I need to get a user’s permissions that are based on roles they are assigned within the context of a particular organization. There is a Management API endpoint to get a user’s permissions that are assigned to a user outside the context of an organization, but this endpoint does not return any permissions that a user may have as a result of a role assignment they have within an organization.
I am aware that organization-derived permissions can be made available in a user’s access token via RBAC settings. However, I need programmatic access to the permissions via an admin account (i.e. via the Management API).
I am also aware that one can derive these permissions “manually” by querying the user’s roles within the organization, then by querying the list of permissions for each role, but this is costly in terms of Management API rate limits/quotas.
Is there a single endpoint that can be called to get a user’s permissions within an organization?
PS: What I am ultimately trying to do is get access to a user’s organization-derived permissions from within an Auth0 Rule, Action, or Hook. As far as I know, the only way to get any of the permissions (but only the ones derived from roles assigned outside an org) is by calling the Management API.
Thanks for your reply @rueben.tiow. Your two-step approach makes sense for how to solve this problem.
FYI, I did see this other feature request, and this endpoint would be useful for me for other reasons, but my endpoint request is slightly different: rather than providing a role and getting the users that belong to that role in a given organization, I am looking to provide a user and get the permissions that belong to that user in a given organization. But I understand that your two-step solution above can accomplish this; it’s just that I’d rather be able to accomplish this in a single Management API call as opposed to a Management API call plus an additional Management API call for each role. (Maybe there’s a way to cache these calls to get permissions for each role without resorting to a Management API call each time?)
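
The two-step lookup described in this thread, with the per-role permission caching asked about in the last reply, as an added example that is not part of the original posts or Auth0's own code. `fetchJson` is a hypothetical helper that performs an authenticated Management API GET and returns parsed JSON; the in-memory `Map` and the five-minute TTL are assumptions.

```javascript
// Added example. fetchJson(path) is a hypothetical helper: authenticated GET
// against the Management API, resolving to the parsed JSON array.
const ROLE_TTL_MS = 5 * 60 * 1000;   // assumed TTL; bounds how stale a role's permissions can be
const PAGE_SIZE = 100;
const rolePermCache = new Map();     // roleId -> { expires, perms }

// Step 2: permissions of one role, served from cache while the entry is fresh.
async function getRolePermissions(fetchJson, roleId, now = Date.now()) {
  const hit = rolePermCache.get(roleId);
  if (hit && hit.expires > now) return hit.perms;
  const perms = [];
  for (let page = 0; ; page++) {
    const batch = await fetchJson(
      `/api/v2/roles/${encodeURIComponent(roleId)}/permissions?per_page=${PAGE_SIZE}&page=${page}`);
    perms.push(...batch);
    if (batch.length < PAGE_SIZE) break;   // short page means last page
  }
  rolePermCache.set(roleId, { expires: now + ROLE_TTL_MS, perms });
  return perms;
}

// Step 1 + merge: the user's roles in the organization (never cached, so a
// removed role assignment is honoured at once), then the de-duplicated union
// of each role's permissions as "audience|permission" strings.
async function getOrgPermissions(fetchJson, orgId, userId, now = Date.now()) {
  const roles = await fetchJson(
    `/api/v2/organizations/${encodeURIComponent(orgId)}/members/${encodeURIComponent(userId)}/roles`);
  const merged = new Set();
  for (const role of roles) {
    for (const p of await getRolePermissions(fetchJson, role.id, now)) {
      merged.add(`${p.resource_server_identifier}|${p.permission_name}`);
    }
  }
  return [...merged].sort();
}
```

After the first lookup, each further lookup costs one Management API call (the membership query) until a role's cache entry expires. A permission removed from a role stays in the result until that expiry, so keep the TTL short if the output feeds authorization decisions.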