Delegated Administration Extension v3
The Delegated Administration Extension (DAE) allows you to grant administrative permissions to a select group of people without providing access to any other area.
Configure the DAE
To configure the DAE, you must:
Register the application with Auth0
Create the Application that the Delegated Administration Extension will expose to those who should have administrative privileges for the Users page. To do this, create a delegated admin application in Auth0.
When finished, note the application's Client ID.
Create a database connection
In this example, a database connection will serve as the source of your users who are allowed access to the Users area. To configure this, create a database connection.
While setting up your connection:
Use a fitting connection name, such as
HelpDesk
.Enable the Disable Sign Ups toggle. For security purposes, this ensures that even users who have the link to the database connection cannot sign themselves up.
Disable all other connections for the Auth0 application
By default, Auth0 enables all connections associated with your tenant when you create a new Application. For this example, disable all connections other than your newly-created database connection. This helps keep the application secure because no one can add themselves using one of your existing connections.
To configure this, update application connections.
Create users for the database connection
To continue, you must create at least one user and attach it to your connection.
Assign roles to users
Auth0 grants access to the Delegated Administration Extension (DAE) for the user(s) attached to your connection based on their roles. These are DAE-specific roles:
This role... | Grants permission to... |
---|---|
Delegated Admin - User |
Search for users, create users, open users, and execute actions on users (such as delete or block). |
Delegated Admin - Administrator |
Do everything that the Delegated Admin - User can, plus see all logs in the tenant and configure Hooks. |
Delegated Admin - Auditor |
Search for users and view user information, but not make changes. Action-based buttons are not visible to this role. |
Delegated Admin - Operator |
Access user management and logs, but not the extension configuration section. |
When working with roles, we recommend that you use the Authorization Core feature set:
Create DAE roles. The names of the roles you create must match the names of the pre-defined DAE roles above.
Add user roles to the DAE namespace in the ID Token using Actions:
exports.onExecutePostLogin = async (event, api) => { const namespace = `https://{yourTenant}/auth0-delegated-admin`; if (event.client.client_id === 'CLIENT_ID' && event.authorization) { api.idToken.setCustomClaim(namespace, { "roles": event.authorization.roles }); } };
Was this helpful?
/
Remember to replace the CLIENT_ID
placeholder with your delegated admin application's Client ID and replace {yourTenant}
with your tenant name. For example, if your tenant's name is "tenant_name_example", the namespace would be: https://tenant_name_example/auth0-delegated-admin
To learn more about creating Actions, read Write Your First Action
Install and configure the extension
Now that we've created and configured an application, a connection, and our user, we can install and configure the Delegated Admin Extension itself.
Use the extension
Once installed, you are ready to use the Delegated Admin Extension.
Navigate to the extension using the appropriate login link for your region and your tenant's extensibility runtime.
Location | Name | Login Link |
---|---|---|
Australia | AU | https://{yourTenant}.au.webtask.io/auth0-delegated-admin |
Europe | EU | https://{yourTenant}.eu.webtask.io/auth0-delegated-admin |
Europe | EU-2 | https://{yourTenant}.eu.webtask.run/auth0-delegated-admin |
Japan | JP-1 | https://{yourTenant}.jp.webtask.run/auth0-delegated-admin |
UK | UK | https://{yourTenant}.uk.webtask.run/auth0-delegated-admin |
USA | US-1 | https://{yourTenant}.us.webtask.io/auth0-delegated-admin |
USA | US-3 | https://{yourTenant}.us.webtask.run/auth0-delegated-admin |
A new tab opens, displaying the login prompt.
Because (in this example) we disabled signups for the database connection while configuring it, the login screen does not display a Sign Up option. Once you provide valid credentials, Auth0 directs you to your custom Delegated Administration Dashboard page, which has the Title you provided at the top of the page and (if you provided a custom CSS file), your design.
Delegated Administration session timeout
By default, token expiration time is 10 hours. However, for security reasons, when using Delegated Administration, Auth0 doesn't save a token to cookies or sessionStorage
. You must start a new session on each page reload.