Getting roles of each user issue

Hi there, we are having performance issues using RBAC as our means of managing authentication within our application.

For a bit of context, we are currently using the core RBAC roles/permissions provided by auth0 for our application. Since currently the core does not provide a concept of ‘groups’ unlike the authorization extension, we manage this ourselves by storing an ‘organizationId’ on a user's app_metadata, which works just fine.

In our application, we display a list of users and their roles. To accomplish this, we first call the management API and call the GET /api/v2/users endpoint, where we also specify app_metadata.organizationId:${organizationId} as a query search param using the search engine to make sure we only get users for the organizationId in their app_metadata. This has worked fine. Unfortunately, each user does not come with their ‘roles’ on this response, which is not ideal and I don’t quite understand why this isn’t attached to the response, as I feel it’s probably a very common use case to want to know each user's roles.

Nonetheless, to work around this, for each user we call GET /api/v2/users/{id}/roles to get their roles and merge these two objects. This is incredibly inefficient as we have to make an individual request for each user. This was okay in the early stages of building our application, but now that our user base has grown, this will not scale (e.g. If I have 1000 users, 1000 individual requests will take an astronomical amount of time to complete and is clearly not good enough from a user experience point of view).

We have also thought about first fetching users on each role by calling GET /api/v2/roles/{id}/users, since the number of roles is far lower in our application, meaning the number of requests sent out would be far lower. The problem with this is that there is no way to specify a search engine query syntax to only get users for a particular organization. This would mean if we had multiple organizations, it will get all users for the specified roles across all organizations, which again, is not scalable.

Another idea was to attach the roles to the app_metadata/user_metadata inside a rule since this will come back in the response for each user. The problem with this is that it does not get updated until a user logs in again, as rules only trigger when a user logs in. Our application provides a way to update roles, but it will not be able to subsequently display their newly assigned role after an update because their user_metadata/app_metadata will not be updated until they re-login and trigger the rule.

Could someone explain to me why roles are not attached to each user object or if there is a way to make a batch call to get roles for a list of users rather than one at a time? I don’t see any way to make this performant enough with the currently provided API.

Regards, Sebastian

4 Likes
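The two-step pattern described in the post above (one user search for the organization, then one roles request per user), written out as an added example that is not from the thread or from Auth0. It bounds how many roles requests are in flight at once so a large user base does not flood the Management API, and it quotes and escapes the organizationId before interpolating it into the search query so a value containing query syntax cannot widen the search to other organizations (this assumes the Auth0 user search follows Lucene phrase-quoting rules). The Management API itself is replaced by a constructed in-memory stand-in (makeFakeApi, with made-up users and roles) so the example runs offline; the real calls are GET /api/v2/users?q=... and GET /api/v2/users/{id}/roles.

```javascript
// Added example: list one organization's users with their roles via the
// N+1 pattern (one search, then one roles call per user), with bounded
// concurrency and a safely built search query. Not Auth0's code.

// Build the user-search query. The organizationId goes into a quoted Lucene
// phrase with `"` and `\` escaped, so a crafted value cannot change the query.
// (Assumption: Auth0 user search v3 follows Lucene phrase-quoting rules.)
function buildOrgQuery(organizationId) {
  const escaped = String(organizationId).replace(/(["\\])/g, '\\$1');
  return `app_metadata.organizationId:"${escaped}"`;
}

// Run fn over items with at most `limit` calls in flight; results keep order.
async function mapWithConcurrency(items, limit, fn) {
  const results = new Array(items.length);
  let next = 0;
  async function worker() {
    while (next < items.length) {
      const i = next++;
      results[i] = await fn(items[i], i);
    }
  }
  const workers = Array.from({ length: Math.min(limit, items.length) }, worker);
  await Promise.all(workers);
  return results;
}

// One search request, then one roles request per user (N+1 requests total).
async function listUsersWithRoles(api, organizationId, concurrency = 5) {
  const users = await api.searchUsers(buildOrgQuery(organizationId));
  const roles = await mapWithConcurrency(users, concurrency, (u) => api.getUserRoles(u.user_id));
  return users.map((u, i) => ({
    user_id: u.user_id,
    email: u.email,
    roles: roles[i].map((r) => r.name),
  }));
}

// Constructed stand-in for the Management API (made-up users and roles).
// It counts requests so the N+1 cost is visible.
function makeFakeApi() {
  const users = [
    { user_id: 'auth0|u1', email: 'alice@example.com', app_metadata: { organizationId: 'org_a' } },
    { user_id: 'auth0|u2', email: 'bob@example.com', app_metadata: { organizationId: 'org_a' } },
    { user_id: 'auth0|u3', email: 'carol@example.com', app_metadata: { organizationId: 'org_b' } },
  ];
  const rolesByUser = {
    'auth0|u1': [{ id: 'rol_1', name: 'admin' }, { id: 'rol_2', name: 'member' }],
    'auth0|u2': [{ id: 'rol_2', name: 'member' }],
  };
  let requests = 0;
  return {
    // Accepts only the quoted-phrase query shape buildOrgQuery produces.
    async searchUsers(q) {
      requests++;
      const m = /^app_metadata\.organizationId:"((?:[^"\\]|\\.)*)"$/.exec(q);
      if (!m) throw new Error('unsupported query: ' + q);
      const wanted = m[1].replace(/\\(.)/g, '$1'); // undo the escaping
      return users.filter((u) => u.app_metadata.organizationId === wanted);
    },
    async getUserRoles(userId) {
      requests++;
      return rolesByUser[userId] || [];
    },
    get requestCount() { return requests; },
  };
}

// Demo run against the stand-in: 2 users, 3 requests (1 search + 2 roles).
const demoApi = makeFakeApi();
listUsersWithRoles(demoApi, 'org_a').then((rows) => {
  console.log(JSON.stringify(rows, null, 2));
  console.log(`${demoApi.requestCount} Management API requests for ${rows.length} users`);
});
```

To use it against a tenant, replace makeFakeApi with an object whose searchUsers and getUserRoles wrap authenticated calls to the two endpoints; the request count grows linearly with the organization's size, which is exactly the scaling problem the post describes.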

Hi Sebastian,

welcome to the Community.

Could someone explain to me why roles are not attached to each user object or if there is a way to make a batch call to get roles for a list of users rather than one at a time?

Most likely because RBAC Core came in later into the core product. I absolutely understand the issues and concerns, and will pass it on to the product team.
I also see the ability to “Get a Role by Name” instead of just “Get a Role by ID” crucial for Rule logic, which is currently not available.

1 Like

I have this same issue, and came up with the same possible solutions. Like you say, none of the solutions are good enough and it is very frustrating there is no proper built in solution for such common functionality.

What did you end up doing in the end?

1 Like

Hi,

Is there any recommended approach for this issue?
I am facing the same task and can’t find a way to fetch organization members with already attached roles without making individual requests for each member.

1 Like

Bump.

I’m having the same challenge. Even a bit more complex, because I am using Organizations. My scenario is building an admin UI around the users in an organization. I want to list all of the users in that org, with their roles.

So I have to make the API call to list the users for the org, which only gives back the id and email (and profile picture and name). Then have to load each user individually, then each role individually. So for 10 users, that is 21 API requests. A more consolidated API would be nice. Maybe even a GraphQL endpoint :)

2 Likes

I’m in the same boat and I’m also using organizations.

I had the same issue, albeit with slightly different context. I needed to bulk load users by email address, and show all the roles for those users. My workaround was to set up a rule that puts the roles in the user's app_metadata, then search for all users using the /api/v2/users endpoint, then simply extract the roles from the user's app_metadata.

I did it with a rule, but it’s actually even easier with the actions which auth0 is recommending using now, so here’s an action that would accomplish the same thing:

exports.onExecutePostLogin = async (event, api) => {
  // Roles assigned to the user through core RBAC, resolved at login time.
  const roles = event.authorization?.roles;
  // Copy them into app_metadata so they come back on GET /api/v2/users.
  // This snapshot only refreshes when the user logs in again.
  if (roles && roles.length > 0) {
    api.user.setAppMetadata("roles", roles);
  }
};
1 Like

Thanks for sharing it with the rest of community!

Hi,

We are also running into this issue. We have a slightly unique flow where the user can be part of multiple organizations and during login we let the user login initially without specifying the organization and then show them a list of organizations they are part of with respective roles in the organizations. To fetch the organizations initially we call retrieve users organization membership API Auth0 Management API v2. However, in order to get the roles of users within each organization we are having to make an API call for each org. And since this happens before user even logs in to an org we cannot update app_metadata with org and role info.


Hi team,

updating this topic with an easy-to-implement solution. With the usage of the

GET /api/v2/organizations/{id}/members

endpoint, you can fetch roles alongside members who belong to an organization.

  • Use the fields parameter to optionally define the specific member details retrieved. If fields is left blank, all fields (except roles) are returned.

  • Member roles are not sent by default. Use fields=roles to retrieve the roles assigned to each listed member. To use this parameter, you must include the read:organization_member_roles scope in the token.

https://auth0.com/docs/api/management/v2/organizations/get-members

Thanks
Dawid
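The members endpoint described above, as an added example that is not from the thread or from Auth0: it pages through GET /api/v2/organizations/{id}/members with fields=roles so every member arrives with its roles in one listing, and it checks the token's scope claim for read:organization_member_roles up front, because a token without that scope gets members with no roles rather than an error. The query parameters fields, include_fields, page and per_page are the ones documented for the endpoint; the read:organization_members listing scope, the member/role object shapes, and the tenant URL YOUR_TENANT.auth0.com and org id org_EXAMPLE are placeholders and assumptions. A constructed in-memory stand-in (makeFakeMembersApi, with five made-up members) replaces the Management API so the example runs offline.

```javascript
// Added example: list an organization's members together with their roles in
// one paginated listing (fields=roles), instead of one roles request per user.
// Not Auth0's code; the Management API is replaced by a constructed stand-in.

// read:organization_member_roles is required for fields=roles (per the docs
// linked above); read:organization_members is assumed to be the listing scope.
const REQUIRED_SCOPES = ['read:organization_members', 'read:organization_member_roles'];

// Return the scopes a space-separated token `scope` claim lacks, so a missing
// role scope is reported before the first call instead of showing up as
// members with empty roles.
function missingScopes(scopeClaim) {
  const granted = new Set(String(scopeClaim || '').split(' ').filter(Boolean));
  return REQUIRED_SCOPES.filter((s) => !granted.has(s));
}

// Build one page's URL. `fields` must name `roles` explicitly, because the
// endpoint omits roles by default.
function membersUrl(baseUrl, orgId, page, perPage) {
  const url = new URL(`/api/v2/organizations/${encodeURIComponent(orgId)}/members`, baseUrl);
  url.searchParams.set('fields', 'user_id,email,roles');
  url.searchParams.set('include_fields', 'true');
  url.searchParams.set('page', String(page));
  url.searchParams.set('per_page', String(perPage));
  return url.toString();
}

// Fetch every member with their role names. `fetchJson(url)` returns the
// parsed response body (an array of members); a short page ends the loop.
async function listOrgMembersWithRoles(fetchJson, baseUrl, orgId, perPage = 50) {
  const members = [];
  for (let page = 0; ; page++) {
    const batch = await fetchJson(membersUrl(baseUrl, orgId, page, perPage));
    for (const m of batch) {
      members.push({ user_id: m.user_id, email: m.email, roles: (m.roles || []).map((r) => r.name) });
    }
    if (batch.length < perPage) break;
  }
  return members;
}

// Constructed stand-in: five made-up members of org_EXAMPLE served in pages,
// honouring `fields` the way the real endpoint does (roles only when asked).
function makeFakeMembersApi() {
  const all = [
    { user_id: 'auth0|u1', email: 'alice@example.com', name: 'Alice', roles: [{ id: 'rol_1', name: 'admin' }, { id: 'rol_2', name: 'member' }] },
    { user_id: 'auth0|u2', email: 'bob@example.com', name: 'Bob', roles: [{ id: 'rol_2', name: 'member' }] },
    { user_id: 'auth0|u3', email: 'carol@example.com', name: 'Carol', roles: [] },
    { user_id: 'auth0|u4', email: 'dave@example.com', name: 'Dave', roles: [{ id: 'rol_2', name: 'member' }] },
    { user_id: 'auth0|u5', email: 'erin@example.com', name: 'Erin', roles: [{ id: 'rol_1', name: 'admin' }] },
  ];
  let requests = 0;
  async function fetchJson(urlString) {
    requests++;
    const url = new URL(urlString);
    if (!url.pathname.endsWith('/api/v2/organizations/org_EXAMPLE/members')) {
      throw new Error('unexpected path ' + url.pathname);
    }
    const fields = (url.searchParams.get('fields') || '').split(',').filter(Boolean);
    const page = Number(url.searchParams.get('page') || 0);
    const perPage = Number(url.searchParams.get('per_page') || 50);
    // With no fields, the real endpoint returns everything except roles.
    const selected = fields.length ? fields : ['user_id', 'email', 'name'];
    return all.slice(page * perPage, (page + 1) * perPage).map((m) => {
      const out = {};
      for (const f of selected) if (f in m) out[f] = m[f];
      return out;
    });
  }
  return { fetchJson, get requestCount() { return requests; } };
}

// Demo run: 5 members in pages of 2 -> 3 requests, each member with roles.
const demoMembersApi = makeFakeMembersApi();
listOrgMembersWithRoles(demoMembersApi.fetchJson, 'https://YOUR_TENANT.auth0.com', 'org_EXAMPLE', 2)
  .then((rows) => {
    console.log(JSON.stringify(rows, null, 2));
    console.log(`${demoMembersApi.requestCount} requests for ${rows.length} members`);
  });
```

Against a real tenant, fetchJson would be a wrapper that sends the Management API token as a Bearer header and parses the JSON body; the request count then depends only on the page size, not on the number of members, which is the improvement over the per-user roles calls discussed earlier in the thread.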