I would like to support a scenario where a user belongs to multiple groups and has different permissions in each one.
For example, Bob is in Department A and Department B. In Department A, Bob can create Vendors and in Department B, Bob can approve Invoices.
I was thinking of implementing this using the Authorization Extension and creating a group for each Department and placing Bob in both groups. But it seems that when getting permissions for Bob using the API I cannot specify which group permission I'm interested in. I can only get the total permissions for Bob and they are the union of all his permissions, so the result is that Bob can both approve Invoices and create Vendors.
Is there an API in Auth0 that will do what I want, should I architect things different in Auth0 or is Auth0 not suitable for this and I should use business logic in my app to make these decisions?
I'm not sure if this fits your scenario, but here's how we're doing something similar. We have different apps a user can log in to and for each app that user might have different roles.
Note: This is using core authorization, not sure how this would work with the authorization extension
Create an API for each realm of permissions (i.e., Department A and Department B). Within those APIs you can set all the possible permissions for each API. Enable RBAC in the API and also enable "Add Permissions in the Access Token".
Create roles corresponding to the different APIs. Add the user to the roles you would like them to have.
When the user authenticates, they pass in an "audience" that matches the API they're authenticating against. Auth0 will match that API to the relevant permissions and only include those permissions in the access token under a key called "permissions":[]
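The enforcement side of the approach above, as an added example that is not part of the original post: once the access token is issued for one department's audience, that department's API has to check both that the token was issued for it (the `aud` claim) and that the `permissions` array carries the specific permission the action needs. The two decoded token payloads, the department identifiers and the permission names are constructed for this illustration; signature verification of the JWT is assumed to have happened already and is not shown.

```python
"""Audience-scoped permission check for a per-department API.

Constructed example. The two dicts below stand in for decoded Auth0
access-token payloads for Bob, one per audience. With RBAC and "Add
Permissions in the Access Token" enabled on each API (resource server),
Auth0 lists that API's permissions in the "permissions" claim and names
the API in "aud". Identifiers and permission names are made up.
"""
from dataclasses import dataclass

# Hypothetical API identifiers (the "audience" requested at login).
DEPT_A = "api.mycompany.com/department/A"
DEPT_B = "api.mycompany.com/department/B"

# Constructed decoded payloads; a real token would be signature-verified first.
TOKEN_FOR_DEPT_A = {
    "iss": "https://example-tenant.auth0.com/",
    "sub": "auth0|bob",
    "aud": DEPT_A,
    "permissions": ["create:vendors"],
}
TOKEN_FOR_DEPT_B = {
    "iss": "https://example-tenant.auth0.com/",
    "sub": "auth0|bob",
    # Auth0 may emit "aud" as a list when the userinfo audience is included.
    "aud": [DEPT_B, "https://example-tenant.auth0.com/userinfo"],
    "permissions": ["approve:invoices"],
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def audiences(payload):
    """Normalise the "aud" claim, which is either a string or a list."""
    aud = payload.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def authorize(payload, this_api, required_permission):
    """Decide whether a verified token may perform an action on this_api.

    The audience check is what keeps permissions department-scoped: even if
    Bob's Department B token listed create:vendors, Department A's API must
    reject it because the token was not issued for Department A.
    """
    if this_api not in audiences(payload):
        return Decision(False, "token not issued for this API (aud mismatch)")
    if required_permission not in payload.get("permissions", []):
        return Decision(False, f"missing permission {required_permission}")
    return Decision(True, "ok")


if __name__ == "__main__":
    # Department A's API accepts Bob creating vendors ...
    print(authorize(TOKEN_FOR_DEPT_A, DEPT_A, "create:vendors"))
    # ... but not approving invoices, and not a token meant for Department B.
    print(authorize(TOKEN_FOR_DEPT_A, DEPT_A, "approve:invoices"))
    print(authorize(TOKEN_FOR_DEPT_B, DEPT_A, "approve:invoices"))
```

Each department's API only ever sees the permissions Auth0 attached for its own audience, so the union-of-all-groups problem from the question does not arise at the API; the `aud` check is the part that must not be skipped, or a token from one department becomes usable against another.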
Thanks @michael.glenney for sharing that knowledge!
Thanks for the response @michael.glenney. I work with @melmendorf and I would like to pursue this a little further. The whole Department thing was just picked as an abstraction and I will go with it.
Let's say we have thousands of departments. I could create audiences by putting the department id at the end like this - "api.mycompany.com/department/1934". As far as I can tell there are no limits to how many APIs I can have in my tenant but I do not see a way to create them through the management API. If I'm not able to create APIs/audiences programmatically, it makes it impossible for me to use this solution.
I think they are called "resource servers" in the Auth0 Management API v2
They're also supported in things like the gitlab extension (which we use) https://auth0.com/docs/extensions/gitlab-deploy which can be a nice way to get it done without having to write any code.
Hope this helps.
MG
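An added example of creating those resource servers programmatically, not code from anyone in the thread: it builds the request body for the Management API v2 "Create a resource server" endpoint (`POST /api/v2/resource-servers`) for one department, mapping the two settings named earlier in the thread to their API fields (`enforce_policies` for "Enable RBAC", `token_dialect: "access_token_authz"` for "Add Permissions in the Access Token"). The tenant domain, Management API token (which needs the `create:resource_servers` scope), department id and permission names are placeholders; the HTTP call is only made when `AUTH0_DOMAIN` and `AUTH0_MGMT_TOKEN` are set in the environment.

```python
"""Create one Auth0 resource server (API) per department via Management API v2.

Added example. Assumes POST /api/v2/resource-servers with the fields
name, identifier, scopes, enforce_policies and token_dialect as documented
by Auth0. Domain, token and department data are placeholders.
"""
import json
import os
import re
import urllib.request

# Constructed permission set shared by every department API.
DEPARTMENT_PERMISSIONS = {
    "create:vendors": "Create vendors",
    "approve:invoices": "Approve invoices",
}

# Only accept plain numeric ids so an untrusted id cannot reshape the identifier.
_DEPT_ID = re.compile(r"[0-9]+")


def department_identifier(department_id):
    """Identifier (audience) for a department's API, in the form used in the thread."""
    if not _DEPT_ID.fullmatch(str(department_id)):
        raise ValueError(f"unsafe department id: {department_id!r}")
    return f"api.mycompany.com/department/{department_id}"


def resource_server_payload(department_id, name=None):
    """Request body for creating the department's resource server."""
    return {
        "name": name or f"Department {department_id}",
        "identifier": department_identifier(department_id),
        "scopes": [
            {"value": value, "description": description}
            for value, description in DEPARTMENT_PERMISSIONS.items()
        ],
        # Dashboard "Enable RBAC"
        "enforce_policies": True,
        # Dashboard "Add Permissions in the Access Token"
        "token_dialect": "access_token_authz",
    }


def create_resource_server(domain, mgmt_token, department_id):
    """Send the create request; returns the decoded JSON response."""
    body = json.dumps(resource_server_payload(department_id)).encode()
    req = urllib.request.Request(
        f"https://{domain}/api/v2/resource-servers",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {mgmt_token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(resource_server_payload(1934), indent=2))
    domain = os.environ.get("AUTH0_DOMAIN")        # e.g. example-tenant.auth0.com
    token = os.environ.get("AUTH0_MGMT_TOKEN")     # Management API token
    if domain and token:
        print(create_resource_server(domain, token, 1934))
```

The same payload shape can be driven from a deploy pipeline such as the gitlab extension mentioned above; the id validation is there because the department id ends up inside an identifier that clients later request as an audience, so it should never be built from an unchecked string.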
Thanks a lot for that knowledge sharing Michael!