Assign different roles for each organization


I have come across a scenario that needs a user to be assigned a different role for each organization. When the user logs into the system, based on the organization they want to access (specified through the URL or through requested scopes), I want to update the scopes to limit them to the permissions assigned to the role of that organization.

I have looked at the “Authorization Extension”, which has groups, and I initially thought of using groups for each organization, but each organization cannot be assigned roles; instead, I need to maintain one group for each “organization-role”. The problem soon becomes a maintenance nightmare when I start updating the permissions of a role, where I have to update the permissions for each organization role. I also have some customization in terms of allowing users of certain organizations to have access to any organization.

To make it easier and get the initial workflow working, I set the scopes for each organization on the user's app_metadata and, based on the requested organization, I set the appropriate scopes. The problem with updating the role permissions comes back to bite in this case as well, where anytime I update permissions on the role, I end up having to update all users with the role with the latest set of permissions.

Ideally, I would like to assign a user a role for a specific organization in the app_metadata of the user and, at runtime, pull the scopes that apply to the role and update the scopes of the user in a rule. All this will become easier if I have access to the Management API from within a rule.

Here are the earlier posts I’ve referred to, which are left unanswered.



Hi @vedanth, welcome to the Auth0 Community!

I believe in that case you would be best off storing the relevant role in the app_metadata. You can then add this as a custom claim so your app can see what role the user has in their token when they attempt to interact with it. And then your rule can pick which role entry to pass on as a custom claim based on the connection or application the user is authenticating against.

Are these the steps you are following? Please let me know.

Hi @lily.wisecarver, I have customized the solution a little bit so the application doesn’t have to deal with roles and instead only handles scopes. So I actually populate the scopes in the claims when generating the token. To fetch the scopes, I query the Auth0 management API using application credentials for scopes assigned to a role.
This would have been easier if the token in the role can access more management APIs than what it currently can access so I don't have to generate the token to call the management APIs.
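
The scope resolution discussed in this thread, as an added example that is not part of any post and is not Auth0's code: app_metadata stores only a role per organization, one role-to-scopes table is consulted at login, and the token receives the intersection with the requested scopes. The names `ROLE_SCOPES`, `org_roles`, `cross_org_role` and `resolveScopes` are hypothetical, and the inline table stands in for whatever the role lookup returns.

```javascript
// Constructed role -> scopes table: the single place permissions are edited.
// In the thread this data comes from a role lookup; here it is inline.
const ROLE_SCOPES = {
  admin:  ['read:reports', 'write:reports', 'manage:users'],
  editor: ['read:reports', 'write:reports'],
  viewer: ['read:reports'],
};

// Own-property lookup so keys such as "__proto__" or "constructor"
// arriving in the request never resolve to inherited values.
function own(obj, key) {
  return obj && typeof key === 'string' &&
    Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

// appMetadata (hypothetical shape):
//   { org_roles: { acme: 'admin' }, cross_org_role: 'viewer' }
// cross_org_role models users who may access any organization; it is set
// by an administrator in app_metadata, never taken from the request.
function resolveScopes(appMetadata, requestedOrg, requestedScopes) {
  const meta = appMetadata || {};
  const role = own(meta.org_roles, requestedOrg) || meta.cross_org_role;
  const allowed = own(ROLE_SCOPES, role);
  // Fail closed: unknown org, missing role or unknown role grants nothing.
  if (!Array.isArray(allowed)) return [];
  // Grant no more than the client asked for and no more than the role has.
  const asked = new Set(
    String(requestedScopes || '').split(/\s+/).filter(Boolean));
  return allowed.filter((scope) => asked.has(scope));
}

// Constructed sample users.
const alice = { org_roles: { acme: 'admin', globex: 'viewer' } };
const support = { org_roles: { hq: 'editor' }, cross_org_role: 'viewer' };

console.log(resolveScopes(alice, 'acme', 'read:reports manage:users'));
console.log(resolveScopes(alice, 'globex', 'read:reports write:reports'));
console.log(resolveScopes(support, 'initech', 'read:reports write:reports'));
console.log(resolveScopes(alice, '__proto__', 'read:reports'));
```

Changing a role's permissions then means editing one table entry; no user record or per-organization group has to be touched.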