Roles and permissions per application

Problem statement

How to assign different roles and permissions to the same user throughout separate applications within the tenant?


If you are trying to assign different roles to users based on which application they logged into. The current way to manage role-based access (RBAC docs) is with Authorization Core over Authorization Extension for the reasons explained here:

Yet, to group users under a set of permissions is not out-of-the-box for Core. However, you may use Actions or fine-grained roles for each API.
You can create all the roles for every application under the Dashboard > User Management > Roles tab, and change the role for each user every time they log in. See this example:

exports.onExecutePostLogin = async (event, api) => {
 api.accessToken.setCustomClaim(`${}/roles`, event.user.app_metadata.client_id.roles);
 api.idToken.setCustomClaim(`${}/roles`, event.user.app_metadata.client_id.roles);    

In the above Post Login Action example, we assume that each user has their role for each application explicitly in the app_metadata. So after each login, their role will change in the Access Token under a custom claim placed there.