Question about API security and preventing user from accessing another user's data

Forgive me but I’m very new to auth0 concepts and trying to figure something out.

I can see how to use RBAC to secure access to static API endpoints based on a user’s role.

But the problem I’m trying to solve is to secure an API to prevent user 1 from accessing user 2’s data. For example, user 1 should not be able to get /resource/ even if they are logged in properly.

Since the UUID is a path parameter of our api, how can I authorize a given user to only access their data, at the API level? I’ve read about API permissions, and can certainly create a permission for this use case, but I’m not sure how the permission is mapped to the specific route involving a path parameter for the user.

Thanks!

Hi @michael33,

Welcome to the Auth0 Community!

Thank you for posting your question. I need to do more research regarding your topic, but have you tried checking out FGA? It seems like it can be beneficial for this kind of context with fine-grained authorization for roles at group-based access.

Let me know what you think about FGA.

Thanks
Dawid

Thanks for your answer. I did bump into FGA but was not sure whether I’d need to “go there” for my answer

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.