I am currently building a single-tenant, on-premises application for a number of customers.
The idea is currently to give each tenant their own auth0 client and database, where I have ownership of the auth0 account.
It is a requirement that users should not be able to sign up, but user admins within a tenant application will have their own user management module, where they can CRUD users.
First idea was to use the “Auth0 Management API v2” to allow for user management, but on further inspection it seems like the management module only works across all connections.
Even if I put logic into the tenant server so that a user will not be able to CRUD users outside his/her own tenant, it seems very insecure that the on-premises server has the client credentials to read all users across all tenants?
Given that you would be deploying the full application within the premises of each customer, I would agree with your observation that the need to include the client credentials configuration would be an issue and a great risk, so you should consider other options.
Having the user management in infrastructure that is outside the control of the individual tenants would solve the client credentials issue, so implementing a central user management application that is not deployed on-premises would always be a valid solution, although with some effort involved.
Another option is to evaluate the use of the Auth0 Delegated Admin extension. This seems tailored to the scenario at hand and is flexible enough to be configured (see the configure hooks section) in such a way that certain users can only manage users belonging to an associated connection.
The Delegated Administration extension allows you to expose the Users Dashboard to a group of users, without having to give them access to the dashboard itself.
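As an added example, not code from the question, the answer, or Auth0's own extension: the three hooks below show how the Delegated Administration extension's configurable hooks can pin a delegated admin to a single connection, which is the per-tenant scoping the answer describes. The hooks follow the extension's `function(ctx, callback)` shape (acting admin in `ctx.request.user`, target user or new-user form in `ctx.payload`); the `app_metadata.tenant_connection` attribute, the sample users and the `runHook` harness are assumptions of this example, not anything Auth0 defines.

```javascript
// Added example (not from the original post): Delegated Administration hooks
// that scope a delegated admin to one connection. Assumed conventions: the
// admin's connection is stored in app_metadata.tenant_connection (a naming
// choice of this example); hooks are invoked as function(ctx, callback).

// Connection names are checked against a conservative character set before
// being interpolated into a Lucene query, so a crafted value in app_metadata
// cannot widen the search filter to other tenants.
const CONNECTION_NAME = /^[A-Za-z0-9_-]+$/;

function adminConnection(ctx) {
  const user = (ctx.request && ctx.request.user) || {};
  const conn = (user.app_metadata || {}).tenant_connection;
  return typeof conn === 'string' && CONNECTION_NAME.test(conn) ? conn : null;
}

// Filter hook: the query returned here is appended to every user search the
// extension performs, so the admin only ever lists users of their own connection.
function filterHook(ctx, callback) {
  const conn = adminConnection(ctx);
  // Fail closed: an admin with no (or a malformed) connection assignment sees nobody.
  if (!conn) return callback(null, 'identities.connection:"__no_connection__"');
  return callback(null, 'identities.connection:"' + conn + '"');
}

// Access hook: runs before every per-user action (read, delete, block,
// reset password, ...). Deny unless every identity of the target user belongs
// to the admin's connection.
function accessHook(ctx, callback) {
  const conn = adminConnection(ctx);
  const target = (ctx.payload && ctx.payload.user) || {};
  const identities = Array.isArray(target.identities) ? target.identities : [];
  const allowed = conn !== null && identities.length > 0 &&
    identities.every(function (id) { return id.connection === conn; });
  if (!allowed) return callback(new Error('You can only manage users in your own connection.'));
  return callback();
}

// Create hook: builds the user object sent to the Management API. The
// connection comes from the admin's assignment, never from the submitted form,
// so a delegated admin cannot create users in another tenant's connection.
function createHook(ctx, callback) {
  const conn = adminConnection(ctx);
  if (!conn) return callback(new Error('No connection assigned to this admin.'));
  const form = ctx.payload || {};
  return callback(null, {
    email: form.email,
    password: form.password,
    connection: conn,
    email_verified: false,
    app_metadata: { tenant_connection: conn }
  });
}

// Local harness (not part of the extension): invokes a hook synchronously and
// returns { err, result } so the behaviour can be exercised offline.
function runHook(hook, ctx) {
  let out = { err: null, result: undefined };
  hook(ctx, function (err, result) { out = { err: err || null, result: result }; });
  return out;
}

// Constructed sample data for the demo.
const tenantAAdmin = { user: { email: 'admin@a.example', app_metadata: { tenant_connection: 'tenant-a' } } };
const tenantAUser = { user_id: 'auth0|1', identities: [{ connection: 'tenant-a', provider: 'auth0' }] };
const tenantBUser = { user_id: 'auth0|2', identities: [{ connection: 'tenant-b', provider: 'auth0' }] };

function demo() {
  return {
    filter: runHook(filterHook, { request: tenantAAdmin }).result,
    ownUser: runHook(accessHook, { request: tenantAAdmin, payload: { action: 'delete:user', user: tenantAUser } }).err,
    otherUser: runHook(accessHook, { request: tenantAAdmin, payload: { action: 'delete:user', user: tenantBUser } }).err,
    created: runHook(createHook, { request: tenantAAdmin, payload: { email: 'u@a.example', password: 'S3cret!x', connection: 'tenant-b' } }).result
  };
}

console.log(JSON.stringify(demo(), function (k, v) { return v instanceof Error ? v.message : v; }, 2));
```

Each hook fails closed: an admin without a well-formed `tenant_connection` gets an empty search, is denied every per-user action, and cannot create users, which is the safer default when the admin's own record is misconfigured. The create hook also ignores any `connection` field submitted by the dashboard form, so the only way to land a user in another tenant's connection is to change the admin's `app_metadata`, which the admin cannot do from the extension.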