I’m building a multi-tenant B2B SaaS application. This system uses RBAC across various APIs and web apps. I’d like for only users with certain roles to be able to create other users with certain roles. Example:
- Super Admin (Me, or someone from my team) can create/edit a user with any role for any organization
- Admin (organization admin) can create/edit a user with the Admin role, Manager role, or User role
- Manager can create/edit a user with Manager or User role
- User cannot create/edit any type of user.
- Users with any role cannot create or manage users for other organizations.
For this type of flow, does it make sense to create somewhat of a proxy API in front of the Management API, where more fine-grained controls can be implemented? I checked out the pre-registration hook, but my understanding is that the creating user’s information (role, app_metadata) is not included in the request context. Additionally, it seems that hook is more for when a user is registering themselves, and not necessarily for when the user is being created in the database by a different user (via the Management API). Is there other native/standard Auth0 functionality that I’m missing? Or would a custom API be my best bet?
Thanks in advance for any assistance.
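An added example (not from the original post or from Auth0) of the default-deny policy check such a proxy API would run before it forwards a create/edit call to the Management API. It encodes the hierarchy from the question; the role identifiers, organization ids and the idea that `actor` is derived from the caller's verified access token are assumptions.

```javascript
// Which roles each actor role may assign, per the question's hierarchy.
// Anything not listed here is denied (default deny).
const ASSIGNABLE_ROLES = {
  super_admin: new Set(['super_admin', 'admin', 'manager', 'user']),
  admin: new Set(['admin', 'manager', 'user']),
  manager: new Set(['manager', 'user']),
  user: new Set(), // a User may not create or edit any user
};

// actor: { role, orgId } taken from the caller's verified token (hypothetical
// claim names), never from the request body the caller controls.
// action: { kind: 'create' | 'edit', targetOrgId, targetRole, currentRole? }
function authorizeUserManagement(actor, action) {
  const assignable = actor && ASSIGNABLE_ROLES[actor.role];
  if (!assignable) return { allowed: false, reason: 'unknown actor role' };
  if (assignable.size === 0) return { allowed: false, reason: 'role may not manage users' };

  // Only Super Admin may act on users of another organization.
  if (actor.role !== 'super_admin' && actor.orgId !== action.targetOrgId) {
    return { allowed: false, reason: 'cross-organization access' };
  }

  // The role being assigned must be within the actor's delegable set.
  // On an edit that does not change the role, the existing role is checked.
  const newRole = action.targetRole ?? action.currentRole;
  if (!assignable.has(newRole)) {
    return { allowed: false, reason: `cannot assign role ${newRole}` };
  }

  // On edit, the target's existing role must also be delegable, so a Manager
  // cannot modify (or demote) an existing Admin.
  if (action.kind === 'edit' && !assignable.has(action.currentRole)) {
    return { allowed: false, reason: `cannot edit user with role ${action.currentRole}` };
  }
  return { allowed: true };
}

// Constructed scenarios walking the hierarchy from the question.
function runScenarios() {
  return [
    authorizeUserManagement({ role: 'super_admin', orgId: 'org_a' }, { kind: 'create', targetOrgId: 'org_b', targetRole: 'admin' }),
    authorizeUserManagement({ role: 'admin', orgId: 'org_a' }, { kind: 'create', targetOrgId: 'org_a', targetRole: 'super_admin' }),
    authorizeUserManagement({ role: 'manager', orgId: 'org_a' }, { kind: 'create', targetOrgId: 'org_b', targetRole: 'user' }),
    authorizeUserManagement({ role: 'manager', orgId: 'org_a' }, { kind: 'edit', targetOrgId: 'org_a', currentRole: 'admin', targetRole: 'user' }),
  ];
}
console.log(runScenarios());
```

The check runs on the server side of the proxy, so the Management API token with broad scopes never reaches the browser and every decision can be logged with the actor, target organization and requested role.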