I’m sure this is a common question but can’t find an answer on the net. I have a webapp that uses a concept of “Organization” (or Team, or Group, or one of many terms used across the web) and I’m thinking of using the Auth0 Authorization extension to configure groups, roles and permissions. To clarify the concept is the same as a “Group” on the GitLab.com platform. Basically a user can be a member of many Organizations but each user has different permissions in each of the Orgs they are a member of.
Given the following organizations:
- Big Blue
- Big Red
- Big Green
User1 is the Owner of “Big Blue” and has full control. Is a Member of Big Red and can do everything except change user security permissions. And finally is a Viewer in Big Green, with read only access.
Back to the Authorization extension:
I can create roles the “Org:Owner”, “Org:Member”, etc. but then how do I restrict that role to only a given organization? Am I thinking of this in the right way? How have others configured their (token) claims to support this type of setup?