Organization-wide permissions

Hey team

I’m curious how to exploit an RBAC feature for a “permissions inheritance” case, i.e. set the maximal permissions at the user-group level and override them on a per-user basis on demand. For example, there are three groups of users (three customers in a B2B model), where:

  1. all users from the first group have Permission.A, Permission.B and Permission.C
  2. all users from the second group have Permission.A and Permission.D
  3. users from the third group by default have only Permission.D. Some users from this group have an extra Permission.E but do not have Permission.A

An Organizations feature could be an option here, but group permissions management is not supported out of the box and inheritance would have to be implemented separately. It could be Actions using Organization metadata or a third-party service. It does not look like an elegant solution. What are your recommendations here?

Cheers!

Hi @ysb.kanivtsi,

It sounds like you could achieve this by creating several roles. In cases where some users in a group have extra permissions, they can be assigned multiple roles (e.g. a base role with Permission.D and another role with Permission.E). Actions could automatically assign these roles based on Organization metadata as you’ve proposed. Let me know if you have additional questions!

https://auth0.com/docs/authorization/rbac/

Good idea. RBAC is quite powerful. At the same time, the number of roles assigned to a user is very small, so perhaps permissions will be more suitable. In both cases, Organization metadata should contain a list of roles/permissions enabled by default. Is there any way to store references to a role in Org metadata and prevent broken linkage in dynamic metadata once the role is renamed or updated?

Yes, you can add organization metadata in the Auth0 dashboard or by using the Management API:

curl --request POST \
  --url https://your_auth0_domain/api/v2/organizations \
  --header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/json' \
  --data '{
    "name": "ORG_NAME",
    "display_name": "ORG_DISPLAY_NAME",
    "branding": {
      "logo_url": "ORG_LOGO",
      "colors": {
        "primary": "ORG_PRIMARY_COLOR",
        "page_background": "ORG_PAGE_BACKGROUND"
      }
    },
    "metadata": {
      "KEY_1": "VALUE_1",
      "KEY_2": "VALUE_2"
    }
  }'

This data can be accessed in an action with event.organization.metadata.

Here is more information about RBAC in organizations:

Sounds interesting. There are hundreds of permissions that control access to the features. Enabling each role per user does not sound comfortable here. We’d like to set a dozen roles enabled by default for all organization members (even new ones) and still be able to add overrides per user. Ten roles per organization won’t be sufficient for this case. Is it possible to find some workaround?

Would it be possible to group permissions together into roles for your use case? That would likely be the simplest way to implement this. If you would still have too many roles even with grouping, you may need to assign permissions to users instead. Or you could use a combination and assign a role that has several base permissions, and then assign permissions individually when needed.

Just received additional information about organization roles. Within the context of organizations, you can only assign roles, not individual permissions. This means the permissions would need to be grouped by role for this use case.
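As an added example (not code from this thread or from Auth0), a Post-Login Action in JavaScript that derives a member's effective roles from the organization's metadata plus per-user app_metadata overrides and exposes them as a custom claim; the metadata key default_roles, the role_overrides shape and the claim namespace are constructed for this example.

```javascript
// Added example, not from the thread or from Auth0.
// Assumptions (constructed): organization metadata holds
//   "default_roles": "Role.D,Role.E"      (comma-separated, since metadata values are strings)
// and a user's app_metadata may hold
//   "role_overrides": { "add": ["Role.E"], "remove": ["Role.A"] }

const CLAIM_NAMESPACE = 'https://example.com/roles'; // constructed claim name

// Split the comma-separated metadata value into a trimmed, de-duplicated list.
function parseRoleList(value) {
  if (typeof value !== 'string') return [];
  return [...new Set(value.split(',').map((s) => s.trim()).filter(Boolean))];
}

// Effective roles = organization defaults + per-user additions - per-user removals.
// Removals are applied last so an explicit per-user deny always wins over a default.
function resolveEffectiveRoles(orgMetadata = {}, appMetadata = {}) {
  const defaults = parseRoleList(orgMetadata.default_roles);
  const overrides = (appMetadata && appMetadata.role_overrides) || {};
  const add = Array.isArray(overrides.add) ? overrides.add : [];
  const remove = Array.isArray(overrides.remove) ? overrides.remove : [];
  const effective = new Set([...defaults, ...add]);
  for (const role of remove) effective.delete(role);
  return [...effective].sort();
}

// Post-Login Action entry point: event.organization.metadata and
// api.accessToken.setCustomClaim are part of the Actions API.
const onExecutePostLogin = async (event, api) => {
  if (!event.organization) return; // login outside an organization: no org defaults apply
  const roles = resolveEffectiveRoles(event.organization.metadata, event.user.app_metadata);
  api.accessToken.setCustomClaim(CLAIM_NAMESPACE, roles);
};

// Register the handler the way an Action expects when pasted into the editor.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```

Storing role IDs rather than role names in the metadata list avoids the broken-reference problem raised earlier in the thread, because a role's name can be edited while its ID stays fixed.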

Hi @ysb.kanivtsi,

Could you please send me your tenant’s name in a private message so that I can take a look at your configurations via our internal tools?

Thank you!