Permissions, Privileges, and Scopes

What is the difference between permissions, privileges, and scopes in the authorization context? Let’s find out together.

Brought to you by @andrea.chiarelli

Have you heard about these concepts? Have you tried them? Share your comments, thoughts, and experiences in the comments!

Thank you so much for explaining this. This has always confused me, but now I’m clear. Where would roles fit in with these?

Have you had a chance to check out our docs on that front?

Hi @mdesappa,
Welcome to the Auth0 Community!

Roles are collections of permissions. Instead of assigning N specific permissions to M users, you can simply assign them a role.
Roles are a convenient way to simplify permission assignments.


Well written article. Thank you.

Thank you! And welcome to the Auth0 Community!

Is it possible to have a scope that maps to multiple permissions, in the same way that Auth0 roles map to permissions?

Example use case:
Given the resources orders and customers, there would be permissions such as orders:read, orders:write, orders:create, customers:read, customers:delete, etc.

If I want to use scopes (roles):

  • orders_admin - All orders:* permissions
  • reader - All *:read permissions

Where should the mapping occur?
Ideally, the role scopes would result in an Access Token containing the authorized user’s fine-grained permissions.

Can I do this in Auth0?

Let’s break the question down into different levels.

At the OAuth level, scopes are just strings. The meaning of those strings is assigned by the user and the resource server. In other words, it’s up to you how to map a scope to a permission in practice.

Conceptually, a scope is what an application wants to do, while a role represents what a user/application can do. The goal of a scope is to restrict what an application can do on behalf of a user. For this reason, they are mapped to the permissions a user can have, to give the most granularity in granting a permission. If I understand correctly, what you want to do is the opposite of what scopes were intended to do.
As far as I know, OAuth does not allow mapping between scopes and sets of permissions.

Accordingly, Auth0 allows you to define permissions in an API definition and implicitly map them to the corresponding scopes. This is a one-to-one mapping.

This does not prevent you from defining scopes that the resource server (and the user) interprets as a set of permissions. For example, you can create a scope and an associated read:all permission that the resource server interprets as permission to read any resource. Again, the final meaning of a permission is up to the user and the resource server.

In summary, you can’t define an explicit mapping between a scope and a set of permissions. You can define a scope that maps to a permission that the resource server can interpret as a combination of permissions.

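The two layers described in the reply above, as an added worked example (this is not code from the thread, nor from Auth0’s SDKs): roles expand into individual permissions when the token is issued, and the resource server decides what a permission string such as read:all means when it checks the token. The role names, the API identifier and the token payloads are constructed for illustration, and the code assumes the access token’s signature has already been verified before its payload reaches these functions.

```javascript
// Added example (not from the original thread or from Auth0's own SDKs).
// Layer 1: roles are collections of permissions; at token issuance they expand
//          into the individual permissions the user holds.
// Layer 2: the resource server decides what a scope/permission string means, so
//          it may treat an umbrella permission like "read:all" as "any <resource>:read".
// Assumptions: the decoded payload has already been signature-verified, carries an
// `aud` claim, and has either a space-separated `scope` string (plain OAuth) or a
// `permissions` array (Auth0 adds this when RBAC is enabled for the API).
// Role names, permission strings and the API identifier are hypothetical.

const ROLE_PERMISSIONS = {
  orders_admin: ["orders:read", "orders:write", "orders:create"],
  reader: ["read:all"],
};

// Expand a user's roles into a de-duplicated, sorted permission list
// (what the authorization server would place into the token).
function expandRoles(roles, roleMap = ROLE_PERMISSIONS) {
  const perms = new Set();
  for (const role of roles) {
    for (const p of roleMap[role] || []) perms.add(p);
  }
  return [...perms].sort();
}

// Collect what the token actually grants: `permissions` and `scope` are both
// just strings at the OAuth level, so merge them into one set.
function grantedPermissions(payload) {
  const fromPermissions = Array.isArray(payload.permissions) ? payload.permissions : [];
  const fromScope = typeof payload.scope === "string"
    ? payload.scope.split(/\s+/).filter(Boolean)
    : [];
  return new Set([...fromPermissions, ...fromScope]);
}

// Resource-server interpretation of a required permission: exact match first,
// then the single umbrella this API chooses to honour ("read:all" covers any
// "<resource>:read"). No other wildcard is honoured, so a stray "orders:*"
// string in a token grants nothing.
function permits(granted, required) {
  if (granted.has(required)) return true;
  const idx = required.indexOf(":");
  if (idx === -1) return false;
  const action = required.slice(idx + 1);
  return action === "read" && granted.has("read:all");
}

// Full check: the token must have been issued for this API (aud) before its
// permissions mean anything here; only then is the required permission tested.
function authorize(payload, apiIdentifier, required) {
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(apiIdentifier)) {
    return { allowed: false, reason: "token not issued for this API" };
  }
  if (!permits(grantedPermissions(payload), required)) {
    return { allowed: false, reason: `missing permission ${required}` };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample payloads (decoded; signature verification assumed done).
const API = "https://orders.example.com"; // hypothetical API identifier
const readerToken = { aud: API, permissions: expandRoles(["reader"]) };
const adminToken = { aud: API, scope: "orders:read orders:write orders:create" };
const wrongAudToken = { aud: "https://other.example.com", permissions: ["read:all"] };

console.log(authorize(readerToken, API, "customers:read"));   // allowed via read:all
console.log(authorize(readerToken, API, "orders:write"));     // denied
console.log(authorize(adminToken, API, "orders:write"));      // allowed, exact match
console.log(authorize(wrongAudToken, API, "orders:read"));    // denied, wrong audience
```

The audience check comes first on purpose: a token minted for a different API may legitimately carry a permissions claim with the same strings, and those strings carry no authority for this resource server. Likewise the umbrella interpretation is a deliberate, narrow choice made by the resource server; it is not something the OAuth layer or the token itself expresses.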

Thank you @andrea.chiarelli

Auth0 allows you to define permissions in an API definition and implicitly map them to the corresponding scopes. This is a one-to-one mapping.

This is the point I was missing. The entire response is clear and very helpful.

Thank you
-Darren
