Hi,
I’m working on a project the uses Auth0 for managing users via Social Login (Google). The project is an HR platform for managing business entities like candidates, employees, departments, team meetings and so on.
The Frontend React application lets users perform CRUD operations on the above-listed business entities, via a custom NodeJs API.
The Frontend app uses React Auth0 SDK to obtain an Access Token (the user login process has been implemented as shown here - Auth0 React SDK Quickstarts: Login ) that is passed in the Authorization Header whenever a request to the custom NodeJs API is made.
The routes of the custom API are protected (a checkJwt middleware has been implemented as shown here: Auth0 Node (Express) API SDK Quickstarts: Authorization),
RBAC has been also implemented (Enable RBAC and Add Permissions in the Access Token
are set to true in the Auth0 API settings). For each type of business entity, the following permissions exist:
read:<entity> - Can read all entitites
read:<entity>_own - Can read only owned entities
Some other permissions ...
Consider the following use case:
An HR member (with enough permissions, having the hr-member role) creates a new employee via the FE application. Because the HR member created that resource, he is the owner of the resource. However, the user to which that employee corresponds (having the employee role ) should also be able to view the data. This is not possible, because the employee has only the read:<entity>_own permission and his employee data was actually created by an HR member. I can’t assign the read:<entity> permission to an employee because he shouldn’t be able to view other employee data.
Is it possible to achieve this kind of functionality using Auth0? I think my use case is more close to using ACLs that RBAC and I couldn’t find any ACL-related resources in the Auth0 Docs.
Thanks!