Is it possible to execute “Actions” or “Rules” on Management API requests (like middleware) the same way you can when requesting an access token?
I want to be able to filter requests to the Management API endpoints on features beyond just scope (make sure that the requesting user has the correct properties in their user profile for what they are requesting; for example, when searching for users by role via /api/v2/users?roles=manager,
I want to ensure that the requesting user has the correct role to get users with the requested role).
Simple use case:
3 user roles: admin, manager, employee
Desired goal: admins can see all users, managers can see managers and employees, employees can only see employees
However, the only scope the Management API accepts in regards to this endpoint is read:users,
and it is my understanding that once that scope is granted, a user can do everything on that endpoint.
Even if there were a way to block the endpoint with additional scopes (which I could not find a way to do), it would not completely fit the use case, since it needs to protect not only that endpoint but also certain types of requests (based on the query params) to that endpoint.
Can a “hook” or “middleware” be run when the request comes into the Management API that can read the requesting user’s details (roles, app_metadata, etc.) as well as the request (URL, params, body, etc.) and can reject or accept (process the request: pull data from the DB, modify the user based on the request, etc.) based on that information?
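An added example (not from the original post or from Auth0) of the role-hierarchy gate described above, written as a check that a backend of your own would run before forwarding a user search to the Management API. It assumes the backend holds the Management API token and that the caller's roles and the requested URL are already known to it; the `roles` query parameter and the three-role hierarchy are taken from the post.

```python
from urllib.parse import urlparse, parse_qs

# Constructed hierarchy for this scenario: a higher rank may see equal or lower ranks.
ROLE_RANK = {"employee": 0, "manager": 1, "admin": 2}


def max_rank(roles):
    """Highest rank among the requester's roles; -1 if none are recognised."""
    return max((ROLE_RANK[r] for r in roles if r in ROLE_RANK), default=-1)


def can_search_role(requester_roles, requested_role):
    """Allow when the requester's best role outranks or equals the requested role.
    Unknown requested roles are denied (default deny)."""
    if requested_role not in ROLE_RANK:
        return False
    return max_rank(requester_roles) >= ROLE_RANK[requested_role]


def authorize_user_search(requester_roles, url):
    """Decide whether a proxied GET /api/v2/users request may be forwarded.

    Returns (allowed, reason). Only the users endpoint is handled here; anything
    else is refused so that an unhandled path can never slip through the gate.
    """
    parsed = urlparse(url)
    if parsed.path != "/api/v2/users":
        return False, "path not handled by this gate"
    params = parse_qs(parsed.query)
    # Accept both repeated ?roles=a&roles=b and comma-separated ?roles=a,b forms.
    requested = []
    for value in params.get("roles", []):
        requested.extend(v.strip() for v in value.split(",") if v.strip())
    if not requested:
        # No role filter means "list everyone", which only admins may do.
        if max_rank(requester_roles) < ROLE_RANK["admin"]:
            return False, "unfiltered listing requires admin"
        return True, "ok"
    for role in requested:
        if not can_search_role(requester_roles, role):
            return False, f"not permitted to search role {role!r}"
    return True, "ok"
```

Checks on app_metadata fields or the request body can be added to the same function before the call is forwarded; the Management API token itself never leaves the backend.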