Role-Based Access Control authorization feature launched for all customers
When it comes to access control, Auth0 provides the “Auth0 Authorization extension” for implementing authorization policies. This extension, though fully featured, has limits on the number of groups and users it can handle because of the limited webtask storage it relies on. To address this, Auth0 is starting the process of moving the extension's features into core platform features. The first step in this process is the introduction of RBAC.
With RBAC, access control is managed at a level that corresponds closely to the roles a user plays at the application level. Simply put, you define permissions on your APIs, group them into functional roles, and then assign each user one or more roles. Access decisions for an API are then based on the roles the individual user holds in your application.
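The model above (permissions defined per API, roles bundling permissions, users holding roles, and an audit view of effective privileges) as a small added illustration in Python; this is not Auth0's code, and the API identifiers, role names, permissions and users are constructed sample data.

```python
# Constructed illustration of the RBAC model: permissions belong to an API,
# roles bundle permissions, users hold roles, decisions derive from roles.
# API identifiers, role names, permissions and users below are hypothetical.
from collections import defaultdict

API_PERMISSIONS = {
    "https://inventory.example/": {"read:items", "write:items", "delete:items"},
    "https://billing.example/": {"read:invoices", "issue:refunds"},
}
ROLES = {}       # role name -> {api identifier: set(permissions)}
USER_ROLES = {}  # user id   -> set(role names)


def define_role(name, grants):
    """Create a role; refuse permissions that are not defined on the target API."""
    for api, perms in grants.items():
        unknown = set(perms) - API_PERMISSIONS.get(api, set())
        if unknown:
            raise ValueError(f"{name}: {sorted(unknown)} not defined on {api}")
    ROLES[name] = {api: set(perms) for api, perms in grants.items()}


def assign_roles(user, *role_names):
    """Attach roles to a user; unknown roles are an error, not silently ignored."""
    missing = set(role_names) - set(ROLES)
    if missing:
        raise KeyError(f"unknown roles: {sorted(missing)}")
    USER_ROLES.setdefault(user, set()).update(role_names)


def effective_permissions(user):
    """Audit view: union of permissions over all the user's roles, keyed by API."""
    result = defaultdict(set)
    for role in USER_ROLES.get(user, set()):
        for api, perms in ROLES[role].items():
            result[api] |= perms
    return dict(result)


def is_authorized(user, api, permission):
    """Access decision: allowed only if some role grants the permission on that API."""
    return permission in effective_permissions(user).get(api, set())


# Sample setup (constructed): two inventory roles and one billing role.
define_role("viewer", {"https://inventory.example/": {"read:items"}})
define_role("editor", {"https://inventory.example/": {"read:items", "write:items"}})
define_role("finance", {"https://billing.example/": {"read:invoices"}})
assign_roles("alice", "editor", "finance")
assign_roles("bob", "viewer")
```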
Key features of RBAC:
- Create a systematic, repeatable assignment of permissions
- Easily audit user privileges and correct identified issues
- Quickly add and change roles, as well as implement them across APIs
- Integrate third-party users by giving them predefined roles
- Effectively comply with regulatory and statutory requirements
To learn more, you can find the documentation here: https://auth0.com/docs/authorization
Notes for Auth0 Authorization Extension users:
The Authorization extension will co-exist with the new RBAC and is completely independent. However, only one approach can be used for access control. To activate the RBAC settings in the core platform, you must stop using the Authorization Extension. Groups are not yet part of the new RBAC release, so please keep this in mind before you decide to migrate.
What if I need groups?
If groups are needed, you can use the Auth0 Authorization extension. Note: You can only use one approach for access control: either the Authorization extension or RBAC. However, be aware of the limits on the number of groups that Auth0 can support with webtask storage.
For the new RBAC, groups are currently part of the roadmap. To stay tuned for our upcoming beta programs, please connect with us in the Auth0 community.
RBAC is a core platform feature and is available for all Auth0 customers and plans. To enable RBAC and begin using it, please follow the instructions here.