Assign roles based on resource instance of the same resource type

My use case is as below:

  1. I have a resource called subscription. I want to add RBAC to do CRUD on this resource type.
  2. A user can be part of multiple subscriptions but has different roles in each of those subscriptions (resource instances).

For example:
user1 is “admin” for “subscription1” but he is “manager” for “subscription2”. With RBAC I can’t find a way to differentiate between the resource instances.

Please suggest how this can be achieved in Auth0.


Hi @chetanbc

It sounds like the main challenge here is nesting / combining roles since these can differ for a single user across what you call Subscriptions. The “best” way to achieve this would depend on the number of combinations between Subs and Roles. One thing you can try is using Rules, Organisations and Roles, where Orgs would match your Subs. One way to do it would be to match your Subs and your Roles to Auth0 objects, like Organisations and Roles. For example, the snippet below checks if a User is part of 2 different Role groups:

  // Redirect when the user has neither the "access" nor the "test" role.
  const roles = context.authorization.roles;
  if (!roles.includes("access") && !roles.includes("test")) {
    context.redirect = { url: "http://localhost:3000/redir" };
  }

It’s accessing the User’s role info using the Context Object Properties as documented here. Such an object is also available for Organisations. Therefore you could build similar rules based on an Org (Sub) and Roles.

Since Organisations is an Enterprise feature, if you don’t have an Enterprise plan, another option would be to create and assign Roles to users with a structure like “subscriptionName_roleName” (for example Sub1_users, Sub2_admins, Sub1_managers etc.). This would require some preparation work but it sounds like a clean option if you automate it using the Management API (which has methods to manage Roles & Users and even Rules).
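How an API could enforce the “subscriptionName_roleName” naming scheme per request, as an added example that is not part of the original reply. The claim name `https://example.com/roles`, the `req.auth` location of the verified payload, the id pattern and the helper names are all assumptions made for this sketch.

```javascript
// Hypothetical namespaced claim that a Rule would copy the user's role names into.
const ROLES_CLAIM = "https://example.com/roles";
// Assumed id format: no "_" allowed, so "<subscription>_<role>" splits only one way.
const SUB_ID = /^[A-Za-z0-9]+$/;

// True only if the verified payload holds "<subId>_<role>" for an allowed role.
function hasRoleOnSubscription(payload, subId, allowedRoles) {
  if (!payload || typeof subId !== "string" || !SUB_ID.test(subId)) return false;
  const roles = payload[ROLES_CLAIM];
  if (!Array.isArray(roles)) return false; // missing or malformed claim: deny
  return allowedRoles.some((role) => roles.includes(`${subId}_${role}`));
}

// Express-style middleware factory. Assumes an earlier middleware verified the
// token signature and stored the decoded payload on req.auth.
function requireSubRole(allowedRoles, paramName = "subId") {
  return (req, res, next) => {
    if (!req.auth) return res.status(401).json({ error: "unauthenticated" });
    if (!hasRoleOnSubscription(req.auth, req.params[paramName], allowedRoles)) {
      return res.status(403).json({ error: "no role on this subscription" });
    }
    return next();
  };
}

// Constructed sample payload (treated as already verified).
const samplePayload = {
  sub: "auth0|user1",
  [ROLES_CLAIM]: ["Sub1_admins", "Sub2_managers"],
};

// Minimal stand-ins for Express req/res so the check runs without a server.
function simulate(payload, subId, allowedRoles) {
  let status = 200;
  const res = { status(code) { status = code; return this; }, json() { return this; } };
  requireSubRole(allowedRoles)({ auth: payload, params: { subId } }, res, () => {});
  return status;
}
```

Because the subscription id comes from the URL, rejecting ids that contain the delimiter keeps a request for one subscription from matching a role string that was issued for another.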


Hi @sylvainf ,

Thanks for the reply.

I do not have an Enterprise plan. So I think I cannot use it.
And on the other approach you mentioned, I am not sure if it’s the right approach for me. Because in my use case, our application can support 1000+ subscriptions and each subscription has 5 roles. So defining separate roles for each of them is a very brute-force approach.
And also if I assign 2 roles to a user like “sub1_admin” and “sub2_manager”, the JWT token (permissions claim) would not differentiate which permission is assigned to which subscription, right? Or am I missing something here?

Let me explain my use case here:
Currently I am using ExpressJS to implement APIs, and to access these APIs I want to check if the user has the required permission or not, by checking the access_token.

  // Only callers whose token carries the read:sub permission reach the handler.
  app.get("/getSubscription/:subId", checkJwt, checkPermissions(["read:sub"]), (req, res, next) => {
    res.json("You have permission!");
  });

Now in the access_token (permissions claim), I can only see the permission (for example: read:sub), but it doesn’t tell for which particular subscription the user has read permission.

So I want to know if I can somehow bind the roles/permissions to a particular subscription rather than binding them directly to the user. I want my access token to look something like below:

  "iss": ,
  "sub": ,
  "aud": ,
  "permissions": [
    {"sub1": ["read:sub"],
     "sub2": ["create:sub"]