Delegated Admin Dashboard Extension related questions

Hi there,

I am seeking answers to the below questions regarding the Delegated Admin Extension.

Question 1: What is the usage of the Delegated Admin Extension over tenant-level roles, e.g. the Editor role?
Also, is there any other way to manage admin-level roles apart from the Delegated Admin Extension and providing tenant-level roles?

Question 2: How will the dashboard admin access the delegated admin dashboard without having any Auth0 tenant-level role assigned? When using the callback URL of the application tethered to the Dashboard, I am getting a white screen.

Question 3: What is the utilization of namespace URL in the delegated admin extension Rule below?

function (user, context, callback) {
  // Only add the claim for the Delegated Admin application
  if (context.clientID === 'X5kxLGBDHplPRkIoKJXCS3Q0VkzO3ugk') {
    const namespace = 'https://something.com/auth0-delegated-admin';
    // Expose the user's Authorization Core roles as a namespaced ID token claim
    context.idToken[namespace] = {
      roles: (context.authorization || {}).roles
    };
  }
  callback(null, user, context);
}

Now I am interested to know what the standard way of deciding the namespace URL is, as per personalized requirements?

Question 4: As per the docs, Rules will be deprecated in 2024, and the Delegated Admin Extension runs on 2 rules (1 automatically created and 1 custom created). How is this extension supposed to work once the rules are deprecated next year?

Question 5: In the Delegated Admin Extension we do not have permissions assigned to the 4 default extension roles (Delegated Admin - Administrator, Delegated Admin - Auditor, Delegated Admin - Operator, Delegated Admin - Operator), yet I am still getting the appropriate permissions according to the role selected in the dashboard.
How does it happen internally without binding the permissions to these roles?

Eagerly awaiting responses.

Thanks and Regards,
Aafreen Khan

I believe we experienced the same and the workaround was to set the OIDC Conformant setting in the delegated admin app settings to true.

We use Terraform to configure Auth0 and this is our app config:

resource "auth0_client" "delegated_admin" {
  name                          = "Delegated Admin"
  description                   = "Delegated Admin"
  app_type                      = "spa"
  callbacks                     = ["https://<tenant-name>.us.webtask.run/auth0-delegated-admin/login"]
  allowed_logout_urls           = ["https://<tenant-name>.us.webtask.run/auth0-delegated-admin"]
  organization_usage            = "deny"
  grant_types                   = ["implicit", "authorization_code", "refresh_token"]
  oidc_conformant               = true
  organization_require_behavior = "no_prompt"
  sso                           = true
}

Hi @eyablonowitz

Thanks so much for your prompt response.
I will surely try that.

Regards,
Aafreen

Hi there auth0 community,

Following up on the above remaining questions.

Thanks and Regards,
Aafreen Khan

Hi @dan.woda @rueben.tiow @dawid.matuszczyk

Hope you are doing well.
I was wondering if you can help me with the above questions?

Thanks
Aafreen

Hi @Aafreen_Khan,

Let’s see if we can answer your remaining questions.

Yes, we suggest using the built-in admin controls, i.e. Manage Dashboard Access.

Namespace is a collision-safe convention that prevents the token from having multiple claims with the same key. More on it here: Create Custom Claims

It looks like rules should be able to translate to Actions in this case. (There’s an example in the doc :smile: )

I’m not sure I understand this question. Could you please provide more info, example, etc. Thank you!


Hi @dan.woda

Thanks a lot for your response; your answers have surely helped me. Unfortunately, I still have a few doubts lingering around these questions.

Question 3: Thanks for explaining the namespace URL utilization. Based upon that, our understanding is that:

function (user, context, callback) {
  // Only add the claim for the Delegated Admin application
  if (context.clientID === 'X5kxLGBDHplPRkIoKJXCS3Q0VkzO3ugk') {
    const namespace = 'https://something.com/auth0-delegated-admin';
    // Expose the user's Authorization Core roles as a namespaced ID token claim
    context.idToken[namespace] = {
      roles: (context.authorization || {}).roles
    };
  }
  callback(null, user, context);
}

In the above code,
if (context.clientID === 'X5kxLGBDHplPRkIoKJXCS3Q0VkzO3ugk')
This line specifies the client id of the application used in the DAE.

const namespace = 'https://something.com/auth0-delegated-admin';
This line contains all the collision-free claims of the DAE.

context.idToken[namespace] = {
roles: (context.authorization || {}).roles
};
Now, the claims are passed to the OIDC ID token based upon the role of the user in the Authorization Core.

That is supposedly the way this namespace URL could be used; kindly let me know if otherwise.
Sounds a bit odd, but we are still facing atrocity while deciding what the namespace URL should be for our case. Can you help us overcome this?

Question 4: I understand that the rules can be transformed into Actions. But there is a rule called "auth0-authorization-extension" which is automatically created as soon as we install the Delegated Admin Extension.
How will this rule transform into an Action after the deprecation of Rules?

Question 5: For example, while using the Authorization Core for RBAC, we add certain permissions to the role through the API.
Here in the DAE, I see that not a single permission is added to the role present in the DAE, yet it still works just fine and as expected.

So I was curious to know the underlying working of the DAE role assignment to users without even needing to add any permissions to it.
Attaching a screenshot of the DAE role configured as per the docs without any permission added to it.

Thanks again and in advance.
Aafreen Khan

This may be helpful:

Use a URL that you control as a namespace identifier; this allows you to avoid the risk that someone else is using the same namespace. The namespace URL does not have to point to an actual resource. It is only used as an identifier; it will not be called.

It can be anything, but best practice should be a URL you control and cannot be an Auth0 URL.

Can you provide an example? I have the extension installed and only have the one rule.

Also, I'm curious why you aren't using the built-in admin management?


Hi @dan.woda

Thanks for your response on the above questions; please find further details regarding these questions below:

"Can you provide an example? I have the extension installed and only have the one rule." -

This rule is created automatically as soon as we install the "Delegated Admin Dashboard Extension", and my concern is how this Rule will be transformed into an Action after Rules are deprecated.

And the other rule, which is custom created for the Delegated Admin Extension, is as follows.

function (user, context, callback) {
  // Only add the claim for the Delegated Admin application (client ID elided here)
  if (context.clientID === 'XYZ') {
    const namespace = 'https://something.com/auth0-delegated-admin';
    // Expose the user's Authorization Core roles as a namespaced ID token claim
    context.idToken[namespace] = {
      roles: (context.authorization || {}).roles
    };
  }
  callback(null, user, context);
}

"Also, I'm curious why you aren't using the built-in admin management?" -

Because we are still in the pre-implementation phase and trying to explore all the features, be it tenant-level access or the DAE, to find a solution that can best suit our client's requirements.

Also, can you please have a look over the details in my previous post for question number 5, as asked by you?

Thanks in advance
Aafreen Khan

There is an example of the equivalent Action here: Delegated Administration Extension v3.

It's using the role itself to assign permissions. You can test this by misspelling a role, e.g. Delegated Admin - FooBar, and you will notice it breaks the permissions.

Hope this helps.
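For reference, an added example (not from this thread or from Auth0's own extension code) of a post-login Action that does what the quoted Rule does: it checks the client ID, reads the user's Authorization Core roles, and sets them under the namespaced ID token claim. The client ID is a placeholder, and the small stand-in `api` object exists only so the outcome can be checked offline.

```javascript
// Placeholder: replace with the client ID of your Delegated Admin application.
const DAE_CLIENT_ID = "<your-delegated-admin-client-id>";
// Namespace from the thread: an identifier you control, never fetched.
const NAMESPACE = "https://something.com/auth0-delegated-admin";

// Handler body as it would go in the Actions editor. The Actions runtime awaits
// the handler, so it may be sync or async; it is sync here so it can be run inline.
function onExecutePostLogin(event, api) {
  // Only the Delegated Admin application should receive the roles claim.
  if (event.client.client_id !== DAE_CLIENT_ID) return;
  // Authorization Core roles assigned to the user (empty array if none).
  const roles = (event.authorization && event.authorization.roles) || [];
  // Actions cannot write context.idToken directly; the API call replaces that.
  api.idToken.setCustomClaim(NAMESPACE, { roles });
}
// In the Actions editor this is the line that exports the handler.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;

// Minimal stand-in for the Actions `api` object (assumption: only setCustomClaim is used).
function makeFakeApi() {
  const claims = {};
  return {
    claims,
    idToken: { setCustomClaim(name, value) { claims[name] = value; } },
  };
}

// Run the handler for a constructed login event and return the resulting ID token claims.
function simulateLogin(clientId, roles) {
  const event = { client: { client_id: clientId }, authorization: { roles } };
  const api = makeFakeApi();
  onExecutePostLogin(event, api);
  return api.claims;
}
```

Logging in through a different application leaves the token without the claim, which is the same gating the Rule's `context.clientID` check provided.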

Hi Dan,

Thanks for your answers they really helped.

Just a quick question: how can we manage devices in the DAE? Actually, I couldn't find anything for this in the docs.

Thanks and Regards,
Aafreen Khan

Hi Community,
@dan.woda

Gently following up on the above question regarding device management in Delegated Admin Extension.
Thanks a ton in advance.

Regards,
Aafreen Khan

Hi @Aafreen_Khan,

Can you please give an example?

Hi @dan.woda

I am talking about the "Devices" tab in a user's profile in the DAE. Please refer to the highlighted section in the screenshot below for your reference:
Can you please let me know how we manage devices for users in the DAE? For my DAE Dashboard, nothing appears in the Devices tab. I would highly appreciate your help; an Auth0 doc or any other reference will do.

Thanks and Regards,
Aafreen Khan

Thanks for the additional information.

Here is a doc explaining how to manage devices for users:

Hi @dan.woda

Thanks for your help.
This doc just explains how we can unlink devices assigned to a user.
I am looking for the overall and complete device management of users in the Delegated Admin Extension Dashboard, and in the Auth0 Dashboard as well.

Thanks and Regards,
Aafreen

Can you please give an example of what you would like to do with devices?
