How to Assign a Role to a Role

In my app, we have a number of different roles set up for different customers. For example, for customer ABC we have roles named ‘ABC Admin’ and ‘ABC ReadOnly’ and for customer DEF we have roles named ‘DEF Admin’ and ‘DEF ReadOnly’. This is working really well for us.

We’re now looking to add different tiers to this application. If a customer is a tier 1 customer then they have access to only a limited scope of functionality. Tier 2 customers can do a little bit more - tier 3 customers can do nearly everything.

So what I want to be able to do now is to assign roles named after these different tiers to the roles named after the customers. So I would want to assign a role (e.g. Tier 2) to another role (e.g. ABC Admin). This is way easier than assigning a second role (Tier 2) to all of the users who are in role ABC Admin. It would also be far easier than adding the list of permissions assigned to the role ‘Tier 2’ to the role ‘ABC Admin’. Is there any way I can do this?

I don’t see any way to do so in the auth0 portal. Is this something that could be done in a rule? i.e. the rule code may say if the user has role ABC Admin then add all of the permissions assigned to the role Tier 2.

Hi @greg.duggleby ,

Welcome to the Community!

Why not assign the permissions to the parent role? You should only have to do this once if I understand everything correctly. You could do it with an API call if you want to make it copy-paste easy.

Otherwise…

You could use a rule to assign the Tier 2 role to any user who has the ABC Admin role, but you won’t see the permissions until the next authentication cycle (the permissions are assigned before the rule runs). You could refresh the token with a silent auth request to refresh the token with all permissions.

It’s not a perfect solution but it can work.

Here is a rule I used to test it:

function (user, context, callback) {
  const assignedRoles = (context.authorization || {}).roles;
  
  if (assignedRoles.includes('ABC Admin') && !assignedRoles.includes('Tier 2')) {
    const ManagementClient = require('auth0@2.31.0').ManagementClient;
    const management = new ManagementClient({
      token: auth0.accessToken,
      domain: auth0.domain
    });
    
	const params =  { id : user.user_id};
  	const data = { "roles" : ["{Tier_2_ROLE_ID}"]};

  	management.users.assignRoles(params, data, function (err, user) {
   	 if ( err ) {
    	  // Handle error.
    	  console.log(err);
  	  }    
  	});
  }

  callback(null, user, context);
}