Group my users?

users
user-group

#1

Hi,

In our existing system we have users grouped by client/company. I’m aware that Auth0 has a user group concept, but I gather it’s a different kind of thing, more like a rights/roles assignment entity, e.g. “regular users”, “admins” etc.

In our case, there will be almost as many companies as users (most companies have a single user, some have a few and very few have many users).

Our intention is to move our user database to Auth0 and we will start this process by a connection to our old database and activating auto migration. Got the login script working already.

But how would we best handle the “company” concept within Auth0?

The connection is able to return a unique id for the company, along with any other attributes that may be useful, e.g. invoice address etc.


#2

You can store the company ID in app_metadata. Using a rule, you can return it in the login token. If you need to find all users from a certain company, you can use the User Search API to search for that particular field in app_metadata.

(One small detail: the User Search API can return a maximum of 1000 users, so keep that in mind whilst performing a search)


#3

Thanks, that’s good! A couple of follow-up questions though.

Can the app_metadata be filled from my legacy database using a custom database connection marked to auto migrate users? If so, how should it be returned in the object passed to the login script’s callback function?

I assume there’s no way to attach attributes to the “group”? I mean, I could obviously have multiple app_metadata attributes that would contain info about the company, but this would duplicate the information among the company’s users, right?

So, to be able to store data at the company level, I would essentially need a custom database and a connection to it?


#4

Yes, you can fill app_metadata using your legacy database, but keep in mind this part when writing your script:

If setting app_metadata, call it metadata in the script. To support backwards compatibility, app_metadata is called metadata in custom DB scripts.

Exactly. The Auth0 datastore isn’t designed to hold that group type data. If you need it in your login ticket, you could use a rule to fetch the data during login. The Auth0 Authorization Extension works the same way.


#5

Thanks. Understood. Is it correct that the returned metadata item should be an object with any properties I desire? E.g. script snippet:

callback(null, {
  user_id: 'MyConn|123456',
  email: 'kjell@company.com',
  email_verified: true,
  metadata: {
    company_id: 654321,
    priority_level: 'Gold'
  }
});

#6

Yes, you can put pretty much anything in app_metadata (and user_metadata). There’s a list on best practices and restrictions for metadata.
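
The two pieces discussed in this thread, put together as an added example that is not part of any post above and is not Auth0's own code: a custom database login script returns the company ID under `metadata`, and a rule copies it from `app_metadata` into the tokens. The claim namespace, the legacy column names, the helper names and the choice to reject logins without a company are assumptions; the sample data is constructed so the code runs locally outside Auth0.

```javascript
// Added example: names marked "assumed" are not from the thread.
const CLAIM_NS = 'https://example.com/'; // assumed namespace for custom claims

// Login script helper: map a legacy row (assumed column names) to the
// profile passed to callback(). app_metadata is returned as `metadata`.
function toAuth0Profile(row) {
  const companyId = Number(row.company_id);
  if (!Number.isInteger(companyId) || companyId <= 0) {
    throw new Error('legacy row has no valid company_id');
  }
  return {
    user_id: String(row.id),
    email: row.email,
    email_verified: Boolean(row.email_verified),
    metadata: { company_id: companyId } // only what the apps need
  };
}

// Rule: copy company_id, and nothing else, from app_metadata into the tokens.
// user_metadata is never read here because users can edit it themselves.
function addCompanyClaim(user, context, callback) {
  const meta = user.app_metadata || {};
  if (!Number.isInteger(meta.company_id)) {
    // Assumed policy: reject the login rather than issue a token
    // that leaves the application guessing the tenant.
    return callback(new Error('user has no company assigned'));
  }
  context.idToken = context.idToken || {};
  context.accessToken = context.accessToken || {};
  context.idToken[CLAIM_NS + 'company_id'] = meta.company_id;
  context.accessToken[CLAIM_NS + 'company_id'] = meta.company_id;
  return callback(null, user, context);
}

// Constructed sample data: one legacy row run through both steps.
function demo() {
  const profile = toAuth0Profile({
    id: 123456, email: 'kjell@company.com', email_verified: 1, company_id: '654321'
  });
  // After migration, `metadata` is stored as app_metadata on the user.
  const user = { email: profile.email, app_metadata: profile.metadata,
                 user_metadata: { company_id: 1 } };
  let result;
  addCompanyClaim(user, {}, (err, u, ctx) => { result = err || ctx; });
  return result;
}
```

An application that receives the token should authorize per-company access from the namespaced `company_id` claim, not from any company value sent by the client.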