Role assignment with resource filters

Hello,

I have seen Kim Maida’s posts on RBAC and the Authorization extension. I wanted to know if Auth0 is considering the use case of resource filtering.

Specifically, let’s say a group of users has the role Device Operator, but only for devices with a classification of xyz. In this case, I would like to store an opaque “filter string” with the assignment, which is made available at the time of authorization (in a rule context or token).

Then the resource service can use this filter to further restrict which devices a user in that group will be allowed to access.

Thanks

1 Like
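The resource-service side of the idea in the post above, as an added example that is not part of the original thread and not Auth0 code. It assumes the claims come from an access token whose signature has already been verified; the claim name and the `key=value;key=value` filter syntax are hypothetical, since the post leaves the filter opaque.

```javascript
// Hypothetical namespaced claim carrying role assignments; not an Auth0 feature.
const CLAIM = 'https://example.com/role_assignments';

// Parse "key=value;key=value" into a Map. Returns null on anything malformed
// (empty part, wildcard, duplicate key) so that callers fail closed.
function parseFilter(filter) {
  const conds = new Map();
  for (const part of filter.split(';')) {
    const m = /^([a-z_]+)=([A-Za-z0-9_-]+)$/.exec(part.trim());
    if (!m || conds.has(m[1])) return null;
    conds.set(m[1], m[2]);
  }
  return conds;
}

// True only if some assignment grants `role` and its filter matches `device`.
function isAllowed(claims, role, device) {
  const assignments = claims && claims[CLAIM];
  if (!Array.isArray(assignments)) return false; // no assignments: deny
  return assignments.some((a) => {
    if (!a || a.role !== role) return false;
    // Assumption: an assignment stored without a filter covers every device.
    if (a.filter === undefined) return true;
    if (typeof a.filter !== 'string') return false;
    const conds = parseFilter(a.filter);
    if (conds === null) return false; // unreadable filter never widens access
    for (const [key, value] of conds) {
      const own = Object.prototype.hasOwnProperty.call(device, key);
      if (!own || device[key] !== value) return false;
    }
    return true;
  });
}

// Restrict a device listing to what the caller's assignments permit.
function visibleDevices(claims, role, all) {
  return all.filter((d) => isAllowed(claims, role, d));
}

// Constructed sample data: decoded claims and two devices.
const claims = {
  sub: 'user-1',
  [CLAIM]: [{ role: 'Device Operator', filter: 'classification=xyz' }],
};
const devices = [
  { id: 'd1', classification: 'xyz' },
  { id: 'd2', classification: 'abc' },
];
console.log(visibleDevices(claims, 'Device Operator', devices).map((d) => d.id)); // [ 'd1' ]
```
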

Hey there,

As far as I know, it’s not doable as of now using our stack, unfortunately. I would highly suggest filing a feature request to our product managers using our product form:

Thanks @konrad.sopala. I will do that.

1 Like

Thanks! The more people we have advocating for a certain feature and filing feature requests, the more likely that feature will get implemented.

If you’d like to vote, feature request for this is at: Role assignments with a resource filter

Thanks for sharing the link with the rest of the community!

While the resource-filter might not be the only approach to this, the use-case in itself seems so obvious that it’s actually shocking it’s not achievable in the current state of the art of Auth0 (and it’s been a while now).

Some use-cases:

  • Facebook-like groups / pages management. A user is owner of a group, some others are admin — with specific permissions, moderators. Some users are simple consumers.
  • Google Drive-like file management. A user (or a domain) is owner of a file, some others are editors, some others are readers
  • Auth0 backoffice itself: a user can be superadmin of a tenant, and simple admin of another

In any of those use-cases, the topic remains the same: a role is tightly coupled with a “resource instance” and not only a “resource type”. That’s what is called a “relation” on that post and others about the same topic.

NB: Please note that there is a common confusion and misuse of language out there with the term “resource”. Browsing the web about that topic, using “resource” is sometimes related to the “resource type” (Dogs), sometimes to the “resource instance” (Dog with id: 1234). We’re talking here about “resource instance”.

3 Likes