Dashboard admins have no admin permissions

My co-worker created the tenant (we’re on developer-pro right now), and added me as admin. I can update/configure everything in the dashboard. Now we want to enable user-management (among other things) for some support employees, but after adding them as admins they don’t have any rights to do so.

Neither the tenant account owner nor me see any way to configure these new admin accounts. We’ve also tried deleting and adding them again. I also read the documentation about this (https://auth0.com/docs/get-started/dashboard/manage-dashboard-users) but frankly, I don’t see how the support-only users are able to handle issues with users having authentication issues, by just creating new tickets? We already have our own ticketing system, just exposing the user management to support colleagues should be enough.

So long story short: why do admins not get admin rights?

Hi @p.kruithof,

Welcome to the Community!

If you want to give a set up support staff permission to manage your users you can do so with the delegated admin extension. Please take a look and let me know if this does not fit the bill:

Thanks for responding.

After several attempts of deleting the admin, and adding them again, it looks like we finally found the steps to fix this: after deleting the admin we had to make sure that the admin is then logged out before accepting the new invite. Also it seems like they have to have access to all applications, not just the one that they have to manage.

I still have some questions about how this works, which we cannot find in the documentation or it’s unclear about. If you (or someone else) could answer those that would really help us.

  • We have two applications: 1 for the web app with just the API permissions needed, such as read/create users. The other application has more permissions and is used as a machine-to-machine app to configure the other application via code (we have a deployment script with all settings and prompt translations, etc.). Only having access to all applications will enable an admin to actually manage users. Is this always the case?
  • One thing I thought about was that maybe our web app did not have enough permissions by itself for an admin to do user management. But it can create/update users, and these admins did not see a “create user” button. Are the permissions of admins derived from application permissions, or are they defined somewhere else?
  • Another suggestion was that maybe this admin also had a user account for the application itself, with the same email address, and that that was blocking permissions to do admin stuff. Are admin users completely separated from application users, or do they relate to each other somehow?
  • The documentation says we can configure admins, but I don’t see any edit/configure link or button anywhere. Just a button to create/delete them. Is the documentation wrong or are we missing something?

:thinking: Did you see the delegated admin extension I linked in my first response? It allows you to set up an admin that can only deal with user management as you described.

If you give ‘all applications’ permissions, they will be a full admin.

Application-specific admin’s permissions are outlined in our admin doc:

" Application-specific access includes the following:

  • Read and write access to the specific application configuration
  • Read access to enabled connections for the application
  • Ability to configure add-ons for the specific application
  • Read (not write) access to all user records "

No. There is no overlap, those are completely separate databases. They are similar in name/email only.

This is answered by the doc you linked. You are creating an application admin, which can only maintain your application settings, not manage users. That is what the delegated admin extension is for. :point_up:

Yes, you are missing the delegated admin extension that allows you to create admin that manage users. I linked it in my first response. I would give that a look before moving forward :eyes: :

As far as whether adding, deleting, granting application permissions or full permissions is considered configuring or not, I’ll leave that up for debate. :smiley: