How to model the use case where roles are specific to a project and not at an application level

We have a use case where the application has projects and users are added to different roles in various projects. For example, Mike is a registered user. He is Project Manager in one project and a Director in another. I want to be able to authorise his actions in his projects based on the role he holds in it.

How do I model this in Auth0?

Hello @santhosh.sadanandan,

Welcome to the Auth0 Community! Depending on your application architecture you may be able to leverage Auth0’s core authorization feature, but I suspect you may need to build a DIY solution by storing role data in app_metadata. Off the cuff:

"app_metadata": {
  "entitlements": {
    "project_1": {
      "role": "Project Manager"
    },
    "project_2": {
      "role": "Director"
    }
  }
}

Then use an Auth0 Rule to include entitlements data in the user’s ID and / or access tokens.

Or you could potentially use both … use core RBAC to organize scopes / entitlements and user metadata to store project access data. This might work if, for example, all Project Managers have the same entitlements, but restricted by project.
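A worked version of the answer above, added here as an example rather than code from the thread or from Auth0: a Rule in the legacy `function (user, context, callback)` shape that copies `app_metadata.entitlements` into the ID and access tokens under a namespaced claim, followed by the deny-by-default check an API would run for one project. The claim namespace `https://example.com/`, the `ROLE_PERMISSIONS` table and the sample user are assumptions made for the example.

```javascript
// Added example, not from the original thread. Custom claims in Auth0 tokens
// must be namespaced, so the entitlements map is stored under an assumed URL.
const NAMESPACE = 'https://example.com/'; // assumption: replace with your own domain

// Auth0 Rule (legacy Rules signature). Runs at login with the user's profile
// and copies the per-project roles from app_metadata into both tokens.
function addProjectEntitlements(user, context, callback) {
  const entitlements = (user.app_metadata && user.app_metadata.entitlements) || {};
  context.idToken[NAMESPACE + 'entitlements'] = entitlements;
  context.accessToken[NAMESPACE + 'entitlements'] = entitlements;
  return callback(null, user, context);
}

// Assumed role -> permitted actions table (the "core RBAC" half of the answer):
// every Project Manager gets the same actions, restricted per project by the
// entitlements claim. Keep this table on the API side, not in the token.
const ROLE_PERMISSIONS = {
  'Project Manager': ['read', 'update', 'assign_task'],
  'Director': ['read', 'update', 'assign_task', 'approve_budget', 'close_project'],
};

// Resolve the caller's role on one project from the decoded access-token claims.
// hasOwnProperty guards against project ids that collide with Object.prototype
// names (e.g. "constructor"), which would otherwise look like an entitlement.
function roleForProject(claims, projectId) {
  const entitlements = claims[NAMESPACE + 'entitlements'] || {};
  if (!Object.prototype.hasOwnProperty.call(entitlements, projectId)) return null;
  const entry = entitlements[projectId];
  return entry && typeof entry.role === 'string' ? entry.role : null;
}

// Deny by default: no entry for the project, or an unknown role, allows nothing.
function canPerform(claims, projectId, action) {
  const role = roleForProject(claims, projectId);
  if (!role) return false;
  const allowed = ROLE_PERMISSIONS[role] || [];
  return allowed.includes(action);
}

// Run the Rule against a constructed login context and return the access-token
// claims it would emit, so the check below can be exercised offline.
function buildClaimsForUser(user) {
  const context = { idToken: {}, accessToken: {} };
  let emitted = null;
  addProjectEntitlements(user, context, (err, _u, ctx) => {
    if (err) throw err;
    emitted = ctx.accessToken;
  });
  return emitted;
}

// Constructed sample user, matching the app_metadata shape from the answer.
const sampleUser = {
  user_id: 'auth0|mike', // constructed value
  app_metadata: {
    entitlements: {
      project_1: { role: 'Project Manager' },
      project_2: { role: 'Director' },
    },
  },
};

const demoClaims = buildClaimsForUser(sampleUser);
console.log('PM assigning a task in project_1:', canPerform(demoClaims, 'project_1', 'assign_task'));
console.log('PM approving budget in project_1:', canPerform(demoClaims, 'project_1', 'approve_budget'));
console.log('Director approving budget in project_2:', canPerform(demoClaims, 'project_2', 'approve_budget'));
console.log('Any action in project_3 (no entitlement):', canPerform(demoClaims, 'project_3', 'read'));
```

The API should take `projectId` from the request path and look it up in the token, never trust a role name sent by the client; and because the roles are baked into the token at login, a change to `app_metadata` only takes effect at the next token issuance, so keep access-token lifetimes short if project membership changes often.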

