I’m fairly new to Auth0. I’ve set up some users in a database using user/password authentication, and use this to manage users in a Java application. I’d like to prevent some users from being able to edit their app_metadata; that, or prevent them from logging in to the auth0.com website at all.
I think I need to create a role, and then create permissions for that role (that prevents editing of app_metadata?)? And then I assume assign this role to users?
Is that correct?
Is editing of app_metadata an API permission or is it a management api permission?
When I create a new role, and select my API, no permissions actually show up in the dialog - what am I missing?
In reality, I’d like to simply create 2 groups of users, “users” and “admins” - those “users” are not able to change anything about their account (read only).
Hi there @nartz1 and welcome to the Auth0 Community!
From what I gather from your writing below you are looking to leverage multiple role types, which RBAC (Role Based Access Control) would be perfectly suited for passing out tiered privileges. I have shared the doc below that dives into that. Please give it a look and let me know if you have any questions. Thanks!
Thanks for this response. It does seem like RBAC is what I need; however, I’m confused about what rules and permissions to actually create, and also how to do that.
To simplify, I want to prevent users associated with a ‘role’, call it “basic-users-role”, from being able to log in to auth0.com.
Is this a permission or rule I have to create on the “management api”, or a different api?
What does the “rule” look like? Do I have to create a custom rule that looks for the role associated with a user, and if the user is in that role, then somehow deny management API access, i.e. return 404 or something?
Any more clarity or detail would be helpful here, thanks.
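As an added example (not from the thread and not Auth0’s own code), here is what a Rule of the kind asked about in the last post could look like: it reads the user’s roles from `context.authorization.roles` and rejects the login with `UnauthorizedError` when a user holding the denied role tries to sign in to a protected application, so the user never receives a token for it. The role name “basic-users-role” comes from the post; the application name “Admin Console”, the role assignment through Auth0’s Authorization Core, and the local stand-in for the sandbox-provided `UnauthorizedError` are assumptions made so the file runs offline.

```javascript
// Added example: an Auth0 Rule that denies login for users holding a given role.
// Assumptions (not from the thread): roles are assigned via Auth0's Authorization
// Core so context.authorization.roles is populated, and the application to protect
// is identified by context.clientName. The Rules sandbox provides UnauthorizedError;
// a local stand-in is defined here so the file also runs outside Auth0.
const UnauthorizedError =
  globalThis.UnauthorizedError ||
  class UnauthorizedError extends Error {
    constructor(message) { super(message); this.name = 'UnauthorizedError'; }
  };

// Rule body in the shape Auth0 expects: function (user, context, callback).
// Only this function would be pasted into the Rule editor.
function denyRoleForApp(user, context, callback) {
  const DENIED_ROLE = 'basic-users-role';   // role name taken from the post
  const PROTECTED_APP = 'Admin Console';    // constructed application name

  // Fail safe: a missing authorization object means "no roles", not "skip the check".
  const roles = (context.authorization && context.authorization.roles) || [];

  if (context.clientName === PROTECTED_APP && roles.includes(DENIED_ROLE)) {
    // Fail closed: returning an error aborts the login and no token is issued.
    return callback(new UnauthorizedError('Access denied for role ' + DENIED_ROLE));
  }
  // Everyone else continues the login flow unchanged.
  return callback(null, user, context);
}

// Small harness that runs the rule against a constructed user/context and
// reports whether the login was 'denied' or 'allowed'.
function runRule(roles, clientName) {
  const user = { user_id: 'auth0|constructed-example', app_metadata: {} };
  const context = { clientName, authorization: roles ? { roles } : undefined };
  let outcome = null;
  denyRoleForApp(user, context, (err) => { outcome = err ? 'denied' : 'allowed'; });
  return outcome;
}

console.log(runRule(['basic-users-role'], 'Admin Console')); // denied
console.log(runRule(['admin'], 'Admin Console'));            // allowed
```

Denying per application keeps the same users able to log in to the Java application while shutting them out of the administrative one; denying on every login would lock them out everywhere.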