The Permission claim in the Access Token is empty when logging in to an application as an Organization team member.
- The Permissions array is empty in the Access Token even after enabling RBAC settings and the Add Permissions in the Access Token toggle.
- The user was being assigned to those Permissions globally on their user profile (non-organization), instead of having them assigned as an Organization member. The difference is subtle, but it determines whether the Permissions claim is added to the access token.
If we assign the user with the
update:reportspermissions to the user profile through the Auth0 Dashboard > User Management > Users > Roles, then when authenticating through an organization, the access token will not have these permissions. It will have these permissions if the authenticating regularly without the
If we assign the users with the
update:reportspermissions on the Members section of the Auth0 Dashboard > Organizations > Members > Assign Roles, then when authenticating through an organization, the access token will have these permissions. It will not have these permissions if authenticating regularly without the
The recommended solution is to assign the Roles to the user as an Organization member.
Please follow the steps outlined in our Add Roles to Organization Members documentation.