Enable Role-Based Access Control for User Roles in Organizations

Overview

This article provides steps to enable Role-Based Access Control (RBAC) for user roles within an Organization.

Applies To

  • Auth0 Organization
  • APIs
  • RBAC

Solution

To enable and utilize RBAC for user roles in Organizations:

  1. Enable the RBAC setting for the relevant APIs. This is the primary step for RBAC rules to apply to users in an Organization, similar to Core RBAC functionality.

  2. If the RBAC setting is not enabled for the API:

    • Any permission requested by the application for that API is passed through in the scope claim of the issued Access Token.
    • This default behavior can be modified with a custom policy in a Post-Login Action: call api.accessToken.addScope(scope) to grant a scope or api.accessToken.removeScope(scope) to strip one before the token is issued. For further details, refer to the documentation on the Post-Login API Object. For example:
exports.onExecutePostLogin = async (event, api) => {
  // Example: add the 'write:documents' scope if the user holds the 'editor' role
  const roles = event.authorization?.roles || [];

  if (roles.includes('editor')) {
    api.accessToken.addScope('write:documents');
    console.log(`User ${event.user.user_id} granted 'write:documents' scope.`);
  }

  // Example: strip the 'delete:everything' scope if the application requested it
  if (event.transaction?.requested_scopes?.includes('delete:everything')) {
    api.accessToken.removeScope('delete:everything');
    console.log(`Removed requested 'delete:everything' scope for user ${event.user.user_id}.`);
  }
};
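The snippet above hard-codes two scopes. The following added example (not from the original article or from Auth0) generalizes it: when the API's RBAC setting is off and the login is into an Organization, the Action prunes every requested scope that none of the user's roles grants, which is the pass-through behavior Core RBAC would otherwise prevent. ROLE_SCOPES is a hypothetical role-to-scope map; event.organization, event.authorization.roles and event.transaction.requested_scopes are standard Post-Login event fields.

```javascript
// Added example, not from the original article. ROLE_SCOPES is a hypothetical
// role-to-scope map that the tenant would maintain.
const ROLE_SCOPES = {
  viewer: ['read:documents'],
  editor: ['read:documents', 'write:documents'],
};

// Standard OIDC scopes are never pruned: they control ID token claims and
// refresh tokens, not API permissions.
const OIDC_SCOPES = new Set(['openid', 'profile', 'email', 'address', 'phone', 'offline_access']);

// Pure decision function: given the scopes the application requested and the
// roles the user holds, return which scopes survive and which must be removed.
// A requested scope is kept only if some role grants it (or it is an OIDC scope).
function reconcileScopes(requestedScopes, roles, roleScopes = ROLE_SCOPES) {
  const allowed = new Set(roles.flatMap((role) => roleScopes[role] || []));
  const keep = [];
  const remove = [];
  for (const scope of requestedScopes) {
    (OIDC_SCOPES.has(scope) || allowed.has(scope) ? keep : remove).push(scope);
  }
  return { keep, remove };
}

// Post-Login handler. Enforcement only applies to logins into an Organization;
// outside an Organization the token is left unchanged.
async function onExecutePostLogin(event, api) {
  if (!event.organization) return;
  const requested = event.transaction?.requested_scopes || [];
  const roles = event.authorization?.roles || [];
  const { remove } = reconcileScopes(requested, roles);
  for (const scope of remove) {
    api.accessToken.removeScope(scope);
    console.log(`Removed scope '${scope}' for user ${event.user.user_id} in org ${event.organization.id}: no role grants it.`);
  }
}

// Auth0 loads the handler from module.exports; the guard lets this file also
// run stand-alone outside the Actions runtime.
if (typeof module !== 'undefined') module.exports = { onExecutePostLogin, reconcileScopes };
```

Because the handler contains no await, the removeScope calls complete before it returns, which is what makes it straightforward to unit-test with a mock api object.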