Permissions assigned through RBAC do not match currently assigned roles

I have a Rule that assigns a default role to a user on their initial login. For some users, additional roles were granted after the initial login. The application/api is configured so permissions for assigned roles are automatically added to the access token. It looks like only permissions for the initial role are in the access token. If I look in the Rule the context.authorization.roles array contains only the initial role. If I look in an Action, the event.authrization.roles array contains only the initial role.

The initial role configuration seems to stick even if I delete all roles.

How do I get the access token generator to recognize the set of roles currently granted to the user?


Welcome to the Auth0 Community!

It looks like you’re encountering an error outlined here. Essentially, when you use the Management API from an Action to modify the current user, it updates the user’s profile but not the event object. This means any changes to the profile won’t be visible until the user logs in again.

One workaround for this scenario is to get the permissions at the same time you assign the user to the role. To do this, use the managementClient.users.getPermissions() method.

(Reference UsersManager | auth0)

Please let me know if you have any questions.


This could be part of the problem. What I’m seeing is the initial role is setup. I don’t know what that token looked like. After that, I can change roles and issue new tokens but the context.authorization.roles field does not change and the permissions in the access token do not change.

1 Like


Thanks for the reply.

I would assume that when you assign the initial role on the user’s first login, the initial token issued would not contain details about the user’s role or permissions until their subsequent login.

If you make any changes to the roles, you will need to issue a new token.

As mentioned previously, a workaround is to set the Roles and Permissions directly to the access token at the same time as a custom claim just to get around this issue.

Let me know if you need help with implementation.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.