Management API middleware/rules

Is it possible to execute “Actions” or “Rules” on Management API requests (like middleware) the same way you can when requesting an access token?

I want to be able to filter requests to the Management API endpoints on features beyond just scope (make sure that the requesting user has the correct properties in their user profile for what they are requesting; for example, when searching for users by role via /api/v2/users?roles=manager, I want to ensure that the requesting user has the correct role to get users with the requested role).

Simple use case:
3 user roles: admin, manager, employee

Desired goal: admins can see all users, managers can see managers and employees, employees can only see employees

However, the only scope the Management API accepts in regards to this endpoint is read:users, and it is my understanding that once that scope is granted, a user can do everything to that endpoint.
Even if there were a way to block the endpoint with additional scopes (which I could not find a way of doing), it would not completely fit the use case, since it not only needs to protect that endpoint but also certain types of requests (based on the query params) to that endpoint.

Can a “hook” or “middleware” be run when the request comes into the Management API that can read the requesting user’s details (roles, app_metadata, etc.) as well as the request (url, params, body, etc.) and can reject or accept it (process the request: pull data from the db, modify the user based on the request, etc.) based on that information?

Hi @maxwell,

Thanks for joining the Community!

I don’t believe there is a way to set this up with the Management API directly, but one solution would be to create a proxy API.

You could create your own API that interacts with the Management API. You could protect each endpoint with the appropriate scope(s) and then request users with specific roles within the endpoint (e.g. if a user’s access token has the permission “read:managers”, the endpoint would request https://YOUR_DOMAIN/api/v2/users?q=app_metadata.roles%3A%22manager%22).

Here are some docs on registering APIs: Register APIs

And here are some for adding permissions to APIs: Add API Permissions
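A sketch of the authorization step such a proxy API would perform before forwarding anything to the Management API, written as an added example for this thread (not code from the poster or from Auth0). The permission names, the `permissions` claim in the decoded access token and the tenant domain are assumptions; the role visibility rules come from the question.

```javascript
// Added example: proxy-side check that maps the caller's permissions to the
// roles it may search for, then builds the Management API query.
// Permission names and the `permissions` claim are assumptions, not Auth0 defaults.

// Hypothetical permissions registered on the proxy API, following the question's
// model: admin -> everyone, manager -> managers + employees, employee -> employees.
const VISIBLE_ROLES = {
  "read:all_users": ["admin", "manager", "employee"],
  "read:managers": ["manager", "employee"],
  "read:employees": ["employee"],
};

// Union of roles the caller may list, derived from the decoded access token.
function visibleRoles(tokenPayload) {
  const perms = Array.isArray(tokenPayload.permissions) ? tokenPayload.permissions : [];
  const roles = new Set();
  for (const p of perms) {
    for (const r of VISIBLE_ROLES[p] || []) roles.add(r);
  }
  return roles;
}

// Decide on an incoming GET /users?roles=<role> request. Returns the upstream
// Management API URL, or null when the caller may not see users with that role.
// Only plain role names are accepted, so the caller cannot smuggle extra Lucene
// terms into the q= filter.
function buildUsersRequest(tokenPayload, requestedRole, tenantDomain) {
  if (typeof requestedRole !== "string" || !/^[a-z_]+$/.test(requestedRole)) return null;
  if (!visibleRoles(tokenPayload).has(requestedRole)) return null;
  const upstream = new URL(`https://${tenantDomain}/api/v2/users`);
  // URLSearchParams percent-encodes ':' and '"' the same way the thread's URL does.
  upstream.searchParams.set("q", `app_metadata.roles:"${requestedRole}"`);
  return upstream.toString();
}

// Constructed sample: a manager asking for employees is forwarded, asking for
// admins is refused before any Management API call is made.
const managerToken = { permissions: ["read:managers"] };
console.log(buildUsersRequest(managerToken, "employee", "your-tenant.example"));
console.log(buildUsersRequest(managerToken, "admin", "your-tenant.example"));
```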
