I’m building a multi-tenant B2B SaaS application. This system uses RBAC across various api’s and web-apps. I’d like for only users with certain Roles to be able to create other users with certain roles. Example:
Super Admin (Me, or someone from my team) can create/edit a user with any role for any organization
Admin (organization admin) can create/edit a user with the Admin role, Manager role, or User role
Manager can create/edit a user with Manager or User role
User can not create/edit any type of user.
Users with any role cannot create or manage users for other organizations.
For this type of flow, does it make sense to create somewhat of a proxy-api to the management api, where more fine-grained controls can be implemented? I checked out the pre-registration hook, but my understanding is that the creating-user’s information (role, app_metadata) is not included in the request context. Additionally, it seems that hook is more for when a user is registering themselves, and not necessarily when the user is being created in the database by a different user (via the management api). Is there other native/standard Auth0 functionality that I’m missing? Or would a custom API be my best bet?
That is correct that the pre-registration hook will not cover all sign up scenarios such as using social connections, etc. However, you may want to use a rule for this as described here: How do I add a default role to a new user on first login?
The role will be assigned the first time the user authenticates no matter how the user is created.
However, since you do have so many different types of roles, managing users through the Managment API could be preferable for you. You can use the /api/v2/roles/{id}/users endpoint to assign roles, or you can use the ManagementClient Management API SDK’s assignRolestoUser method.