At usebubbles.com we’re looking into integrating Auth0.
So far we’ve identified that we’ll need to create roles (e.g. TeamAdmin, TeamMember, etc.) and permission (e.g. CreateComment, DeleteComment). What’s missing for us is how to perform authorization based on whether the user actually has access to the requested resource.
If user A owns resource X and has role TeamMember, they may be able to delete resource X given that the TeamMember role has the DeleteComment permission. But what if resource X is owned by user B, and not by user A? How do we ensure that user A cannot delete user B’s resources, and how does this relate to RBAC? How would one implement this with Auth0?
Similarly, what if we cannot simply assume that users can only access their own resources, but that for example a TeamAdmin may delete all resources within a given team, while TeamMembers may only delete their own resources? How would one implement this and where is this documented in the Auth0 documentation?