User's Access to Applications

Hi community,
@rueben.tiow @dan.woda @dawid.matuszczyk

I have a question related to the application access control.

According to my understanding, all users who belong to a connection that is enabled/configured for an application can access that application.
Please let me know if it's otherwise.
My scenario is that I have two applications: Application A and Application B.
My requirement is that I do not want users of Application A to be able to access Application B, and vice versa.

Hey @Aafreen_Khan !

This is correct. You could have a separate user store (connection) per application and only enable one for each application.

Alternatively, you could look into using a combination of RBAC and Actions. Essentially, in a Post Login Action you would want to check a user’s roles (event.authorization.roles) and then deny (api.access.deny) accordingly.

Lastly, the following doc outlines how to use an allow list based on user emails:

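The RBAC-plus-Actions approach described in the reply above, as an added example that is not code from this thread or from Auth0. It assumes a restricted application carries a `required_role` key (a hypothetical key name chosen for this example) in its Application Metadata, which Actions see as `event.client.metadata`, and that users receive that role through Auth0 RBAC so it shows up in `event.authorization.roles`. Applications without the key stay open, so onboarding a new application or a new user is a dashboard change rather than a code change. The decision logic is kept separate from the `api` object so it can be run offline against constructed events.

```javascript
// Added example (not from the original thread or Auth0's own code): a Post Login
// Action that gates each application by role instead of a hard-coded e-mail list.
// Assumption: a restricted application has a "required_role" key (hypothetical
// name) in its Application Metadata, surfaced to Actions as
// event.client.metadata, and users get that role through Auth0 RBAC.

// Pure decision function: returns "allow" or a short deny code. It never
// touches the api object, so it can be exercised offline with constructed events.
function accessDecision(event) {
  const metadata = (event.client && event.client.metadata) || {};
  const requiredRole = metadata.required_role;
  if (!requiredRole) {
    return "allow"; // not a restricted application
  }
  const user = event.user || {};
  if (!user.email || !user.email_verified) {
    return "deny:unverified-email";
  }
  // event.authorization is absent when the user has no roles assigned.
  const roles = (event.authorization && event.authorization.roles) || [];
  if (!roles.includes(requiredRole)) {
    return "deny:missing-role";
  }
  return "allow";
}

// Action entry point. Auth0 passes the login event and an api object; calling
// api.access.deny stops the login. The user-facing reason is kept generic
// because it is returned to the application as error_description.
async function onExecutePostLogin(event, api) {
  const decision = accessDecision(event);
  if (decision !== "allow") {
    api.access.deny("Access denied.");
  }
}
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Offline harness: a stand-in for the api object that records deny calls.
function simulate(event) {
  let denied = null;
  const api = { access: { deny: (reason) => { denied = reason; } } };
  return onExecutePostLogin(event, api).then(() => ({ denied }));
}

// Constructed sample events (not real tenant data).
const appA = { client_id: "app-a", name: "Application A", metadata: { required_role: "app-a-user" } };
const appB = { client_id: "app-b", name: "Application B", metadata: { required_role: "app-b-user" } };
const openApp = { client_id: "docs", name: "Docs", metadata: {} };
const userA = { email: "user-a@example.com", email_verified: true };

const SAMPLES = {
  aToA: { client: appA, user: userA, authorization: { roles: ["app-a-user"] } },
  aToB: { client: appB, user: userA, authorization: { roles: ["app-a-user"] } },
  noRoles: { client: appA, user: userA },
  unverified: {
    client: appA,
    user: { email: "x@example.com", email_verified: false },
    authorization: { roles: ["app-a-user"] },
  },
  open: { client: openApp, user: userA },
};

async function main() {
  for (const [name, event] of Object.entries(SAMPLES)) {
    const { denied } = await simulate(event);
    console.log(name, accessDecision(event), denied ? `(api.access.deny: ${denied})` : "");
  }
}
if (typeof require !== "undefined" && require.main === module) main();
```

In a real tenant only `onExecutePostLogin` is deployed; the harness and sample events exist to show the outcome for each case: a user holding `app-a-user` reaches Application A, is denied at Application B, is denied when no role is assigned or the e-mail is unverified, and is allowed into an application that sets no `required_role`.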

Hi @tyf

Thanks a lot for your suggestions.
We have tried the second method suggested by you, "Permit or Deny login Requests using Auth0 Actions", and it worked. However, we have used Rules for now instead of Actions.
Now the only remaining question related to this is:
We need to provide a list of whitelisted email IDs of the users whom we want to authorize for a particular application. This is basically hardcoding these email IDs into the Rule/Action.
Example: const whitelist = ['xyz@abc.com'];
Is there any way to automate this / remove the need to hardcode emails into a list?
It is also cumbersome, as every time we integrate a new app or add a new user to an app, we will have to make changes to the Rule/Action code.

The code we have used in the rule is as below:

function userWhitelistForSpecificApp(user, context, callback) {
  if (!user.email || !user.email_verified) {
    return callback(new UnauthorizedError('Access denied.'));
  }

  // Authorized e-mail addresses per application, keyed by client name.
  // Applications not listed here are not restricted by this rule.
  const whitelists = {
    XYZ: ['xyz@abc.com'],   // Application 1
    XYZ1: ['abc@xyz.com'],  // Application 2
  };

  const whitelist = whitelists[context.clientName];
  if (!whitelist) {
    return callback(null, user, context);
  }

  const userHasAccess = whitelist.some(function (email) {
    return email === user.email;
  });

  if (!userHasAccess) {
    return callback(new UnauthorizedError('Access denied.'));
  }

  callback(null, user, context);
}

Also, the other method suggested by you, using the combination of RBAC and Actions, is unfortunately still not clear enough for us to try it.
Can you help us with a reference in the docs, or shed some more light on it in a bit more detail?

Waiting patiently.

Thanks and Regards,
Aafreen
