Including organization member's permission in the IdToken

Hi @matheus.ferreira,

Thank you for your patience.

After looking into this further, there are some things I would like to address.

First, the permissions assigned to a user are not dependent on an Organization, but rather on the API, meaning that they are separate from one another.

Moreover, the thread you shared is the correct way to get the user’s permissions appended to the ID token. The proposed Rule will append the user’s permissions to the ID token for every user, regardless of their Organization status. With that said, I can confirm that this approach is correct.

Next, when enabling the Add Permissions in the Access Token toggle in your API RBAC settings, it will append a permissions claim in the Access token of the permissions assigned to the user. Recall that the user can be assigned from a list of permissions created for the API.

In this case, the access token would look something like the following:

```json
{
  //Redacted claims for brevity
  "permissions": [
    "read:reports",
    "update:reports"
  ]
}
```

Circling back, I recommend using the Rule to append the user’s permission to your ID token.

I hope this addresses your concerns.

Please do not hesitate to reach out if you have any further questions.

Thank you.

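An added example, not code from this thread or from Auth0, of the two halves the reply describes: a Rule-shaped function that appends the user's permissions to the ID token under a namespaced claim, and the API-side check that reads the access token's `permissions` claim populated by the RBAC toggle. The namespace URL, the sample payload and the already-fetched permissions list are assumptions.

```javascript
// Assumed namespace: Auth0 drops custom ID-token claims that are not namespaced,
// so the claim key must be a URL-style prefix plus the claim name.
const NAMESPACE = "https://example.com/";

// Rule-shaped function with Auth0's (user, context, callback) signature, plus an
// explicit `permissions` argument. Assumption: the caller has already fetched the
// user's API permissions (e.g. via the Management API, as the referenced thread
// does); entries may be plain strings or objects with `permission_name`.
function addPermissionsToIdToken(user, context, permissions, callback) {
  const names = (permissions || [])
    .map((p) => (typeof p === "string" ? p : p && p.permission_name))
    .filter((n) => typeof n === "string" && n.length > 0);
  // Deduplicate and sort so the claim is stable across logins.
  context.idToken[NAMESPACE + "permissions"] = [...new Set(names)].sort();
  return callback(null, user, context);
}

// Constructed access-token payload, shaped like the one quoted in the reply.
const SAMPLE_ACCESS_TOKEN_PAYLOAD = {
  iss: "https://example.auth0.com/",   // constructed
  sub: "auth0|000000000000000000000000", // constructed
  aud: "https://reports.example.com",   // constructed API identifier
  permissions: ["read:reports", "update:reports"],
};

// API-side authorization: decide on the access token's `permissions` claim only.
// The ID token is for the client (display, profile); it is not presented to the
// API and must not be used to grant access there.
function hasPermission(accessTokenPayload, required) {
  const perms = Array.isArray(accessTokenPayload.permissions)
    ? accessTokenPayload.permissions
    : [];
  return perms.includes(required);
}

// Stand-alone demonstration.
const demoContext = { idToken: {}, accessToken: {} };
addPermissionsToIdToken(
  { user_id: "auth0|000000000000000000000000" },
  demoContext,
  [{ permission_name: "update:reports" }, "read:reports"],
  (err, user, ctx) => {
    if (err) throw err;
    console.log(ctx.idToken);
  }
);
console.log(hasPermission(SAMPLE_ACCESS_TOKEN_PAYLOAD, "read:reports"));
```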