Auth0 Home Blog Docs

Authorization Core - Number of Roles

Our application is multi-tenant which has proven to be a bit of a challenge with Auth0. I think we’ve got it working now using the new Authorization Core RBAC stuff which is great, but the way we implemented roles makes me wonder if we’re set up to have a problem in the future, so wanted to ask people here who might know!

The challenge with multi-tenancy in Auth0 is there’s really no way to tell which tenant(s) a user belongs to. Our solution has been to prepend a tenant abbreviation to the roles for that tenant - like TNT01.readonly_user. The challenge with this is that our “normal” 6 roles get repeated over and over for each tenant. Our application is (now) able to manage these so it’s not too big of a problem, but I am curious how well Auth0 will handle the number of roles as they grow to hundreds and thousands. Doesn’t seem scary per se, but I don’t want to find out later that I’ve been digging a hole in which to bury us!

I thought about using user_metadata for Tenant assignment, but really I need to know tenant roles at the same time so there’s not much point in doing it outside the “proper” RBAC channels.

1 Like

Roles like templates for user management.
For your case better to use permissions like ‘access:application1’, ‘read:application2’.
Then you can assign any number of permissions to every user or use Roles to do it simpler.

Thanks for replying, I"m not sure I understand your suggestion though. Permissions are a little different since they can be assigned directly to the User directly or to a User through Roles, but we’d end up with the same issue - needing a separate group of permissions for every Tenant with some way (like naming) to differentiate which permissions belong to which Tenants.

Maybe I’m missing something.

Perhaps I do not fully understand your task but Tenant is logical unit that completely isolated.

No tenant can access the instance of another tenant, even though the software might be running on the same machine (hence the logical isolation).

Therefore tenants have isolated user databases and all settings from my point of view.
In that case you can create 7th tenant like master-tenant with all users, roles and metadata but this looks too complicated for me.
P.S. I am using different tenants for Production and Staging, with multi-applications in every Tenant.

Ah, I see now. I’m not referring to Auth0 Tenants - we have (and are) a single Auth0 Tenant. My application itself is multi-tenant internally. So, each customer (business) has their own “protected” space even though it’s all running within the same application.

Often with SaaS products this is done with a unique subdomain per customer (i.e. cust.yourdomain.com) but our application is served from a single domain. Since Users are onboarded to a single Auth0 Tenant, I then need a way to know which user(s) go with which Tenant(s) on my side. Hence, our Role naming scheme of TENANT.role_name.

I’m not sure there’s a great way to handle what we’re doing at the moment, but we have seems to work okay. I’m just concerned about the longer-term growth of the number of Roles/Permissions.

@mikahb Did you find a solution for your challenge yet? I’m looking at a similar case for our app.