If a user has the “Administrator” role for the application, at least the way mine is set up for my application, s/he still needs group access. I have a routine at the top of every single API call that checks group access. And if not valid, it returns a NotAuthorized() type of HTML response to it.
At least in my .NET Core, the line below would allow anyone with a role of Administrator or Editor to at least call the API. But inside that API code, I further restrict on groups you have to be a part of with my application's “SYSTEMNAME_ROLENAME” setup. So just being an Administrator role does not allow the rest of the functionality. But you must put that 2nd check into the API yourself, the way I wrote this article up.
[Authorize(Roles = "Administrator,Editor")]
It does not work for every use case. It may be that, for the 1 person in multiple companies, the 1 realm per “user” or “company” may work better. This article just explains one option as a talking point or workable example. I am using this in my application and it works well so far. A user can be “Administrator” and that lets them get to only 1 API call w/o the “group check”, but every other single API call I have checks groups. And it issues a NotAuthorized() if you are not in there. And logs it and pushes out an Audit log.
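The two-layer pattern the comment describes (a role gate on the controller, then a per-action group check that denies, logs and audits), as an added ASP.NET Core example that is not the commenter's or the article's own code. It assumes group names arrive on the principal as claims of type "groups" in the "SYSTEMNAME_ROLENAME" shape, uses a hypothetical IAuditLogger for the audit log, and stands in for the comment's NotAuthorized() with the framework's Forbid() (HTTP 403); the system name "BILLING" and the invoice ids are constructed sample values.

```csharp
// Added example, not the page's code. Layer 1: [Authorize(Roles=...)] on the controller.
// Layer 2: every action re-checks a SYSTEMNAME_ROLENAME group before doing any work.
// Assumptions (not from the page): groups are "groups" claims; IAuditLogger is hypothetical.
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

// Hypothetical audit sink; a real implementation would write to a durable audit store.
public interface IAuditLogger
{
    Task WriteAsync(string eventName, string user, string detail);
}

public static class GroupAccess
{
    // Claim type under which group names are expected (assumption).
    public const string GroupClaimType = "groups";

    // True when the principal carries a group literally named SYSTEMNAME_ROLENAME.
    public static bool HasGroup(ClaimsPrincipal user, string systemName, string roleName)
    {
        var required = $"{systemName}_{roleName}";
        return user.Claims.Any(c =>
            c.Type == GroupClaimType &&
            string.Equals(c.Value, required, StringComparison.OrdinalIgnoreCase));
    }
}

[ApiController]
[Route("api/[controller]")]
[Authorize(Roles = "Administrator,Editor")]   // layer 1: only these roles reach the actions at all
public class InvoicesController : ControllerBase
{
    private const string SystemName = "BILLING";   // constructed sample system name
    private readonly IAuditLogger _audit;
    private readonly ILogger<InvoicesController> _log;

    public InvoicesController(IAuditLogger audit, ILogger<InvoicesController> log)
    {
        _audit = audit;
        _log = log;
    }

    // Layer 2: returns null when the caller is in the required group; otherwise
    // logs the denial, writes an audit record and returns the 403 result to send.
    private async Task<IActionResult?> RequireGroupAsync(string roleName)
    {
        if (GroupAccess.HasGroup(User, SystemName, roleName))
            return null;

        var who = User.Identity?.Name ?? "(anonymous)";
        var group = $"{SystemName}_{roleName}";
        _log.LogWarning("Group check failed: user {User} lacks {Group}", who, group);
        await _audit.WriteAsync("GroupDenied", who, $"{group} on {Request.Path}");
        return Forbid();   // authenticated and role-gated, but not in the group
    }

    [HttpGet]
    public async Task<IActionResult> List()
    {
        if (await RequireGroupAsync("READER") is { } denied) return denied;
        return Ok(new[] { "inv-1001", "inv-1002" });   // constructed data
    }

    [HttpPost]
    public async Task<IActionResult> Create([FromBody] string invoiceId)
    {
        if (await RequireGroupAsync("EDITOR") is { } denied) return denied;
        return Created($"/api/invoices/{invoiceId}", invoiceId);
    }
}
```

Keeping the group check as a single helper called on the first line of every action is what makes the "no API call without the group check" property easy to review: a missing call stands out in a diff, and every denial goes through one place that both logs and audits.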