
Show HN: RoleUp – Simple Identity Management - roleup
https://www.roleup.io
======
roleup
Hi, I'm the founder of RoleUp. It's a simple identity management service for
small to medium teams that don't want to deal with LDAP or complex identity
providers.

We have about 20 integrations right now, but we'll be adding many more over
the next month.

Let me know what you think or if you have any questions.

------
roleup
If you're curious, we now have a demo at:
[https://demo.roleup.io](https://demo.roleup.io)

Check it out

------
pmessana
This looks great, any chance you have a list of integrations coming soon,
specifically looking for DataDog.

~~~
roleup
Thanks.

Datadog is actually already supported, and you can see a full list of current
and planned integrations here:
[https://app.roleup.io/integrations](https://app.roleup.io/integrations)

If you want to be notified of new ones, there is a link on that page you can
use to subscribe for integration updates.

We won't spam you.

------
ehacke
Why not just use Okta or something?

~~~
roleup
You could do that, it's just way more complicated to set up and maintain.

TBH, I basically got the idea for this after spending most of a day trying and
failing to get Okta to work. Not to mention the vagueness of their pricing.

I'm sure Okta is great for large companies, but it's just way too much
complexity for what should be a rather simple problem for small teams.

For the teams I've led, all I've wanted is just a simple service that lists
the accounts in each SaaS, and allows you to create and remove accounts.

So that's what I built.

------
effervescentia
is there a limit to the number of teams or team members that this service can
support?

~~~
roleup
It can sync as many accounts as you have in the integrations you connect. The
billing is done based on usage, so you only pay for what you use. It's $0.60
USD per synced account per month.

Any admins you add to RoleUp itself are free.

------
chatmasta
Looks nice, and solves a problem. But you're entering a really difficult niche
against strong competition from auth0 and Okta.

Personally, I'm a "roll your own auth" kinda guy. I have trouble justifying
offloading a core part of my infrastructure to a third party, especially if it
has a per-user cost and I have a free tier or am not charging users.

If I _were_ to choose "buy" in the "build vs. buy" of an auth system, it would
be for internal apps only. My number one criterion would be finding a reliable
provider that will still exist in five years. Based on that, if I'm choosing
between Roleup, Okta and auth0... I'm not going to go with Roleup. And even if
there are some awesome features you have that they don't, you don't have a
free tier to try them out.

Here are my suggestions:

- Eliminate the free trial and replace it with a free tier (something like
free for your first 1000 users). Let me sign up immediately, and funnel me to
the dev docs. Do not make me confirm my email before I can even see anything.

- Find a way to differentiate from Okta/auth0 beyond "we're simpler than them
because we're missing so many of their features." You can't compete on
features right now; their products are just far too developed. But you can
differentiate on price. Their biggest weakness is per-user pricing. Would-be
entrepreneurs see that, imagine their successful product, and extrapolate how
much it'll cost them 2 years down the line. Play into those hopes; show them
that your service will never cost more than a few hundred a month.

- Consider offering a self-hosted version. There are many approaches to
pricing/licensing for this.

- Consider open sourcing core parts of the implementation (maybe everything
except the dashboard), or making a commitment that you'll open source the code
if you ever shut down the company.

- Focus on authentication for internal apps where 100% uptime 24/7/365 is not
as critical a feature as it is for user-facing apps.

- Target the marginally tech-savvy founders of fast growing, small startups
who have a bunch of internal tools made by contractors, and want to make some
kind of admin dashboard for them.

- Build out integrations in as many languages as possible (things like a
passport.js strategy for logging in via Roleup).

- Make it clear what "integration" means in the context of Roleup on your
landing pages. For SEO, you probably want a landing page per integration. For
each one, show screenshots of the integration and using it. This page [0] is
great, but it's still unclear to me what "integration" means in this context.
Does an integration with Zoom mean I can use my Zoom account to log into an
internal app via Roleup? Or does it mean I can use my Roleup account to
authenticate with Zoom? What does the process look like for devs, and for
users? (EDIT: Just saw you have this for Slack. I could barely see the
"Details" link FWIW. Bring this info forward!)

- Set up at least one demo administration node (maybe more if you want to
automate setting up for users) pre-filled with data. Make "try demo" your
landing page call-to-action. Give the user a functioning admin dashboard with
a bunch of accounts that resets its data every hour. Make sure the demo shows
how it works for both admins and users.

- Give people reason to trust you with their most sensitive credential data.
You're a brand new company run by one person -- why should I let you handle my
users' credentials? Where is the security documentation? About page? Who are
you? Why should I trust you?

Good luck! You've picked a challenging product.

[0] [https://app.roleup.io/integrations](https://app.roleup.io/integrations)

~~~
roleup
These are all great points, really appreciate it.

Before I respond to the individual stuff, I'll define some of the
functionality because you rightly point out that it might be a bit vague.

At a high level, RoleUp uses OAuth or API keys to connect to different
services and pull in the details of all the user accounts it finds. Depending
on the service, each integration can:

- list accounts
- create/remove accounts
- list memberships of those accounts (any groups, teams, orgs, etc.)
- list the roles of those accounts (developer, admin, owner,
cloud-function:viewer, etc.)

Then those accounts are grouped by email into identities that you can manually
adjust if you want.

But it doesn't provide an identity service itself; I don't offer single
sign-on. I just help with managing accounts and onboarding/offboarding people.

In terms of security, all credentials are encrypted at rest, and in transit,
and only decrypted by the application immediately before being used to call
the target service. On top of that, it uses Google's KMS for key management,
and all keys in the system are auto-rotated every 30 days.

- In terms of cost, my initial thoughts were that it would be easier for the
customer to manage if it's just an inexpensive usage-based plan, rather than
having the whole thing randomly stop working when they cross the threshold of
some tier.

- That said, I see what you are saying. Firstly, people expect a tiered model,
and without that, it's a bit scary because they can't visualize the cost.
Also, even if their whole shop is going to cost them only $10 a month in
usage, they won't know that until they sign up and get the bill. So a free
tier, with a limited middle one, and an unlimited upper one would probably be best.

- Definitely had considered the self-hosted option, but kicked that can down
the road. It wouldn't be too difficult at this point though. It can work with
basically any DB the way it's written and requires minimal resources.

- Open source too is fine. If anything, maybe preferred for me tbh.

- In terms of "auth for internal services", I think that's a point of
confusion. I tried to summarize at the beginning.

- And yeah, already on the demo idea. I need a lower barrier to allowing
people to try it out.

- Good point about the integrations, I was relying on people trying it to see
how it works, but I can see why that's too high a bar.

- And I thought about the security page, but had not gotten to it. It's
something I put a lot of thought into, and I was going to do a sort of
technical series of blog posts on the subject to show the architecture and the
choices I made. But you're right. Even just a simple page explaining that
everything is encrypted with auto-rotating keys would be useful.

- Another thing I considered in order to deal with the security concerns is
to just 100% end-to-end encrypt all user data and credentials. It wouldn't
actually require too much modification to how the system is designed, but it
would mean that syncing could only happen if an admin was logged in and
provided the key, or if they made their key available via a webhook or
something.
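As an added illustration of the account-to-identity grouping and the onboarding/offboarding review the founder describes above (this is example code written for this thread, not RoleUp's own; the service names, roles, e-mail addresses and HR roster are constructed):

```python
"""Group per-service accounts into identities and review them for offboarding.

Illustrative code, not RoleUp's. Models the behaviour described in the
thread: each integration lists accounts with roles/memberships, accounts
are grouped by e-mail into identities, and an admin reviews the result.
"""
from collections import defaultdict

# Constructed sample output of three hypothetical integrations.
# Each tuple: (service, email, roles, memberships)
ACCOUNTS = [
    ("github",  "Alice@Example.com",    ["admin"],  ["org:acme"]),
    ("slack",   "alice@example.com",    ["member"], ["#eng"]),
    ("datadog", "alice@example.com",    ["admin"],  []),
    ("github",  "bob@example.com",      ["member"], ["org:acme"]),
    ("slack",   "contractor@gmail.com", ["guest"],  ["#eng"]),
]

# Constructed HR roster of people who should currently have access.
ROSTER = {"alice@example.com", "bob@example.com"}

# Roles an admin would want to recertify periodically (constructed set).
PRIVILEGED = {"admin", "owner"}


def build_identities(accounts):
    """Group accounts by normalised e-mail so one person's GitHub, Slack
    and Datadog accounts land in a single identity (case/whitespace in
    the address must not split them into two)."""
    identities = defaultdict(list)
    for service, email, roles, memberships in accounts:
        key = email.strip().lower()
        identities[key].append(
            {"service": service, "roles": roles, "memberships": memberships})
    return dict(identities)


def review(identities, roster):
    """Return (orphans, privileged): identities with no roster entry, which
    are offboarding candidates, and per-identity services where a
    privileged role is held."""
    orphans = sorted(e for e in identities if e not in roster)
    privileged = {}
    for email, accts in identities.items():
        services = sorted(a["service"] for a in accts
                          if PRIVILEGED & set(a["roles"]))
        if services:
            privileged[email] = services
    return orphans, privileged


if __name__ == "__main__":
    orphans, privileged = review(build_identities(ACCOUNTS), ROSTER)
    print("orphan identities:", orphans)
    print("privileged access:", privileged)
```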

