I have a UI that lists data that is dependent on your role.
Let’s say there’s a related endpoint called GET /cars
If you are a “regular” user, you’ll see cars that are related to you (either you own them or you’re leasing them or something). If you are a “super user” then you’ll see all of the cars for all users.
Any “best practices” on how to achieve this level of granularity for an API service that has many API endpoints that need to make this sort of distinction?
I guess more generally - the set of data available to a user should be dependent on their role. But the operations on that set are the same (i.e. both regular users and super users can both list cars) irrespective of their role.
You can associate permissions with roles for your registered API using the Authorization Core. Here are details about RBAC in general from our docs: https://auth0.com/docs/authorization/rbac/
I should have mentioned that I’m well aware of roles and permissions in Auth0. And indeed, I am already taking advantage of roles and permissions to say that “regular users” can view cars, but so too does a super user.
I mentioned:
for an API service that has many api endpoints that need to make this sort of distinction?
My solution is to use ACLs in addition to roles and permissions.
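The pattern the thread converges on, as an added example that is not code from the original posts or from Auth0: the RBAC permission (read:cars) gates the operation, and a separate ACL decides which rows of the result set the caller may see. Every name here is an assumption: the "permissions" claim and a custom roles claim on the access token, the super_user role name, the in-memory car table and the (subject, relation) ACL entries are all constructed sample data.

```python
"""Added example: RBAC for the operation, ACL for the data set.

Assumptions (not from the thread): the access token yields a list of
permissions such as "read:cars" and a list of roles; the ACL is a
per-car set of (subject, relation) pairs; all data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Car:
    id: str
    make: str


@dataclass(frozen=True)
class Principal:
    sub: str                   # token subject, e.g. "auth0|alice"
    roles: frozenset
    permissions: frozenset


class Forbidden(Exception):
    """Caller lacks the permission for the operation."""


class NotFound(Exception):
    """Resource is absent or outside the caller's visible set."""


# Constructed sample data.
CARS = {
    "car-1": Car("car-1", "Volvo"),
    "car-2": Car("car-2", "Saab"),
    "car-3": Car("car-3", "Skoda"),
}

# ACL: car id -> set of (subject, relation). Ownership and leasing are
# both relations that make a car visible to that subject.
ACL = {
    "car-1": {("auth0|alice", "owner")},
    "car-2": {("auth0|bob", "owner"), ("auth0|alice", "lessee")},
    "car-3": {("auth0|bob", "owner")},
}

READ_CARS = "read:cars"        # hypothetical RBAC permission name
SUPER_USER = "super_user"      # hypothetical role that sees all data


def require_permission(principal: Principal, permission: str) -> None:
    """Operation-level check: deny by default, regardless of role."""
    if permission not in principal.permissions:
        raise Forbidden(f"{principal.sub} lacks {permission}")


def visible_car_ids(principal: Principal) -> set:
    """Data-level scoping: the role widens the set, the ACL narrows it."""
    if SUPER_USER in principal.roles:
        return set(CARS)
    return {
        car_id
        for car_id, entries in ACL.items()
        if any(subject == principal.sub for subject, _relation in entries)
    }


def list_cars(principal: Principal) -> list:
    """GET /cars: same operation for every role, different result set."""
    require_permission(principal, READ_CARS)
    ids = visible_car_ids(principal)
    return sorted((CARS[i] for i in ids), key=lambda c: c.id)


def get_car(principal: Principal, car_id: str) -> Car:
    """GET /cars/{id}: apply the same scoping to single-object reads so a
    regular user cannot enumerate other users' cars by guessing ids.
    An out-of-scope id is reported exactly like an unknown id."""
    require_permission(principal, READ_CARS)
    if car_id not in visible_car_ids(principal):
        raise NotFound(car_id)
    return CARS[car_id]


# Constructed principals for the scenarios in the thread.
ALICE = Principal("auth0|alice", frozenset({"regular"}), frozenset({READ_CARS}))
BOB = Principal("auth0|bob", frozenset({"regular"}), frozenset({READ_CARS}))
CAROL = Principal("auth0|carol", frozenset({SUPER_USER}), frozenset({READ_CARS}))
# Has the role but not the permission: the operation check still applies.
DAVE = Principal("auth0|dave", frozenset({SUPER_USER}), frozenset())


if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        print(who.sub, [c.id for c in list_cars(who)])
```

The point to keep in mind when applying this to many endpoints is that visible_car_ids is the single place that knows how the role and the ACL combine; each handler calls the permission check and then the scoping function, so adding an endpoint never means re-deriving the rule. In a real service the scoping becomes a WHERE clause or a join against the ACL table rather than an in-memory filter, but the two-step shape is the same.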