Authorization Core vs. Authorization Extension
Auth0 currently provides two ways of implementing role-based access control (RBAC): our Core implementation and our Authorization Extension, which will be deprecated. Our Core implementation improves performance and scalability.
We recommend using Authorization Core for most implementations. To help you decide which feature is right for your implementation, we present the differences between the two:
Feature | Authorization Core | Authorization Extension |
---|---|---|
Enhanced performance and scalability | Yes - See Authorization Core RBAC Limits | No - Limited to 500KB of data (1000 groups, 3000 users, where each user is a member of 3 groups; or 20 groups, 7000 users, where each user is a member of 3 groups) |
Create/edit/delete roles | Yes | Yes |
Roles can contain permissions from one or more APIs | Yes | No |
Roles can be assigned to groups | Not currently | Yes |
Roles are attached to specific applications | No | Yes |
Create/edit/delete users | Yes | Yes |
Search users by user, email, connection | Yes | Yes |
Search users by identity provider, login count, last login, phone number | Yes | No |
Search users using lucene syntax | Yes | No |
Users can be assigned to groups | Not currently | Yes |
User import/export via JSON | Not currently | Yes |
Create custom authorization policies | Yes | No |