In our previous post, we explored the core aspects of establishing a robust identity system for Business-to-Business (B2B) applications, including multi-tenancy, and customer and user onboarding. We discussed how Auth0's Organizations feature provides the necessary structure to isolate customer data and streamline initial setup.
Once you have the foundation of user management in place in your B2B application, the next critical challenge emerges: not all users within an organization should have the same access. A CEO needs different access than a junior analyst, and an admin for one customer’s Organization should certainly not have access to another customer’s Organization.
This article will dive into the critical realm of authorization, examining how to implement granular access control within your B2B Software-as-a-Service (SaaS) application and how Auth0 helps you achieve this with confidence.
Using Role-Based Access Control (RBAC)
So the new challenges for a B2B SaaS developer now are: How do I give different users within an organization different permissions and ensure that these permissions are scoped to their specific organization?
As I recall helping build a B2B SaaS application, we had a raw version of RBAC implemented. In practice, we simply had roles attached to users and our code checked whether a given user had a specific role before granting access to a resource. This worked well enough in simple cases, but it wasn’t particularly flexible. If we added a new role, we had to change the existing code to include it in our authorization evaluations, even if the new role was only slightly different from an existing role — perhaps by one less permission. Raise your hand if you've found yourself in the same situation.
Auth0's RBAC support is out of the box and integrates well with Organizations. Essentially, a role is just a set of permissions identified by a name. These permissions can then be included in the user's access token or ID token, allowing your application's backend or frontend to enforce access policies. Your code doesn’t even need to know about roles, giving the administrator the freedom to aggregate existing permissions into new roles without any changes to your application code.
In addition, Auth0 allows you to assign roles to users within the context of a specific Organization. This enables you to deal with scenarios where users are members of multiple Organizations (not common, but possible). In such a scenario, the user "John Doe" can be an Admin for the "Acme Corp." organization but only a Viewer for the "Widgets Inc." organization, which prevents permission bleeding across your customer base.
Here are some resources on RBAC:
Beyond Roles: ABAC and ReBAC for Complex Scenarios
While RBAC is pretty good for many scenarios, you might encounter situations where access needs are more dynamic or granular than a simple role can convey. Consider the case where access to a resource is based not only on user permissions but also on user attributes, such as the department they belong to, or time constraints, such as working hours.
In this case, the challenge becomes: What if I need more dynamic access control based on user attributes or relationships to specific data?
To correctly manage these scenarios you need to explore advanced authorization models like Attribute-Based Access Control (ABAC) and Relationship-Based Access Control (ReBAC).
Instead of defining permissions for roles, ABAC defines access rules based on attributes of the user (e.g., the user’s department or location), the resource being accessed (e.g., the type of document), and the environment (e.g., the hour of the day or the IP address). Auth0 can help gather these attributes and include them in tokens, and you can use Auth0 Actions to dynamically add claims based on external data sources. The enforcement logic then resides in your application or a dedicated authorization service.
ReBAC focuses on the relationships between entities. Think of social networks: "Can user A see user B's post?" Yes, if "user A is a friend of user B". In a SaaS context, this could be: "Can user X access document Y?" Yes, if "user X is the owner of document Y" or "user X is a member of the project that contains document Y".
ReBAC requires a graph database or a specialized authorization service to model and query these relationships effectively. While Auth0 itself isn't a ReBAC enforcement engine, it provides the identity foundation and can integrate with external ReBAC systems like Auth0 Fine-Grained Authorization.
For most B2B SaaS applications, a well-designed RBAC system, possibly enhanced with some attribute checks, is sufficient. However, understanding ABAC and ReBAC prepares you for scenarios where your application's authorization needs grow.
Check out the following documentation to learn more about ABAC, ReBac, and FGA:
Conclusion
In this second part of our "B2B SaaS Identity Challenges" series, we’ve tackled the crucial aspect of granular access control. We moved beyond basic user management to explore how Role-Based Access Control (RBAC) helps define and enforce permissions within Organizations, and how Auth0's out-of-the-box RBAC support simplifies this for developers. We also touched upon advanced authorization models like ABAC and ReBAC, preparing you for more complex access scenarios.
While defining who can do what is essential, the real-world demands of enterprise customers extend beyond internal permissions. They require seamless integration with their existing IT infrastructure and a commitment to advanced security measures. In our next article, we will delve into critical topics like Single Sign-On (SSO), delegated administration, and robust threat protection, addressing the expectations of your largest customers.
About the author
Andrea Chiarelli
Principal Developer Advocate
I have over 20 years of experience as a software engineer and technical author. Throughout my career, I've used several programming languages and technologies for the projects I was involved in, ranging from C# to JavaScript, ASP.NET to Node.js, Angular to React, SOAP to REST APIs, etc.
In the last few years, I've been focusing on simplifying the developer experience with Identity and related topics, especially in the .NET ecosystem.