I’m implementing Role-Based Access Control (RBAC) using Auth0’s Management API and have encountered some limitations. I’d appreciate some clarification on the following issues:
- Lack of granular control: There are no specific endpoints for creating, deleting, or getting individual permissions for an API (user resource). We can only add or modify permissions using the PATCH method on the /api/v2/resource-servers/{API_ID} endpoint, which requires sending the entire ‘scopes’ array. This approach seems inefficient and potentially risky, especially when dealing with a large number of permissions.
- Payload size limitations: I’m concerned about potential restrictions on the size of the payload or the number of scopes we can add in a single PATCH request. Since we can’t add permissions individually, this could become a significant issue as our permission set grows.
- Scalability concerns: Our current system has around 800 permissions. While this may not be an issue now, I’m worried about future scalability, especially given the limitations mentioned above.
Questions:
- Are there any plans to introduce more granular control over permissions, such as dedicated endpoints for creating, deleting, or retrieving individual permissions?
- What are the specific limitations on payload size or the number of scopes we can add in a single PATCH request?
- How do other Auth0 users manage large numbers of permissions efficiently and safely?
- Are there any best practices or workarounds for managing permissions at scale while minimizing the risk of accidental deletions?
Any insights, documentation, or suggestions would be greatly appreciated. Thank you in advance for your help!
Ref: Add API Permissions
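An added worked example, not from the original post and not Auth0's own SDK, of the read-modify-write pattern the post describes: fetch the resource server, compute the complete replacement `scopes` array locally, refuse any request that would drop a scope not explicitly listed for removal, and only then PATCH /api/v2/resource-servers/{API_ID}. The helper names, the `abc123` resource-server id, the injected `get`/`patch` transport, the `FakeResourceServer` stand-in and the 800 constructed scopes are all assumptions for the demo; `max_body_bytes` is a caller-chosen guard, not a documented Auth0 limit.

```python
"""Read-modify-write helper for Auth0 resource-server scopes (added example,
not Auth0 code). The Management API only accepts the whole `scopes` array on
PATCH, so every add/remove is expressed as a full replacement computed here,
with a guard against silently dropping scopes. Transport is injected so the
logic runs offline against the in-memory stand-in below."""
import json
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Scope = Dict[str, str]                 # {"value": "read:users", "description": "..."}
GetFn = Callable[[str], dict]          # get(path) -> decoded JSON
PatchFn = Callable[[str, dict], dict]  # patch(path, body) -> decoded JSON


def merge_scopes(current: List[Scope], add: Iterable[Scope],
                 remove: Iterable[str] = ()) -> List[Scope]:
    """Pure function: existing order kept, `add` inserted (or its description
    updated if the value already exists), values in `remove` dropped."""
    remove_set = set(remove)
    unknown = remove_set - {s["value"] for s in current}
    if unknown:
        raise ValueError(f"cannot remove scopes that do not exist: {sorted(unknown)}")
    merged: Dict[str, Scope] = {s["value"]: dict(s) for s in current}
    for s in add:
        value = s.get("value")
        if not value:
            raise ValueError("every scope needs a non-empty 'value'")
        if value in remove_set:
            raise ValueError(f"{value!r} is listed for both add and remove")
        merged[value] = {**merged.get(value, {}), **s}
    for value in remove_set:
        merged.pop(value)
    return list(merged.values())


def unintended_drops(current: List[Scope], proposed: List[Scope],
                     allowed: Iterable[str] = ()) -> List[str]:
    """Scopes present on the server that `proposed` would silently delete."""
    lost = {s["value"] for s in current} - {s["value"] for s in proposed} - set(allowed)
    return sorted(lost)


def update_resource_server_scopes(api_id: str, add: List[Scope], remove: List[str],
                                  get: GetFn, patch: PatchFn,
                                  max_body_bytes: Optional[int] = None) -> dict:
    """Fetch, merge, guard, then PATCH the full array. `max_body_bytes` is a
    caller-chosen safety limit (assumption; Auth0's real limit is not known here)."""
    path = f"/api/v2/resource-servers/{api_id}"
    current = get(path).get("scopes", [])
    proposed = merge_scopes(current, add, remove)
    lost = unintended_drops(current, proposed, remove)
    if lost:  # merge_scopes should make this impossible; guard the wire anyway
        raise RuntimeError(f"refusing PATCH: would drop {lost[:5]}")
    body = {"scopes": proposed}
    size = len(json.dumps(body).encode())
    if max_body_bytes is not None and size > max_body_bytes:
        raise RuntimeError(f"PATCH body is {size} bytes, above limit {max_body_bytes}")
    return patch(path, body)


def management_api(domain: str, token: str) -> Tuple[GetFn, PatchFn]:
    """Real transport via stdlib urllib. `domain` is the tenant host and `token`
    a Management API token that can read and update resource servers."""
    def call(method: str, path: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"https://{domain}{path}", data=data, method=method,
                                     headers={"Authorization": f"Bearer {token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return (lambda p: call("GET", p)), (lambda p, b: call("PATCH", p, b))


class FakeResourceServer:
    """Constructed offline stand-in: PATCH replaces the whole array, as Auth0 does."""
    def __init__(self, scopes: List[Scope]) -> None:
        self.scopes = [dict(s) for s in scopes]
        self.patches: List[dict] = []

    def get(self, path: str) -> dict:
        return {"id": path.rsplit("/", 1)[-1], "scopes": [dict(s) for s in self.scopes]}

    def patch(self, path: str, body: dict) -> dict:
        self.patches.append(body)
        self.scopes = [dict(s) for s in body["scopes"]]
        return self.get(path)


def demo() -> FakeResourceServer:
    """800 constructed scopes; add one, reword one, remove one, in a single safe PATCH."""
    fake = FakeResourceServer([{"value": f"read:item{i}", "description": f"Read item {i}"}
                               for i in range(800)])
    update_resource_server_scopes(
        "abc123",  # hypothetical resource-server id
        add=[{"value": "delete:item0", "description": "Delete item 0"},
             {"value": "read:item1", "description": "Read item one"}],
        remove=["read:item799"],
        get=fake.get, patch=fake.patch)
    return fake


if __name__ == "__main__":
    server = demo()
    print(len(server.scopes), "scopes after PATCH;", len(server.patches), "request(s) sent")
```

For a real tenant, swap the fake for `get, patch = management_api("your-tenant.auth0.com", token)`. The stand-in also makes the hazard in the post concrete: calling `fake.patch(path, {"scopes": [one_scope]})` directly leaves exactly one scope, which is why the guard compares the server's current array against the proposed one before anything is sent.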