Overview
This article provides steps to enable Role-Based Access Control (RBAC) for user roles within an Organization.
Applies To
- Auth0 Organization
- APIs
- RBAC
Solution
To enable and utilize RBAC for user roles in Organizations:
- Enable the RBAC setting for the relevant APIs. This is the primary step for RBAC rules to apply to users in an Organization, similar to Core RBAC functionality.
- Roles must be assigned to users within their specific Organization. This differs from Core RBAC, where roles are typically assigned at the tenant level.
- When a user authenticates in the context of an Organization, only the roles assigned to that user within that Organization are applied. Roles assigned to the same user at the tenant level or in another Organization are not.
- If the RBAC setting is not enabled for the API:
  - Any permission requested by the application for that API is passed through in the `scope` claim of the issued Access Token. The claim therefore reflects what the client asked for, not what the user has been granted.
  - This default behavior can be modified using a custom policy within an Action. Use the `api.accessToken.addScope(scope)` or `api.accessToken.removeScope(scope)` functions in a Post-Login Action. For further details, refer to the documentation on the Post-Login API Object. See the following example:
```javascript
exports.onExecutePostLogin = async (event, api) => {
  // event.authorization.roles holds the roles applied to this login. In an
  // Organization context these are the user's roles within that Organization.
  const roles = event.authorization?.roles || [];

  // Example: add the 'write:documents' scope if the user has the 'editor' role.
  if (roles.includes('editor')) {
    api.accessToken.addScope('write:documents');
    console.log(`User ${event.user.user_id} granted 'write:documents' scope.`);
  }

  // Example: remove the 'delete:everything' scope if the application requested it
  // (too broad to hand out just because it was asked for).
  if (event.transaction?.requested_scopes?.includes('delete:everything')) {
    api.accessToken.removeScope('delete:everything');
    console.log(`Removed requested 'delete:everything' scope for user ${event.user.user_id}.`);
  }
};
```
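The three steps in the Solution section, expressed as Management API calls and an Organization-context login URL. This is an added example, not code from the article or from Auth0. It assumes a Node 18+ runtime (global `fetch`), a Management API token holding the `update:resource_servers` and `create:organization_member_roles` scopes, and the documented Management API v2 endpoints used below; the tenant domain, API identifier, Organization, user and role IDs are constructed placeholders.

```javascript
// Added example (not from the Auth0 article). Assumed: Management API v2
// endpoints below, a Management API token with the needed scopes, Node 18+.

// Step 1: enable RBAC on the API ("enforce_policies"). Setting the token
// dialect to access_token_authz also adds a `permissions` claim to tokens.
function buildEnableRbacRequest(domain, apiId) {
  return {
    method: 'PATCH',
    // {id} accepts the resource server ID or its URL-encoded audience identifier.
    url: `https://${domain}/api/v2/resource-servers/${encodeURIComponent(apiId)}`,
    body: { enforce_policies: true, token_dialect: 'access_token_authz' },
  };
}

// Step 2: assign roles to the user *within* the Organization, not tenant-wide.
function buildAssignOrgRolesRequest(domain, orgId, userId, roleIds) {
  if (!Array.isArray(roleIds) || roleIds.length === 0) {
    throw new Error('at least one role id is required');
  }
  return {
    method: 'POST',
    url: `https://${domain}/api/v2/organizations/${encodeURIComponent(orgId)}` +
      `/members/${encodeURIComponent(userId)}/roles`,
    body: { roles: roleIds },
  };
}

// Step 3: the application must log the user in *in the context of* the
// Organization, or the Organization roles are not applied. The `organization`
// parameter on /authorize does that.
function buildOrgAuthorizeUrl(domain, { clientId, redirectUri, audience, orgId, scope = 'openid profile' }) {
  const u = new URL(`https://${domain}/authorize`);
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('client_id', clientId);
  u.searchParams.set('redirect_uri', redirectUri);
  u.searchParams.set('audience', audience);
  u.searchParams.set('organization', orgId);
  u.searchParams.set('scope', scope);
  return u.toString();
}

// Runs steps 1 and 2 in order. `fetchImpl` is injectable so the sequence can
// be exercised offline with a stub; defaults to the global fetch.
async function enableOrgRbac({ domain, mgmtToken, apiId, orgId, userId, roleIds }, fetchImpl = globalThis.fetch) {
  const requests = [
    buildEnableRbacRequest(domain, apiId),
    buildAssignOrgRolesRequest(domain, orgId, userId, roleIds),
  ];
  const results = [];
  for (const req of requests) {
    const res = await fetchImpl(req.url, {
      method: req.method,
      headers: { Authorization: `Bearer ${mgmtToken}`, 'Content-Type': 'application/json' },
      body: JSON.stringify(req.body),
    });
    if (!res.ok) {
      throw new Error(`${req.method} ${req.url} failed: HTTP ${res.status}`);
    }
    results.push(await res.json());
  }
  return results;
}
```

Run the two Management API steps once per API and per Organization member; the authorize URL is what the application sends the user to on every login. If step 3 is skipped and the user logs in outside the Organization context, the Organization roles from step 2 do not appear in `event.authorization.roles` and the token carries no Organization-derived permissions.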
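The pass-through behaviour described above has a consequence on the API side: when RBAC is disabled, the `scope` claim is whatever the client requested, so an API that authorizes from it lets the client grant itself access. The block below, an added example that is not part of the article or of Auth0's code, shows that weak check beside a hardened one that requires the expected Organization context and a role-derived permission. It assumes that signature, issuer, audience and expiry have already been verified by your JWT middleware (this code only inspects the payload), that the API's "Add Permissions in the Access Token" setting is on so role-derived permissions arrive in a `permissions` claim, and that a login in Organization context adds an `org_id` claim; the sample tokens are constructed and unsigned.

```javascript
// Added example (not from the Auth0 article). Assumed: token signature and
// standard claims are verified upstream; `permissions` and `org_id` claims are
// present as described in the lead-in. Sample tokens below are constructed.

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Weak check: trusts the `scope` claim. With RBAC disabled the claim holds
// what the client requested, so a client can ask for, and receive, any scope.
function scopeOnlyCheck(payload, requiredScope) {
  const scopes = typeof payload.scope === 'string' ? payload.scope.split(' ') : [];
  return scopes.includes(requiredScope);
}

// Hardened check: the token must have been issued in the expected Organization
// and must carry the permission derived from the user's Organization roles.
// `scope` is never consulted.
function authorizeOrgRequest(payload, { expectedOrgId, requiredPermission }) {
  if (payload.org_id !== expectedOrgId) {
    return { allowed: false, reason: 'token not issued in the expected Organization context' };
  }
  const permissions = Array.isArray(payload.permissions) ? payload.permissions : [];
  if (!permissions.includes(requiredPermission)) {
    return { allowed: false, reason: `missing permission ${requiredPermission}` };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample tokens. The signature segment is left empty because
// verification is assumed upstream; real Auth0 tokens carry an RS256 signature.
function makeSampleToken(payload) {
  const header = Buffer.from(JSON.stringify({ alg: 'RS256', typ: 'JWT' })).toString('base64url');
  const body = Buffer.from(JSON.stringify(payload)).toString('base64url');
  return `${header}.${body}.`;
}

// RBAC disabled: the client requested write:documents and it was passed through.
const RBAC_OFF_TOKEN = makeSampleToken({
  iss: 'https://example.auth0.com/', aud: 'https://api.example.com',
  sub: 'auth0|123', org_id: 'org_abc', scope: 'openid write:documents',
});

// RBAC enabled: only permissions derived from the user's Organization roles appear.
const RBAC_ON_TOKEN = makeSampleToken({
  iss: 'https://example.auth0.com/', aud: 'https://api.example.com',
  sub: 'auth0|123', org_id: 'org_abc', scope: 'openid',
  permissions: ['read:documents'],
});
```

Checking `org_id` matters even with RBAC on: a token issued to the same user in a different Organization carries that Organization's roles and must not be accepted for this one.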