We are building a multi-tenant cloud (SaaS) application and we’re already using Auth0 for authentication. Now we are trying to implement RBAC for the app, but either with Authorization Extension or Authz Core we couldn’t achieve a structure where, besides assigning roles to users/groups, we can aslso specify another dimension—project—for each user-role pair. That is to say we want to specify triples: user-project-role, or group-project-role.
The model of access control is very similar to the one adopted in Trello, Bitbucket or GitHub. Here is shat is special about these services (In this context Trello board = Git repo = project)
- Every user can invite other users to access their projects
- Roles are assigned to each invited user for EACH project
- Invited users can be put in groups and roles can be assigned to groups as well, and again, for EACH project.
So, my question is whether any ready-to-use solutions exist that supports the menioned model?
If no, would it be possible to implement it with custom Auth0 extension?