Including permissions in bulk import

Is there a way to assign permissions during bulk upload? I don’t see permissions listed in the bulk upload schema. One approach would be to stash the permissions in metadata then use a hook to apply the permissions using the metadata as the source, but this sounds too hackish to me.

Hi @john.boldt,

It doesn’t look like you will be able to import permissions with the import job endpoint or extensions. The best way I can suggest is to either import them as app_metadata as you have suggested (and convert them in a rule), or to add them after the import programmatically using the management API.

Hope this helps!
Dan

Thanks @dan.woda! Placing the permissions in app_metadata works fine. I was hoping I could then set the JWT’s permissions claim in the rule after the user is authenticated, but apparently you’re not allowed to overwrite the permissions claim. Am I correct?

Instead of writing them to permissions or a custom claim every time the rule is run, have the rule import them via the Management API when the user has permissions in app_metadata, then delete them from app_metadata when finished. Be careful using the Management API in rules, as you can quickly hit the rate limit if you are calling it every authentication. I wrote you a rule that goes through the general flow. Be sure to test this before putting it into production. Something like this:

function (user, context, callback) {
    user.app_metadata = user.app_metadata || {};

    // Nothing to migrate: continue the login without calling the Management API.
    if (!user.app_metadata.importedPermissions) {
        console.log("no permissions in app_metadata");
        return callback(null, user, context);
    }

    var ManagementClient = require('auth0@2.23.0').ManagementClient;
    var management = new ManagementClient({
        token: auth0.accessToken,
        domain: auth0.domain
    });

    var params = { id: user.user_id };
    var data = { "permissions": user.app_metadata.importedPermissions };

    management.assignPermissionsToUser(params, data, function (err) {
        if (err) {
            // importedPermissions stays in app_metadata, so the next login retries.
            console.log(err);
            return callback(null, user, context);
        }

        console.log("added permissions to user");
        delete user.app_metadata.importedPermissions;

        // Persist the cleaned app_metadata so later logins skip the Management API call.
        auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
            .then(function () {
                console.log("removed permissions from app_metadata");
                callback(null, user, context);
            })
            .catch(function (updateErr) {
                console.log(updateErr);
                callback(null, user, context);
            });
    });
}

This is expecting app_metadata to have this schema:

  "importedPermissions": [
    {
      "permission_name": "do:something",
      "resource_server_identifier": "https://test-api"
    }
  ]

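For the other option mentioned in the thread (adding permissions after the import through the Management API), here is an added example that is not part of the original posts: it checks every `importedPermissions` entry from an import file against an allowlist before anything is assigned, so a malformed or unexpected entry does not become a granted permission. The function name `planAssignments`, the allowlist and the sample users are assumptions; each `data` object has the shape passed to `assignPermissionsToUser` in the rule above.

```javascript
// Added example; names other than the importedPermissions schema are hypothetical.
// Constructed sample of a bulk-import file (not real data).
const sampleImport = [
  { email: 'a@example.com', app_metadata: { importedPermissions: [
    { permission_name: 'do:something', resource_server_identifier: 'https://test-api' },
    { permission_name: 'do:something', resource_server_identifier: 'https://test-api' }, // duplicate
    { permission_name: 'admin:all', resource_server_identifier: 'https://other-api' }    // API not allowlisted
  ] } },
  { email: 'b@example.com', app_metadata: { importedPermissions: 'do:something' } },    // wrong type
  { email: 'c@example.com' }                                                            // nothing to assign
];

// Assumption: API identifier -> permission names that are defined on that API.
const allowed = { 'https://test-api': new Set(['do:something', 'read:things']) };

// Returns per-user payloads that passed validation, plus every rejected entry for review.
function planAssignments(users, allowlist) {
  const plan = [];
  const rejected = [];
  for (const u of users) {
    const raw = u.app_metadata && u.app_metadata.importedPermissions;
    if (raw === undefined) continue;
    if (!Array.isArray(raw)) {
      rejected.push({ email: u.email, reason: 'importedPermissions is not an array' });
      continue;
    }
    const seen = new Set();
    const permissions = [];
    for (const p of raw) {
      const api = p && p.resource_server_identifier;
      const name = p && p.permission_name;
      const known = typeof api === 'string' && typeof name === 'string' &&
        Object.prototype.hasOwnProperty.call(allowlist, api) && allowlist[api].has(name);
      if (!known) {
        rejected.push({ email: u.email, reason: 'not in allowlist', entry: p });
        continue;
      }
      const key = api + '\n' + name;
      if (seen.has(key)) continue; // drop duplicates within one user
      seen.add(key);
      permissions.push({ permission_name: name, resource_server_identifier: api });
    }
    if (permissions.length) plan.push({ email: u.email, data: { permissions } });
  }
  return { plan, rejected };
}

const result = planAssignments(sampleImport, allowed);
console.log(JSON.stringify(result, null, 2));
```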