We have a permissions/roles use case we’d like to implement, but are not clear how to design using Auth0. Let me outline the use case:
- We have a front end application that connects to a back end via APIs.
- We have multiple features in the application; those features each require their own set of permissions. For example: Read/Write Inventory, Read/Write Orders.
- We have multiple customers, each with their own set of data. It's not quite multi-tenant, but in general, the tenants' data are separate from each other.
- We have user logins, and each user can be assigned a role/group. Permissions can roll up to various roles and roles can roll up into groups.
- When a user logs in, login is delegated to Auth0, which assigns a JWT token. The token may contain the roles, and the back end can determine permissions via Auth0 from the roles. The permissions can then drive what APIs are permitted for the user login.
- This is all pretty standard RBAC and OAuth.
- Here is where things get interesting. A user may have permissions over only some of the customer data. For example, User 1 might have some access to Customer A only, while User 2 might have access to Customer A and Customer B.
- Even more complicated, User 3 may have Read permissions for inventory to Customer A and write permissions to orders for Customer B.
- That is, there may be all sorts of permutations for permission access to different Customers.
How could we design this in Auth0? We do not want to create permissions for every single permutation of Customer and possible permission. That does not seem scalable nor practical. We had a couple of thoughts:
- Store Customer Ids that the user has access to in the user meta-data. This is somewhat helpful; however, this would not provide the flexibility to provide different fine-grained permissions for different Customers.
- Rules seem promising for this. Our thought is to maybe store additional data about the different customer access in an outside DB which is read by the rule and final permissions determined by the rule.
Any thoughts about this?
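One way to model the customer-scoped access described above, as an added example that is not from the original post or from Auth0: keep a small fixed set of roles per feature, assign roles per customer, and let the back end check `(customer, permission)` pairs against a single claim. The claim shape, the `app_metadata` placement and the function names are assumptions for illustration.

```javascript
// Added example: per-customer role assignments instead of one permission
// per (customer, permission) permutation. Assumed shapes:
//   roleDefinitions   : role -> [permissions]
//   userCustomerRoles : customerId -> [roles this user holds for that customer]

// Constructed role definitions for the features named in the post.
const roleDefinitions = {
  inventory_reader: ['inventory:read'],
  inventory_editor: ['inventory:read', 'inventory:write'],
  orders_reader: ['orders:read'],
  orders_editor: ['orders:read', 'orders:write'],
};

// Flatten the user's per-customer roles into one claim object
// (customerId -> sorted permission list). This is what a rule would copy
// from app_metadata (assumption) into a namespaced token claim.
function buildCustomerAccessClaim(defs, userCustomerRoles) {
  const claim = {};
  for (const [customerId, roles] of Object.entries(userCustomerRoles)) {
    const perms = new Set();
    for (const role of roles) {
      for (const p of defs[role] || []) perms.add(p); // unknown role grants nothing
    }
    claim[customerId] = [...perms].sort();
  }
  return claim;
}

// Back-end check: deny by default. A customer absent from the claim, or a
// permission absent for that customer, both resolve to "not allowed".
function isAllowed(claim, customerId, permission) {
  const perms = claim[customerId];
  return Array.isArray(perms) && perms.includes(permission);
}

// User 3 from the post: read inventory at Customer A, write orders at Customer B.
const user3Claim = buildCustomerAccessClaim(roleDefinitions, {
  A: ['inventory_reader'],
  B: ['orders_editor'],
});
```

Because the claim is keyed by customer, adding a customer or a role never requires a new permission definition; only the assignment data changes.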