Facing an issue while implementing the authorization in my application

I want to implement authorization in my MERN stack application. We are using Auth0 in our application as a third-party service for OAuth. I have implemented authentication using Auth0, but I am facing an issue implementing authorization: how can we give different permissions to different people on the basis of the project? Those permissions can change for a person if the project changes; let's say person A is a tester in one project, but he can also be a lead-tester in another project.

Here is brief information about the application I am working on. In our application we register projects; a project is an application that came to us for security testing. In the project we have different sections, like detecting the vulnerabilities/issues found in the security of that project, the checklist used to test that project, and creating a report on the overall vulnerabilities found in that project and the remedies for those vulnerabilities. Inside that application I want to give permissions to perform different tasks to different people on the basis of the role access provided for that particular project, so a person can perform only the actions allowed by the role assigned to him.

In our application we currently have 3 roles, namely tester, lead-tester and CSM. Each role has the following permissions:

tester: a tester has permissions like he can report an issue/vulnerability, edit the vulnerability details and toggle the checklist point which he tested for the application.
lead-tester: a lead-tester has permissions like create the report, edit the report, submit the report, toggle the status of the vulnerability, and all permissions of the tester.
CSM: a CSM has permissions like add a client to a particular project, edit client details, create and edit a new project, create and edit the report, and he can also change the brief of the project.
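
One way to model the per-project roles described in the question, as an added example that is not part of the original post: the role is stored on the (user, project) pair and checked on every request. The permission names, the sample `memberships` data, the `findRole` helper, the `:projectId` route parameter and the location of the verified Auth0 subject at `req.auth.payload.sub` are assumptions made for this sketch.

```javascript
// Permission names are constructed for this example; role contents follow the post.
const TESTER = ['vulnerability:report', 'vulnerability:edit', 'checklist:toggle'];
const ROLE_PERMISSIONS = new Map([
  ['tester', new Set(TESTER)],
  // lead-tester has its own permissions plus everything a tester has
  ['lead-tester', new Set([...TESTER, 'report:create', 'report:edit',
    'report:submit', 'vulnerability:toggle-status'])],
  ['csm', new Set(['client:add', 'client:edit', 'project:create', 'project:edit',
    'report:create', 'report:edit', 'project:edit-brief'])],
]);

// Constructed sample data: the role lives on the (user, project) pair, not on
// the user. In the app this would be a MongoDB collection.
const memberships = [
  { userId: 'auth0|personA', projectId: 'p1', role: 'tester' },
  { userId: 'auth0|personA', projectId: 'p2', role: 'lead-tester' },
  { userId: 'auth0|personC', projectId: 'p1', role: 'csm' },
];

// Hypothetical lookup helper; replace the array search with a database query.
async function findRole(userId, projectId) {
  const m = memberships.find(x => x.userId === userId && x.projectId === projectId);
  return m ? m.role : null;
}

// Deny by default: unknown role, no membership, or unlisted permission => false.
function can(role, permission) {
  const perms = ROLE_PERMISSIONS.get(role);
  return perms ? perms.has(permission) : false;
}

// Express-style middleware factory. Assumes an earlier JWT-validation middleware
// put the verified Auth0 subject at req.auth.payload.sub and that the route
// carries :projectId.
function requirePermission(permission, lookupRole = findRole) {
  return async (req, res, next) => {
    try {
      const userId = req.auth && req.auth.payload && req.auth.payload.sub;
      if (!userId) return res.status(401).json({ error: 'unauthenticated' });
      const role = await lookupRole(userId, req.params.projectId);
      if (!can(role, permission)) return res.status(403).json({ error: 'forbidden' });
      req.projectRole = role; // available to later handlers
      return next();
    } catch (err) {
      return next(err);
    }
  };
}
```

Mount it per route after the token check, for example `requirePermission('report:submit')` on the submit-report route. Because the role is looked up server-side on each request, changing a person's membership for one project takes effect immediately and does not touch their role in any other project.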