I would like to support a scenario where a user belongs to multiple groups and has different permissions in each one.
For example, Bob is in Department A and Department B. In Department A, Bob can create Vendors and in Department B, Bob can approve Invoices.
I was thinking of implementing this using the Authorization Extension and creating a group for each Department and placing Bob in both groups. But it seems that when getting permissions for Bob using the API I cannot specify which group permission I’m interested in. I can only get the total permissions for Bob and they are the union of all his permissions so the result is that Bob can both approve Invoices and create Vendors.
Is there an API in Auth0 that will do what I want, should I architect things different in Auth0 or is Auth0 not suitable for this and I should use business logic in my app to make these decisions?
I’m not sure if this fits your scenario, but here’s how we’re doing something similar. We have different apps a user can login to and for each app that user might have different roles.
Note: This is using core authorization, not sure how this would work with the authorization extension
Create an API for each realm of permissions (ie, Department A and Department B). Within those API’s you can set all the possible permissions for each API. Enable RBAC in the API and also enable “Add Permissions in the Access Token”.
Create roles corresponding to the different API’s. Add user to the roles you would like them to have.
When the user authenticates, they pass in a ‘audience’ that matches the API they’re authenticating against. Auth0 will match that API to the relevant permissions and only include those permissions in the access token under a key called "permissions":[]
Thanks for the response @michael.glenney. I work with @melmendorf and I would like to pursue this a little further. The whole Department thing was just picked as an abstraction and I will go with it.
Let’s say we have thousands of departments. I could create audiences by putting the department id at the end like this - “api.mycompany.com/department/1934”. As far as I can tell there are no limits to how many APIs I can have in my tenant but I do not see a way to create them through the management API. If I’m not able to create APIs/audiences programatically, it makes it impossible for me to use this solution.
They’re also supported in things like the gitlab extension (which we use) https://auth0.com/docs/extensions/gitlab-deploy which can be a nice way to get it done without having to write any code.