Question about API security and preventing user from accessing another user's data

Forgive me but I’m very new to auth0 concepts and trying to figure something out.

I can see how to use RBAC to secure access to static API endpoints based on a user’s role.

But the problem I’m trying to solve is to secure an API to prevent user 1 from accessing user 2’s data. For example, user 1 should not be able to get /resource/ even if they are logged in properly.

Since the UUID is a path parameter of our api, how can I authorize a given user to only access their data, at the API level? I’ve read about API permissions, and can certainly create a permission for this use case, but I’m not sure how the permission is mapped to the specific route involving a path parameter for the user.

Thanks!
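One way to do the check the question asks about, as an added example that is not from this thread or from Auth0's own code: the RBAC permission gates the route as a coarse check, and a second, object-level check compares the resource's owner with the `sub` claim of the already verified access token. The in-memory store, the permission name `read:resource`, the resource ids and the decoded claims are all constructed for the example.

```javascript
'use strict';

// Constructed in-memory store: resource id (the path parameter) -> owner's "sub" claim.
const RESOURCES = new Map([
  ['1c5b6e2a-0000-4000-8000-000000000001', { ownerSub: 'auth0|alice', body: 'alice data' }],
  ['1c5b6e2a-0000-4000-8000-000000000002', { ownerSub: 'auth0|bob', body: 'bob data' }],
]);

// Assumed name of the API permission configured for this route in Auth0 RBAC.
const REQUIRED_PERMISSION = 'read:resource';

// Decide whether the caller described by `claims` (a decoded, signature-verified
// access token, as a JWT middleware would attach to the request) may read the
// resource named by the path parameter. Returns { status, body } like an HTTP handler.
function authorizeResourceRead(claims, resourceId, store = RESOURCES) {
  // 1. Coarse check: the role-based permission carried in the token's "permissions" claim.
  const perms = Array.isArray(claims.permissions) ? claims.permissions : [];
  if (!perms.includes(REQUIRED_PERMISSION)) {
    return { status: 403, body: { error: 'insufficient_permission' } };
  }

  const resource = store.get(resourceId);
  if (!resource) {
    return { status: 404, body: { error: 'not_found' } };
  }

  // 2. Object-level check: ownership is compared against the token's subject,
  //    never against a user id the client supplies in the path, query or body.
  if (resource.ownerSub !== claims.sub) {
    // Returning 404 here instead would also hide whether the resource exists.
    return { status: 403, body: { error: 'forbidden' } };
  }

  return { status: 200, body: { id: resourceId, data: resource.body } };
}

// Constructed decoded-token claims for three callers.
const ALICE = { sub: 'auth0|alice', permissions: ['read:resource'] };
const BOB = { sub: 'auth0|bob', permissions: ['read:resource'] };
const NO_PERM = { sub: 'auth0|carol', permissions: [] };
```

With this, user 2 holding the same `read:resource` permission as user 1 still gets 403 on user 1's resource, because the permission only says "may read resources" while the ownership comparison says which ones.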

Hi @michael33,

Welcome to the Auth0 Community!

Thank you for posting your question. I need to do more research regarding your topic, but have you tried checking out FGA? It seems like it can be beneficial for this kind of context with fine-grained authorization for roles at group-based access.

Let me know what you think about FGA.

Thanks
Dawid

Thanks for your answer. I did bump into FGA but was not sure whether I’d need to “go there” for my answer :)

