Get User permissions within an organisation

We have users who can be assigned to multiple Auth0 organisations. Under these organisations they can have different permissions setup depending on the role chosen at the point of invitation.

For our application, we need to answer a seemingly simple question of “What permissions does this user have in a given organisation?”

Unfortunately looking though the documentation there’s no simple way of answering this question at the moment without a series of separate Management API requests.

I was hoping that the Get User Permissions API would return a list of permissions derived from the organisation, and the source property for each permission would be the organisation that they’re a member of.

The way we’re having to do it currently is:

As you can imagine this is terribly expensive. Is there another way?

1 Like

Hi @nicky.thorne,

Would adding this data to the user’s tokens solve this? You should be able to get the roles and permissions of the org the user logged into through the tokens. Take a look at this doc:

If this isn’t a solution, please take a moment to elaborate on your use-case.

Hi @dan.woda,

Unfortunately that won’t work for our use case, because the user may not be authenticated against the organisation that we’re checking the permissions for.

In our app a user can be member of multiple organisations. Given that the current token will only contain permission data related to the organisation the user currently logged in to, we need a way of retrieving the users permissions for a given org that they’re attempting to access. Although ideally a single call that can give us all of the users’ permissions, with an indication on where the permission was sourced from (which would be an organisation membership in this case).

For example,

  1. User A authenticated against Org 1. They also have membership roles in Org 3, and Org 4
  2. We have API endpoints that allow an Organisation (our entity) to be updated. We need to use RBAC here to check if the current authenticated user has access to the organisation they are attempting to update (which may not be the one they’re authenticated against).
  3. In order to do that we ideally need an API call to fetch all the permissions the user has in the organisations they are members of. But there isn’t a suitable API for doing that at the moment.

We essentially need a way to introspect the users organisational permissions programatically.

We have thought about how rules can help us here, and we could add the organisation permission to the token as custom claims, but we still need to retrieve that data.

Any advice you give would be greatly apprechiated!

Thanks.

Thanks for elaborating.

I understand the issue here. I can’t find a way to retrieve all of the user’s permissions, including ones from seperate organizations and roles in a single API call.

Adding them to the token as a custom claim in a rule could potentially be more costly (in terms of management API rate limit) than making calls from your backend, as rule will run on every successful authentication (silent auths, refresh token requests, etc) vs. only requesting this data when needed.

Unfortunately, I don’t see a better solution than the one in your initial post. You can create a Feature Request for this if you would like.