I’m working on a project that uses Auth0 for managing users via Social Login (Google). The project is an HR platform for managing business entities like candidates, employees, departments, team meetings and so on.
The Frontend React application lets users perform CRUD operations on the above-listed business entities, via a custom NodeJs API.
The Frontend app uses the React Auth0 SDK to obtain an Access Token (the user login process has been implemented as shown here: Auth0 React SDK Quickstarts: Login) that is passed in the Authorization header whenever a request to the custom NodeJs API is made.
The routes of the custom API are protected (a checkJwt middleware has been implemented as shown here: Auth0 Node (Express) API SDK Quickstarts: Authorization), and RBAC has also been implemented (Enable RBAC and Add Permissions in the Access Token are set to true in the Auth0 API settings). For each type of business entity, the following permissions exist:

read:<entity> - Can read all entities
read:<entity>_own - Can read only owned entities
Some other permissions ...
Consider the following use case:
An HR member (with enough permissions, having the hr-member role) creates a new employee via the FE application. Because the HR member created that resource, he is the owner of the resource. However, the user to which that employee corresponds (having the employee role) should also be able to view the data. This is not possible, because the employee has only the read:<entity>_own permission and his employee data was actually created by an HR member. I can’t assign the read:<entity> permission to an employee because he shouldn’t be able to view other employee data.
Is it possible to achieve this kind of functionality using Auth0? I think my use case is closer to using ACLs than RBAC, and I couldn’t find any ACL-related resources in the Auth0 Docs.
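The post describes a resource-level ("own") rule that the coarse RBAC permissions in the access token cannot express on their own: whether a given user is the owner or the subject of a given employee record is known only to the API's data, so the API has to make that last decision after checkJwt has verified the token. The following is an added example, not code from the original post or from Auth0, showing one way to layer such a check on top of the permissions claim in an Express-style NodeJs API. It assumes (labelled in comments) that the JWT middleware has already put the verified claims on req.auth, that the permissions claim is an array (as it is when "Add Permissions in the Access Token" is enabled), and that each stored record carries two hypothetical fields, ownerId (the creator's sub) and subjectUserId (the user the employee record describes); the sample identifiers are constructed.

```javascript
// Added example (not from the original post): resource-level "own" checks on
// top of Auth0 RBAC permissions in an Express-style API.
// Assumptions: the JWT middleware has already verified the token and placed
// its claims on req.auth (express-jwt v7+ convention; older versions used
// req.user); claims.permissions is an array because "Add Permissions in the
// Access Token" is enabled; each record carries the hypothetical fields
// ownerId (creator's `sub`) and subjectUserId (the user the record describes).

const OWN_SUFFIX = "_own";

// Decide whether the caller may read one record of the given entity type.
// Returns an object so a denial can be logged with its reason.
function decideRead(claims, entity, record) {
  const permissions = Array.isArray(claims && claims.permissions) ? claims.permissions : [];
  const sub = claims && claims.sub;

  // Fail closed: no subject claim, no access.
  if (!sub) return { allow: false, reason: "missing sub claim" };

  // Full read permission covers every record of this entity type.
  if (permissions.includes(`read:${entity}`)) {
    return { allow: true, reason: "full read permission" };
  }

  // Restricted permission: the creator of the record, or the user it is about.
  if (permissions.includes(`read:${entity}${OWN_SUFFIX}`)) {
    if (record.ownerId === sub) return { allow: true, reason: "owner of record" };
    if (record.subjectUserId === sub) return { allow: true, reason: "subject of record" };
    return { allow: false, reason: "own permission but neither owner nor subject" };
  }

  return { allow: false, reason: "no read permission for entity" };
}

// Express-style middleware factory. loadRecord(req) resolves the requested
// record (e.g. from req.params.id); a missing record yields 404 and a denied
// one 403, and the route handler only runs after the decision allows it.
function requireRead(entity, loadRecord) {
  return async function (req, res, next) {
    try {
      const record = await loadRecord(req);
      if (!record) return res.status(404).json({ error: "not found" });
      const decision = decideRead(req.auth, entity, record);
      if (!decision.allow) return res.status(403).json({ error: "forbidden" });
      req.record = record; // hand the loaded record to the route handler
      return next();
    } catch (err) {
      return next(err);
    }
  };
}

// Constructed sample data for a stand-alone run (not real Auth0 identifiers).
const SAMPLE_EMPLOYEE = {
  id: "emp-1",
  ownerId: "google-oauth2|hr-member-example",      // created by an HR member
  subjectUserId: "google-oauth2|employee-example", // the employee it describes
};
const HR_CLAIMS = { sub: "google-oauth2|hr-member-example", permissions: ["read:employee", "create:employee"] };
const EMPLOYEE_CLAIMS = { sub: "google-oauth2|employee-example", permissions: ["read:employee_own"] };
const OTHER_EMPLOYEE_CLAIMS = { sub: "google-oauth2|someone-else", permissions: ["read:employee_own"] };

const readEmployee = requireRead("employee", async (req) =>
  req.params.id === SAMPLE_EMPLOYEE.id ? SAMPLE_EMPLOYEE : null
);

// Minimal fake req/res/next so the middleware can be exercised without a server.
function runMiddleware(middleware, claims, id = SAMPLE_EMPLOYEE.id) {
  const res = {
    statusCode: 200,
    status(code) { this.statusCode = code; return this; },
    json(body) { this.body = body; return this; },
  };
  let nextCalled = false;
  return middleware({ auth: claims, params: { id } }, res, () => { nextCalled = true; })
    .then(() => ({ status: res.statusCode, nextCalled }));
}

// Stand-alone run: the employee may read the record an HR member created about them.
runMiddleware(readEmployee, EMPLOYEE_CLAIMS).then((r) => console.log("employee:", r));
runMiddleware(readEmployee, OTHER_EMPLOYEE_CLAIMS).then((r) => console.log("other:", r));
```

The point of the split is that Auth0 still issues the role-based permissions (read:employee for hr-member, read:employee_own for employee), while the "own" relation is resolved against the record at request time, so an employee can read a record an HR member created about them without being granted the unrestricted permission.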