How to define and assign different sets of permissions depending on the company of the user?

I have an application where I want a user working as administrator for 2 companies to log in and have the possibility to switch his context in the application:

  • when he is in the context of company 1, he could add, modify, update the products
  • when he switches to the context of company 2 (always with the same account and without relogging), he could only consult the products and add new ones.

My application is a SPA using a backend product API. I am trying to retrieve an access token containing all the permissions by company… But I do not know how to do it, nor whether this is the best way to solve my problem.
What solution could Auth0 provide for this type of problem?

Hi @dypsok,

Welcome to the Community!

You can use role based access control to assign roles and permissions to your user. You can pass the role in the JWT if you need it there, or just pass the permissions for different APIs that are associated with the roles.

For a scenario like you have described, you will want to make your roles descriptive of each application. For example, you could have one role be Accounting - Admin and another role be Marketing - Editor. This user will have admin privileges for the accounting API and editor privileges for the Marketing API.

Does this make sense?

Hi,
Thank you, I understand!
The problem is that there is only one application and one user that should have the ability to dynamically change his context without relogging himself… Only when he switches to the company 2 context, he could not change any data, only consult it… Maybe an image will be clearer:

@dypsok,

You could do the same thing with roles. Your user could have two roles: Company 1 - Reader and Company 2 - Admin, or something like that. You can add these roles to the token then use that to determine what the user is allowed to do.

1 Like
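The approach in the answer above, carried through on the API side as an added example (this is not code from the thread, Auth0 or the asker's project): the access token carries one role per company, the SPA tells the API which company context is active, and the API decides purely from the roles in the token. It assumes the token signature, issuer, audience and expiry have already been verified by your JWT library, and that an Auth0 Action has copied the user's roles into a namespaced custom claim (the claim name, role names and permission strings below are constructed for the example).

```javascript
// Added example, not code from the thread. Assumptions:
//  - the access token has ALREADY been verified (signature, issuer, audience,
//    expiry) before these functions run; they only read the decoded claims;
//  - an Auth0 Action copied the user's roles into the namespaced custom claim
//    below (the claim name is an assumption, use your own namespace).
const ROLES_CLAIM = "https://example.com/roles";

// Constructed role definitions using the "<Company> - <Role>" naming the
// answer suggests. Each role grants permissions in exactly one company.
const ROLE_DEFINITIONS = {
  "Company 1 - Admin": {
    company: "company1",
    permissions: ["read:products", "create:products", "update:products"],
  },
  "Company 2 - Contributor": {
    company: "company2",
    permissions: ["read:products", "create:products"],
  },
};

// Permissions the token grants for one company context. Roles that are not
// defined, or belong to a different company, contribute nothing.
function permissionsForCompany(claims, companyId) {
  const roles = Array.isArray(claims[ROLES_CLAIM]) ? claims[ROLES_CLAIM] : [];
  const granted = new Set();
  for (const role of roles) {
    const def = ROLE_DEFINITIONS[role];
    if (def && def.company === companyId) {
      def.permissions.forEach((p) => granted.add(p));
    }
  }
  return granted;
}

// True only if the token holds a role in that company AND the role grants the
// permission. Company membership comes from the token, never from the client.
function isAllowed(claims, companyId, permission) {
  return permissionsForCompany(claims, companyId).has(permission);
}

// Framework-agnostic handler for the product API. When the user switches
// context, the SPA sends the active company in a header (no re-login, the
// token already carries both roles); the API enforces against the token.
function handleProductRequest(claims, request) {
  const companyId = request.headers["x-company-id"];
  if (!companyId) return { status: 400, body: "missing X-Company-Id header" };

  const needed = {
    GET: "read:products",
    POST: "create:products",
    PUT: "update:products",
  }[request.method];
  if (!needed) return { status: 405, body: "method not allowed" };

  if (!isAllowed(claims, companyId, needed)) {
    return { status: 403, body: `${needed} denied in ${companyId}` };
  }
  return { status: 200, body: `${request.method} /products ok for ${companyId}` };
}

// Constructed claims as they would look after verification: one user, admin in
// company 1, read/create only in company 2 (the scenario from the question).
const SAMPLE_CLAIMS = {
  sub: "auth0|example-user",
  [ROLES_CLAIM]: ["Company 1 - Admin", "Company 2 - Contributor"],
};

// Stand-alone demonstration of a context switch with the same token.
console.log(handleProductRequest(SAMPLE_CLAIMS, { method: "PUT", headers: { "x-company-id": "company1" } }));
console.log(handleProductRequest(SAMPLE_CLAIMS, { method: "PUT", headers: { "x-company-id": "company2" } }));
```

The point of keying the check on the token's roles rather than on the header alone is that a client cannot gain access to a third company by sending its id: with no role for that company in the token, every permission is denied there, and the update that is allowed in company 1 is refused in company 2 with the same token.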

I will try that, thank you.

Let us know if you run into any issues.
