There are a lot of different ways you can handle this depending on what kind of application you’re working with.
In my case I’m dealing with a multi-tenant setup and I’m using the Auth0 Authorization addon for web users, retrieving the users roles and permissions from that API once they’re logged in.
I also deal with some limited machine to machine auth that uses the same permissions list that I configure in an apis scopes. So similar to an individual user having a permission, a particular server might have certain permissions.
It’s probably also possible to create two distinct applications and differentiate their level of access using api scopes, but then you would need to use a different client id to log in an administrator vs a user.
The other option is to handle all that on your side of things rather than depending on Auth0. Auth0 authenticates the user, but doesn’t by default need to handle authorization for the user. All of that could be handled by your own system.