We are assessing using Auth0 as our customer IDAM product for accessing our commercial portals.
We want to allow a customer administrator to manage users and permissions for their own organisation. Each organisation could only manage its own users and only assign users roles/permissions that are we have configured for the organisation. (i.e the customer cannot create their own roles/groups, only assign its users to a predefined list).
We do not want to give customers access to the Auht0 dashboard or users page.
How would Auth0 approach this, I assume:
Each organisation would be its own group in the authorisation extension (note: there could be thousands of organisations)
The customers would use an SPA client that we have built that uses the Management and Authorisation APIs to add users and assign them to roles.
We also require that our own internal administrators are able to setup and administer customer and organisation accounts. I assume they would also need a separate SPA to do this.
A definitive answer would depend on knowing all the details and associated requirements. The approach that would for sure work would be the one you mention, more specifically the development of a client application that would apply the necessary logic to grant certain users the ability to manage other users within a given organization.
This application would call into the Auth0 Management API for user management and could also call into the Authorization Extension API if you chose to use the extension to model your authorization needs; an alternative would be to deal with authorization data within your own system and in that case you deal with Auth0 Management API and your own system API’s.
The same client application could also be used by your internal administrators as long as the application supports the features required by the two different user types. Also have in mind that SPA’s will have to delegate all the sensitive work to a back-end API because calling the Auth0 Management API requires a confidential client and SPA’s are public clients.
In conclusion, your described approach of implementing a custom application for user management seems adequate, but judging if it’s the most suitable is hard to do without all the details. In some simple scenarios you can save the implementation of your own user management application and just go with the delegated admin extension which also allows user management without actually needing access to the Auth0 dashboard, however, you would be constrained by the features available at the extension which may or may not satisfy your complete set of requirements.