Organizations + Custom RBAC Roles

Hi, what’s the best practice for organizations + custom RBAC roles?

In Auth0, Roles seem to be a “global” concept. You query and list all roles. However, lots of platforms allow tenants/organizations to create their own custom roles. What’s the Auth0 way to do this? One way I thought to do this is to have roles conform to a naming convention, but that seems like a slippery slope. Is there a better way to do this?

1 Like

Looking for the same..

The only solution I can come up with for now is to store custom roles in the organization metadata '{ "role1": ["permission1", "permission2"] }' - then also store the assigned roles on the user metadata: '{ "org1_roles": [ "role1" ] }' - and finally use a custom action to flatten the permissions based on the user roles.

Surely this should just be supported out of the box though? Or otherwise there should be a less hacky approach? @Auth0
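
An added example, not part of the original posts and not Auth0's own code: a post-login Action that flattens per-organization roles into a permissions claim, as the workaround above describes. It assumes the role map is stored as JSON strings in organization metadata, that assignments live in app_metadata (rather than user_metadata, which is meant for user-editable attributes) under a hypothetical "<organization name>_roles" key, and a placeholder claim namespace.

```javascript
// Added example: Auth0 post-login Action for the metadata workaround above.
// Assumptions: key naming "<org name>_roles", app_metadata as the store for
// assignments, and the claim name below (a placeholder namespace).
const CLAIM = "https://example.com/permissions";

// Organization metadata values are strings, so accept a JSON string or an array.
function asStringList(value) {
  let v = value;
  if (typeof v === "string") {
    try { v = JSON.parse(v); } catch { return []; } // malformed => grants nothing
  }
  return Array.isArray(v) ? v.filter((x) => typeof x === "string") : [];
}

// Union of permissions for roles that are both assigned to the user and
// defined by this organization. Unknown role names grant nothing.
function flattenPermissions(orgMetadata, userMetadata, orgName) {
  const roles = asStringList((userMetadata || {})[`${orgName}_roles`]);
  const defined = orgMetadata || {};
  const perms = new Set();
  for (const role of roles) {
    // Own-property check avoids matching inherited keys such as "constructor".
    if (!Object.prototype.hasOwnProperty.call(defined, role)) continue;
    for (const p of asStringList(defined[role])) perms.add(p);
  }
  return [...perms].sort();
}

async function onExecutePostLogin(event, api) {
  if (!event.organization) return; // no organization context: add no claim
  const perms = flattenPermissions(
    event.organization.metadata,
    event.user.app_metadata,
    event.organization.name
  );
  api.accessToken.setCustomClaim(CLAIM, perms);
}
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;
```

Roles assigned to a user but not defined in the current organization's metadata contribute nothing, so an assignment left over from another organization cannot leak permissions into this one.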

Hi There!

Thank you for posting your question, and thank you @rsoe for bringing this workaround to the table. I’ve checked internally and there’s no out-of-the-box solution to solve this issue, unfortunately. However, I would encourage you to open a new thread in the Product Feedback category explaining your use case. If the thread becomes popular among other community members, our product team will evaluate the idea.

Just to set expectations—while feature requests are reviewed periodically, there’s no guaranteed timeline for when (or if) something like this would be implemented in production, as it depends on factors like demand, security implications, and broader roadmap priorities.

Thanks!
Dawid