Hey community. From our single-page application, we want to know the current user’s permission so we can control access to certain sections or buttons of our app.
We’re using organizations. As you’re probably aware, permissions are assigned to roles. Users, in my understanding, can be assigned to roles within the context of organizations and can also be assigned to roles directly (outside the context of organizations). Because of this, we essentially need the union of permissions from (1) all the roles the user is assigned to within the organization the user is currently logged into as well as (2) the permissions from all roles that the user is assigned to directly (outside the context of organizations). This concept of unioning permissions from roles is basically what’s described in the RBAC doc.
I see no good way to do this. A solution I can come up with is to take the following steps within a post-login action:
- Call management.organizations.getMemberRoles to get all the groups the user is assigned to within the organization the user is logged into.
- Call management.getPermissionsInRole for each of the roles retrieved in the last step.
- Call management.getUserPermissions to get all the permissions related to the roles the user is assigned to outside the context of organizations. I assume that’s what this method is doing anyway. The docs are sparse.
- Merge all the permissions retrieved in the last two steps and add the result to a custom claim on the ID token.
This is obviously very expensive and not feasible.
Another potential solution in our case would be to just copy over the scopes or permissions (if we use the Add Permissions in the Access Token feature) from the access token to the ID token, but I don’t see any way to reference the access token scopes or permissions through actions or rules.
How are we supposed to accomplish this? If we’re not supposed to accomplish this for some security reason, can we get an explanation? This seems like it would be a very common use case.
FWIW, I’ve read the following related posts and I don’t see an answer that actually solves this issue.
The following question received no answers and doesn’t take organizations into consideration.
The following question’s “solution” references a thread that doesn’t take organizations into consideration. Am I misunderstanding?
The following question wanted permissions from not only the org the user is logged into but other orgs as well. In our case, we don’t need (or want) permissions from other orgs, but the comments seem to suggest there’s no good way of solving even our simpler requirements.
The following question has an answer that provides guidance on how to add a user’s permissions to the ID token, but, as far as I’m aware, doesn’t take organizations into consideration.
Thanks in advance!
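As an added example (not code from the original post or Auth0's own), here is the post-login Action shape the four steps above describe, with the Management API client injected so the union logic can be run offline against a constructed stand-in. It assumes the auth0 node SDK v3 call signatures (each call resolving to a plain array), a constructed claim name, and the secret names DOMAIN, CLIENT_ID and CLIENT_SECRET.

```javascript
// Added example: union the permissions of the user's roles in the current
// organization with the permissions held outside any organization, then
// expose the result as a custom ID-token claim.
// Assumption: auth0 node SDK v3 signatures (each call resolves to an array);
// pagination is omitted, so lists beyond one page would be truncated.

const CLAIM = 'https://example.com/permissions'; // constructed claim name

// Return a sorted, de-duplicated list of permission names for one user.
async function collectPermissions(management, userId, orgId) {
  const names = new Set();

  if (orgId) {
    // (1) roles the user holds inside the organization they logged into
    const roles = await management.organizations.getMemberRoles({ id: orgId, user_id: userId });
    for (const role of roles) {
      const perms = await management.getPermissionsInRole({ id: role.id });
      perms.forEach((p) => names.add(p.permission_name));
    }
  }

  // (2) permissions from roles assigned directly, outside any organization
  const direct = await management.getUserPermissions({ id: userId });
  direct.forEach((p) => names.add(p.permission_name));

  return [...names].sort();
}

// In an Action this is assigned to exports.onExecutePostLogin; event and api
// are supplied by the Actions runtime.
const onExecutePostLogin = async (event, api) => {
  const { ManagementClient } = require('auth0');
  const management = new ManagementClient({
    domain: event.secrets.DOMAIN,
    clientId: event.secrets.CLIENT_ID,
    clientSecret: event.secrets.CLIENT_SECRET,
  });
  const perms = await collectPermissions(management, event.user.user_id, event.organization?.id);
  api.idToken.setCustomClaim(CLAIM, perms);
};

// Constructed stand-in for the Management API, for offline demonstration only.
function fakeManagement() {
  const byRole = {
    rol_editor: [{ permission_name: 'read:reports' }, { permission_name: 'write:reports' }],
    rol_viewer: [{ permission_name: 'read:reports' }],
  };
  return {
    organizations: { getMemberRoles: async () => [{ id: 'rol_editor' }, { id: 'rol_viewer' }] },
    getPermissionsInRole: async ({ id }) => byRole[id] ?? [],
    getUserPermissions: async () => [{ permission_name: 'read:profile' }],
  };
}
```

The claim is only a UI hint; the API serving the protected resource must still enforce authorization from the access token's own permissions.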