Permissions, Privileges, and Scopes

robertino.calcaterra · December 1, 2021, 7:21pm

What is the difference between permissions, privileges, and scopes in the authorization context? Let’s find out together.
Read more…

Brought to you by @andrea.chiarelli

robertino.calcaterra · December 1, 2021, 7:24pm

Did you hear about these concepts? Did you try them? Share your comments, thoughts, experiences in the comments!

mdesappa · November 24, 2022, 8:37am

Thank you so much for explaining this. This has always confused me, but now i’m clear. Where would roles fit in these ?

konrad.sopala · November 24, 2022, 10:29am

Have you had a chance to check out our docs on that front?

andrea.chiarelli · November 24, 2022, 3:23pm

Hi @mdesappa,
Welcome to the Auth0 Community!

Roles are collections of permissions. Instead of assign N specific permissions to M users, you can simply assign them a role.
They are a convenient way to simplify permission assignments.

amanda_vz · April 26, 2023, 11:47am

Well written article. Thank you.

andrea.chiarelli · April 26, 2023, 12:37pm

Thank you! And welcome to the Auth0 Community!

darrenk · May 3, 2024, 4:40pm

Is it possible to have a scope that maps to multiple permissions, in the same way that Auth0 roles map to permissions?

Example use case:
Given the resources - orders, customers - there would be permissions - orders:read, orders:write, orders:create, customers:read, customers:delete, etc.

If I want to use scopes (roles):

orders_admin - All orders:* permissions
reader - All *:read permissions

Where should the mapping occur?
Ideally the roles scopes would result in an Access Token with the authorized user’s fine-grained permissions.

Can I do this in Auth0?

andrea.chiarelli · May 6, 2024, 8:41am

Let’s break the question down into different levels.

At the OAuth level, scopes are just strings. The meaning of those strings is assigned by the user and the resource server. In other words, it’s up to you how to map a scope to a permission in practice.

Conceptually, a scope is what an application wants to do, while a role represents what a user/application can do. The goal of a scope is to restrict what an application can do on behalf of a user. For this reason they are mapped to the permissions a user can have: to have the most granularity in granting a permission. If I correctly understand, what you want to do is the opposite of what scopes were intended to do.
As far as I know, OAuth does not allow mapping between scopes and sets of permissions.

Accordingly, Auth0 allows you to define permissions in an API definition and implicitly map them to the corresponding scopes. This is a one-to-one mapping.

This does not prevent you from defining scopes that the resource server (and the user) interprets as a set of permissions. For example, you can create a scope and an associated read:all permission that the resource server interprets as permission to read any resource. Again, the final meaning of a permission is up to the user and the resource server.

In summary, you can’t define an explicit mapping between a scope and a set of permissions. You can define a scope that maps to a permission that the resource server can interpret as a combination of permissions.

darrenk · May 6, 2024, 3:51pm

Thank you @andrea.chiarelli

Auth0 allows you to define permissions in an API definition and implicitly map them to the corresponding scopes. This is a one-to-one mapping.

This is the point I was missing. The entire response is clear and very helpful.

Thank you
-Darren