Enable Role-Based Access Control for User Roles in Organizations

Overview

This article provides steps to enable Role-Based Access Control (RBAC) for user roles within an Organization. 

Applies To
  • Auth0 Organization
  • APIs
  • Role-Based Access Control (RBAC)

Solution

To enable and utilize RBAC for user roles in Organizations: 

  1. Enable the RBAC setting for the relevant APIs. This is the primary step for RBAC rules to apply to users in an Organization, similar to Core RBAC functionality.
    • Roles must be assigned to users within their specific Organization. This differs from Core RBAC, where roles are typically assigned at the tenant level.
    • When a user authenticates in the context of an Organization, only the roles assigned to that user within that Organization are applied.

  2. If the RBAC setting is not enabled for the API:
    • Any permission requested by the application for that API is passed through unchanged in the scope claim of the issued Access Token, regardless of the user's roles.

    • This default behavior can be modified with a custom policy in an Action. Use the api.accessToken.addScope(scope) and api.accessToken.removeScope(scope) functions in a Post-Login Action. For further details, refer to the documentation on the Post-Login API Object. The following Post-Login Action illustrates both calls:

exports.onExecutePostLogin = async (event, api) => {
  // Add the 'write:documents' scope when the user holds the 'editor' role.
  // In an Organization login, event.authorization.roles holds only the roles
  // assigned to the user within that Organization.
  const roles = event.authorization?.roles || [];

  if (roles.includes('editor')) {
    api.accessToken.addScope('write:documents');
    console.log(`User ${event.user.user_id} granted 'write:documents' scope.`);
  }

  // Remove the 'delete:everything' scope whenever the application requested it,
  // so it never reaches the Access Token through the pass-through default.
  if (event.transaction?.requested_scopes?.includes('delete:everything')) {
    api.accessToken.removeScope('delete:everything');
    console.log(`Removed requested 'delete:everything' scope for user ${event.user.user_id}.`);
  }
};
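The Action above grants or strips one scope at a time. The following is an added example, not Auth0's own code or the code from this article, that generalizes it to the Organization case described in the steps: it acts only when the login happens in the context of an Organization (event.organization is present) and for one specific API, derives the allowed scopes from the Organization-scoped roles, and removes any protected scope the application requested without a role that justifies it. The API identifier, the role-to-scope table, the list of protected scopes and the mock api object are assumptions made for illustration; in Auth0 the platform supplies the real event and api objects.

```javascript
// Added example (not Auth0's own code). Assumed values are marked as such.

// Hypothetical API identifier (audience) whose scopes this Action manages.
const DOCUMENTS_API = 'https://documents.example.com/api';

// Hypothetical mapping from Organization role names to the scopes they justify.
const ROLE_SCOPES = {
  viewer: ['read:documents'],
  editor: ['read:documents', 'write:documents'],
};

// Scopes that must only appear in the token when a role justifies them.
const PROTECTED_SCOPES = ['write:documents', 'delete:documents'];

const onExecutePostLogin = async (event, api) => {
  // Only act on logins in the context of an Organization and for our API.
  if (!event.organization || event.resource_server?.identifier !== DOCUMENTS_API) {
    return;
  }

  // In an Organization login, event.authorization.roles contains only the
  // roles assigned to the user within that Organization.
  const roles = event.authorization?.roles || [];
  const allowed = new Set(roles.flatMap((role) => ROLE_SCOPES[role] || []));

  for (const scope of allowed) {
    api.accessToken.addScope(scope);
  }

  // Strip protected scopes the application asked for without a justifying role.
  const requested = event.transaction?.requested_scopes || [];
  for (const scope of requested) {
    if (PROTECTED_SCOPES.includes(scope) && !allowed.has(scope)) {
      api.accessToken.removeScope(scope);
    }
  }
};

// Auth0 loads the handler from `exports`; the guard keeps the file runnable
// outside a CommonJS module as well.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Minimal stand-in for the Auth0 `api` object so the Action can be exercised
// offline. It tracks the resulting scope set; Auth0 supplies the real object.
function makeMockApi(requestedScopes) {
  const scopes = new Set(requestedScopes);
  return {
    accessToken: {
      addScope: (scope) => scopes.add(scope),
      removeScope: (scope) => scopes.delete(scope),
    },
    scopes: () => [...scopes].sort(),
  };
}

// Runs the Action against a constructed event and returns the final scope list.
async function runAction({ orgId, roles, requestedScopes }) {
  const event = {
    organization: orgId ? { id: orgId } : undefined, // absent outside an Organization login
    resource_server: { identifier: DOCUMENTS_API },
    authorization: { roles },
    transaction: { requested_scopes: requestedScopes },
    user: { user_id: 'auth0|constructed-user' }, // constructed sample user
  };
  const api = makeMockApi(requestedScopes);
  await onExecutePostLogin(event, api);
  return api.scopes();
}

if (typeof require !== 'undefined' && require.main === module) {
  runAction({ orgId: 'org_constructed', roles: ['editor'], requestedScopes: ['openid', 'delete:documents'] })
    .then((scopes) => console.log(scopes));
}
```

Two points the mock makes visible: the requested scopes are seeded into the token first, which models the pass-through default of step 2, so the Action's only job is to add what the roles justify and remove what they do not; and when the login is not in the context of an Organization the Action returns early and the requested scopes reach the token untouched, which is exactly the behaviour step 2 warns about.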
