Dashboard Access by Role
As a tenant administrator, you can assign roles to your team members that give them limited access to Auth0 Dashboard features, so they can complete their jobs without putting production applications at risk, in keeping with the principle of least privilege.
You can assign the following roles for the Auth0 Dashboard:
|Admin||Read and write access to all resources in the Auth0 Dashboard.|
|Editor - Specific Apps||Read and write access to specific applications only.|
|Editor - Connections||Read, write, and create access to all types of connections.|
|Editor - Users||User management operations (create, delete, block, unblock, reset MFA, reset password, update metadata, assign roles, etc.) and access to logs.|
|Viewer - Users||Read-only access to users and logs.|
|Viewer - Config||Read-only access to all configuration settings (applications, APIs, rules, security settings, etc.) except for sensitive information such as secrets, billing, users, and logs.|
Tenant members with less privileged roles have a restricted Dashboard experience: they see only the sections they can access and the actions they can perform. The following table shows the specific feature permissions for each role.
|Dashboard Section||Subsection||Admin||Editor - Specific Apps||Editor - Connections||Editor - Users||Viewer - Users||Viewer - Config|
|Applications||Applications||✍||✍ *¶||❌||❌||❌||👁 ‡|
| ||SSO integrations||✍||✍ *¶||❌||❌||❌||👁 ‡|
|Authentication||Database||✍||❌ †||✍||❌||❌||👁 ‡|
| ||Social||✍||❌ †||✍||❌||❌||👁 ‡|
| ||Email Providers||✍||❌||❌||❌||❌||👁 ‡|
| ||Multi-factor Auth||✍||❌||❌||❌||❌||👁 ‡|
|Auth Pipeline||Rules||✍||❌||❌||❌||❌||👁 ‡|
|Monitoring||Logs||✅||❌||❌||👁 §||👁 §||❌|
|Get Support||Support Tickets||✅||✅||✅||✅||✅||✅|
|†||Previously available for the Application Admin role but removed from the Editor - Specific Apps role.|
Log events available to user roles
Logs can contain sensitive data, such as secrets and PII. It is important not to disclose sensitive data to users whose role does not require that information. However, the Editor - Users and Viewer - Users roles need some access to logs to identify user issues, for example, finding out whether a user signed up correctly or was blocked.
We give the Editor - Users and Viewer - Users roles access to a limited set of log types that are connected to user events. The log events in the list provide the necessary information about user actions but do not disclose sensitive information about other parts of the tenant configuration. For more details about these events, see Log Event Type Codes.
f fcp fcpr fdeac fdeaz fdecc feacft fede fens flo fn fp fs fsa fu fv fvr gd_auth_failed gd_auth_rejected gd_auth_succeed gd_enrollment_complete gd_otp_rate_limit_exceed gd_recovery_failed gd_recovery_rate_limit_exceed gd_recovery_succeed gd_send_email gd_send_email_failure gd_send_pn gd_send_pn_failure gd_send_sms gd_send_sms_failure gd_send_voice gd_send_voice_failure gd_start_auth gd_start_enroll gd_tenant_update gd_unenroll gd_update_device_account limit_mu limit_wc pwd_leak s scoa scp scpr sercft slo ss ssa ublkdu w
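The same allow-list can be applied to a log export before it is shared with staff who hold only the Editor - Users or Viewer - Users role. The following is an added example, not Auth0's code: it assumes each exported event is a dict whose `type` field holds the event type code, and the function names and sample events are constructed for illustration.

```python
from collections import Counter

# Event type codes listed on this page for the Editor - Users / Viewer - Users roles.
USER_ROLE_LOG_TYPES = frozenset("""
f fcp fcpr fdeac fdeaz fdecc feacft fede fens flo fn fp fs fsa fu fv fvr
gd_auth_failed gd_auth_rejected gd_auth_succeed gd_enrollment_complete
gd_otp_rate_limit_exceed gd_recovery_failed gd_recovery_rate_limit_exceed
gd_recovery_succeed gd_send_email gd_send_email_failure gd_send_pn
gd_send_pn_failure gd_send_sms gd_send_sms_failure gd_send_voice
gd_send_voice_failure gd_start_auth gd_start_enroll gd_tenant_update
gd_unenroll gd_update_device_account limit_mu limit_wc pwd_leak
s scoa scp scpr sercft slo ss ssa ublkdu w
""".split())

def _type_code(event):
    """Return the event's type code, or None if it is missing or malformed."""
    code = event.get("type") if isinstance(event, dict) else None
    return code if isinstance(code, str) else None

def split_for_user_roles(events):
    """Split events into (visible, withheld) for the user-focused roles.

    Fails closed: a record with a missing, malformed or unlisted type is withheld.
    """
    visible, withheld = [], []
    for event in events:
        target = visible if _type_code(event) in USER_ROLE_LOG_TYPES else withheld
        target.append(event)
    return visible, withheld

def withheld_summary(withheld):
    """Count withheld events per type code so the admin can review what was held back."""
    return Counter(_type_code(e) or "<missing type>" for e in withheld)

# Constructed sample export; "sapi" and "seccft" are codes not on the page's list.
SAMPLE_EVENTS = [
    {"type": "s", "user_id": "auth0|example-1", "description": "constructed"},
    {"type": "fp", "user_id": "auth0|example-2", "description": "constructed"},
    {"type": "limit_wc", "user_id": "auth0|example-2", "description": "constructed"},
    {"type": "sapi", "description": "constructed"},
    {"type": "seccft", "description": "constructed"},
    {"description": "constructed record with no type field"},
]

if __name__ == "__main__":
    shown, held = split_for_user_roles(SAMPLE_EVENTS)
    print(len(shown), "events visible;", dict(withheld_summary(held)), "withheld")
```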
Users with the Admin role can invite Editor - Specific Apps users to only one application at a time. To work around this, after the user accepts the invitation, the Admin user can edit their role to assign multiple applications.
The Viewer - Users and Editor - Users roles don't have access to the User's Devices and Authorized Apps sections.
Private Cloud requirements
Be aware that the Editor - Users and Viewer - Users roles depend on User Search v3 and Logs Search v3 being enabled in your environment. If your environment doesn't support these versions, these two roles will be unavailable.