Tesseral is an open source user management and auth provider designed specifically for B2B applications. It anticipates all of the subtle, frustrating details that present themselves as your SaaS grows and accommodates increasingly complex customers.
With just a few lines of code, you can get started in a day or two -- and you'll get all of the enterprise features you need with no extra effort.