Granular RBAC & Super User Resource Access

I have a UI that lists data that is dependent on your role.

Let’s say there’s a related endpoint called GET /cars

If you are a “regular” user, you’ll see cars that are related to you (either you own them or you’re leasing them or something). If you are a “super user” then you’ll see all of the cars for all users.

Any “best practices” on how to achieve this level of granularity for an API service that has many api endpoints that need to make this sort of distinction?

I guess more generally - the set of data available to a user should be dependent on their role. But the operations on that set are the same (i.e. both regular users and super users can list cars) irrespective of their role.

Hi @gio,

Welcome to the Community!

You can associate permissions to roles for your registered API using the Authorization Core. Here are details about RBAC in general from our docs: https://auth0.com/docs/authorization/rbac/

Here is a guide to walk you through registering an API, creating permissions for your API, creating roles, and associating permissions with those roles: https://auth0.com/docs/authorization/how-to-use-auth0s-core-authorization-feature-set

This is not the solution.

I should have mentioned that I’m well aware of roles and permissions in Auth0. And indeed, I am already taking advantage of roles and permissions to say that “regular users” can view cars, but so too does a super user.

I mentioned:

for an API service that has many api endpoints that need to make this sort of distinction?

My solution is to use ACLs in addition to roles and permissions.

More info here:
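A worked example of the approach this reply lands on (one coarse RBAC permission that gates the operation, plus a per-resource ACL that scopes the result set), added here as illustration and not code from either poster. The claims layout mimics an Auth0 access token with RBAC enabled; the `read:cars:all` permission name, the ACL shape and the car data are constructed assumptions.

```python
# Added example: coarse RBAC permission check plus per-resource ACL scoping.
# The claims layout mimics an Auth0 access token with RBAC enabled (the
# "permissions" claim); the permission names and data below are constructed.
from typing import Dict, List

# Constructed car records; "acl" lists the subjects allowed to read each one.
CARS: List[Dict] = [
    {"id": "car-1", "model": "Sedan", "acl": ["auth0|alice"]},
    {"id": "car-2", "model": "Van",   "acl": ["auth0|bob", "auth0|alice"]},
    {"id": "car-3", "model": "Coupe", "acl": ["auth0|carol"]},
]


class Forbidden(Exception):
    """Raised when the caller lacks the permission for the operation."""


def is_allowed(claims: Dict) -> bool:
    """Step 1 (RBAC): both regular and super users need the same permission."""
    return "read:cars" in set(claims.get("permissions", []))


def list_cars(claims: Dict, cars: List[Dict] = CARS) -> List[Dict]:
    """Return the cars the caller may see for GET /cars.

    The operation is gated by one permission. The result set is then scoped
    by the ACL unless the caller holds the assumed "read:cars:all" permission,
    which marks a super user.
    """
    if not is_allowed(claims):
        raise Forbidden("missing read:cars")
    if "read:cars:all" in set(claims.get("permissions", [])):
        # Super user: same operation, unscoped result set.
        return list(cars)
    subject = claims["sub"]
    # Regular user: only records whose ACL names the caller.
    return [car for car in cars if subject in car["acl"]]


def visible_ids(claims: Dict) -> List[str]:
    """Convenience wrapper returning just the ids the caller may see."""
    return [car["id"] for car in list_cars(claims)]
```

The same two-step check (operation permission, then ACL scoping) applies unchanged to the other endpoints the original question mentions; only the ACL lookup differs per resource type.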
