I’m currently trying to evaluate whether or not Auth0 supports some of our complex use cases and was hoping to find some answers here. I work for a software company currently considering Auth0 as a possible AuthN/AuthZ provider. We’re satisfied that the AuthN side of things is exceptionally well catered for already, but our use case for AuthZ is more complicated than any examples I can find in the docs, and since I’m not perfectly familiar with how everything works I thought it best to ask for a hand before diving into implementation.
So we run a multi-tenant platform with some basic tenant relationships built in (e.g. Tenant A may be a parent of Tenant B). We would like to support the following use cases for granting access to specific resources/tenants:
- User A has full access to all tenants (super admin)
- User B has full access to Tenant 1, Tenant 2 and Tenant 3
- User C has limited access to Tenant 1 and Tenant 2
- User D has full access to Tenant 1 and limited access to Tenant 2
All user access will be controlled by authorising requests to internal API endpoints which will have the full context of what the user is requesting and which tenant they are requesting it for.
My question basically boils down to: is Auth0 able to support each of the use cases laid out above and, if so, how would I go about configuring Auth0 to support them?
Writing custom code is not a problem but we’re aiming to minimise the amount of custom code we have to write in order to minimise the time it takes to integrate a provider.
Thanks in advance,
Richard
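As an added illustration of the per-request check the post describes (not part of the original question, and not Auth0's own claim format), the example below assumes a tenant-access map is carried in a namespaced custom claim on the access token, maps the four users above onto it, and decides each API request from tenant plus action; the claim name, the "*" super-admin entry and the action-to-level mapping are all assumptions for this example.

```python
# Assumed namespaced custom claim carrying a map of tenant id -> access level.
# The claim name and its shape are assumptions for this example, not Auth0's own format.
CLAIM = "https://example.com/tenant_access"

# Ordered access levels; anything not listed here is denied.
LEVEL_RANK = {"limited": 1, "full": 2}

# Minimum access level each API action requires (assumed mapping).
ACTION_MIN_LEVEL = {"read": "limited", "write": "full", "delete": "full"}


def authorize(claims: dict, tenant: str, action: str) -> bool:
    """Return True if the token's tenant-access claim permits `action` on `tenant`.

    Evaluated per request, with the tenant taken from the request context the
    endpoint already has. Unknown tenants, levels and actions are all denied.
    """
    access = claims.get(CLAIM) or {}
    if not isinstance(access, dict):
        return False  # malformed claim: fail closed

    # Super admin: an explicit "*" entry with full access covers every tenant.
    if access.get("*") == "full":
        return True

    required = ACTION_MIN_LEVEL.get(action)
    if required is None:
        return False  # unrecognised action: deny by default

    granted = LEVEL_RANK.get(access.get(tenant), 0)
    return granted >= LEVEL_RANK[required]


# Constructed sample tokens (decoded claim sets) for Users A-D from the post.
USERS = {
    "A": {CLAIM: {"*": "full"}},
    "B": {CLAIM: {"tenant-1": "full", "tenant-2": "full", "tenant-3": "full"}},
    "C": {CLAIM: {"tenant-1": "limited", "tenant-2": "limited"}},
    "D": {CLAIM: {"tenant-1": "full", "tenant-2": "limited"}},
}


if __name__ == "__main__":
    for user, claims in USERS.items():
        for tenant in ("tenant-1", "tenant-2", "tenant-3", "tenant-4"):
            decisions = {a: authorize(claims, tenant, a) for a in ACTION_MIN_LEVEL}
            print(user, tenant, decisions)
```

The token should of course be signature-verified and its audience checked before its claims are trusted; this snippet only covers the decision step that runs afterwards.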