Using roles in my application to grant elevated controls

Hi all -

This may be covered in some of the quickstarts, but I’m not an auth guy, so I may just not understand what is what. I want to create a few roles that have specific privileges in my app. For example… we have a blog feature. I want to create a role called “ContentCreator”. In the React application I have a “New Blog” button that I want to only render if the person logged in has the role “ContentCreator”. Likewise… I’d like to create an “Admin” role that can delete objects in the app for housekeeping. For example… normally only if the owner of the blog matches the user would we render a “Delete Blog” button. But, if the signed in user has the “Admin” role, they should also be able to see the “Delete Blog” button.

Make sense?

So… is this something I would/could do with Auth0 Roles? Or do I need to set this up as user attributes in my database? If in Auth0… how?

Thanks!
-tom

Hi @tom15,

Welcome to the Community!

You can add roles to the tokens, then you can see what roles the user has and render the UI you’d like based on that.

Here is a doc that has an example of how to add roles to the token:

Hi @dan.woda - Thanks for the reply. I read that post. The part I’m confused about is it talks about enabling “Enable RBAC for API”, but I don’t want to use this in an API… I want to use it in my core application (my React app).

Can I do this if I’m not using it for API access?

You can still use roles in your React app, even though they are intended to be associated with permissions. This can help you render the correct UI elements like you mentioned.

How are you going to restrict a user from being able to create/edit/delete a blog? Are you checking the tokens in your backend?
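As an added example (not code from this thread or from Auth0), here is the client-side part of what is being described: reading the roles out of the token's namespaced custom claim and deriving the "New Blog" / "Delete Blog" visibility from them. The claim name `https://example.com/roles` is an assumed placeholder namespace, and the tokens are constructed inline and unsigned so the snippet runs offline; it only gates what the SPA renders, with the backend APIs still making the enforced decision.

```javascript
// Added example: UI gating from roles carried in an Auth0 token.
// ASSUMPTION: an Auth0 Action/Rule put the user's roles under this namespaced
// custom claim. The namespace is a made-up placeholder, not a real one.
const ROLES_CLAIM = "https://example.com/roles";

// Decode the payload of a compact JWT (header.payload.signature) WITHOUT
// verifying it. The SPA uses the result only to decide what to render; the
// signature is checked by the Auth0 SDK and, for anything that matters, by the
// backend APIs (Dgraph/GraphQL, URL signer) that receive the access token.
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Roles from the namespaced claim; a missing or malformed claim means no roles.
function getRoles(jwt) {
  const claim = decodePayload(jwt)[ROLES_CLAIM];
  return Array.isArray(claim) ? claim : [];
}

// "New Blog" is rendered only for users holding ContentCreator.
function canCreateBlog(roles) {
  return roles.includes("ContentCreator");
}

// "Delete Blog" is rendered for the blog's owner, or for anyone holding Admin.
function canDeleteBlog(userSub, blogOwnerSub, roles) {
  return userSub === blogOwnerSub || roles.includes("Admin");
}

// Constructed, unsigned token (alg "none", empty signature) so this runs offline.
// A real Auth0 token is RS256-signed and must be verified before trusting it.
function makeToken(claims) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${b64({ alg: "none", typ: "JWT" })}.${b64(claims)}.`;
}

// Constructed sample tokens for a content creator and an admin.
const creatorToken = makeToken({ sub: "auth0|creator1", [ROLES_CLAIM]: ["ContentCreator"] });
const adminToken = makeToken({ sub: "auth0|admin1", [ROLES_CLAIM]: ["Admin"] });
```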

Yes… both on the front end and back end. I have set up an Auth0 API for my Dgraph/GraphQL server as well as my URL signer API (a separate REST API that just creates short-lived signed URLs for a secure object store). I just want to conditionally render some objects in my front end based on role.

That all sounds correct. Let me know if you have any more questions about it.
