I’m fairly new to Auth0 . I’ve setup some users in a database using user/password authentication, and use this to manage users in a java application. I’d like to prevent some users from being able to edit their app_metadata; that, or prevent them from logging in to the auth0.com website at all.
I think I need to create a role, and then create permissions for that role (that prevents editing of app_metadata?)? And then i assume assign this role to users?
- Is that correct?
- Is editing of app_metadata an API permission or is it a management api permission?
- When i create a new role, and select my API, no permissions actually show up in the dialog - what am I missing?
In reality, I’d like to simply create 2 groups of users, “users” and “admins” - those “users” are not able to change anything about their account (read only).
Would appreciate any help. Thanks.
Hi there @nartz1 and welcome to the Auth0 Community!
From what I gather from your writing below you are looking to leverage multiple role types, which RBAC (Role Based Access Control) would be perfectly suited for passing out tiered privileges. I have shared the doc below that dives into that. Please give it a look and let me know if you have any questions. Thanks!
Thanks for this response. It does seem like RBAC is what i need, however, i’m confused about what rules and permissions to actually create, and also how to do that.
To simplify, I want to prevent users associated with a ‘role’, call it “basic-users-role”, from being able to log in to auth0.com.
- Is this a permission or rule I have to create on the “management api”, or a different api?
- What does the “rule” look like? Do i have to create a custom rule, that looks for the role associated with a user, and if the user is in that role, then somehow deny management api access i.e. return 404 or something?
Any more clarity or detail would be helpful here, thanks.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.