Auth0 Home Blog Docs

Provisioning automatically roles to users for authorization extension ?



I would like to first store a mapping of the roles of my users on a JSON file and using this to populate the right role to my users on every login, what would be the recommended way to achieve this?

It looks like on solution could be to use the Github deployment extension to store my rule and the mapping file. The rule would be similar to the “Set Roles To A User” except loading data from a file.

Would that be a recommend way to do this ? Is there something easier that I’m missing?

Update (follow-up to @jmangelo answer)

I see the confusion there. Thanks for pointing the possible overlap, for some odd reasons I was thinking assigning the roles to a user with a rule would end up updating the source of truth whereas it is just decoration of the user profile.

So my use case is effectively a mix of #1 and #2 (I need to dynamically be able to provision new users), I also want to minimize a little bit the number of system people need to manually enter information to provision a new user. So ideally my json file would be used as the source of truth… given roles and permission of people evolve, I want to be able to sync that easily to the authorization extension data rather than going through a UI. (we need to provision other access at the same time, so it is not practical to have people logging into 5 systems and add piecemeal information for every user)

I guess I could use the as a blueprint to synchronize the information from the json file to the auth extension and run it each time we have a change to keep the authz extension data in sync.


If you chose to use the authorization extension then that should be the source of truth for user role information. More specifically, if at every login you update the roles of a user based on external source (the file you mentioned) than this would be redundant and possibly confusing if at the same time the authorization extension is also used.

I would consider the following scenarios if you really want to make use of the authorization extension.


If all your users are already created in Auth0 and you have their role information in an external system then install the authorization extension, enable the authorization extension API and write a migration tool/script that migrates the role information from your external system to the extension in one go.

After the initial migration, new users can be assigned default roles and managing roles of existing users implies doing it through the extension (either through the UI or the API).


If you can’t do the migration in one go because some users will only get created in Auth0 when they actually perform a new login then install the extension, enable the extension API, migrate the information for every user that already exists and then implement a rule that when a user logins and role information was not yet migrated for this user then the rule performs a request to your external system, obtains the roles and uses the extension API to automatically initialize the user roles.

The above scenarios mention an external system where the existing information about user roles is located. Although this could be as simple as a JSON file, have in mind that for the second scenario rules won’t be able to load data directly from a file. You would need to proxy access to that information through an HTTP API that could be called by the rule.


If you want to treat the external system (JSON file) as the source of truth the recommendation would be to use the Authorization extension API to automatic sync the extension data upon change of the external system. The sample extension you mention does use the API to automate loading of certain data so it would be indeed a similar scenario; the key part is to use the API to ensure that the data in the extension is synced with the external system in an automated way that would not required manual intervention.