Authorization Core vs. Authorization Extension
Auth0 currently provides two ways of implementing role-based access control (RBAC): our Core implementation and our Authorization Extension, which will be deprecated. Our Core implementation improves performance and scalability.
We recommend using Authorization Core for most implementations. If you are looking to represent teams, business customers, or partners in a B2B or SaaS application, we recommend representing them as Organizations and using Authorization Core. The Authorization Extension does not have support for Organizations.
To help you decide which feature is right for your implementation, we present the differences between the two:
|Feature||Authorization Core||Authorization Extension|
|Enhanced performance and scalability||Yes - See Authorization Core RBAC Limits||No - Limited to 500KB of data (1000 groups, 3000 users, where each user is a member of 3 groups; or 20 groups, 7000 users, where each user is a member of 3 groups)|
|Roles can contain permissions from one or more APIs||Yes||No|
|Roles can be assigned to groups||Yes||Yes|
|Roles can be assigned to user groups||No||Yes|
|Roles are attached to specific applications||No||Yes|
|Search users by user, email, connection||Yes||Yes|
|Search users by identity provider, login count, last login, phone number||Yes||No|
|Search users using lucene syntax||Yes||No|
|Users can be assigned to groups||Yes - use Organizations||Yes - if using Organizations|
|User import/export via JSON||Not currently||Yes|
|Create custom authorization policies||Yes||No|