Delegated Administration Extension v3
Auth0 recommends that you use the Tenant Members settings to designate tenant usage capabilities to other users and admins in your organization. To learn more, read Dashboard Access.
The Delegated Administration Extension (DAE) allows you to grant administrative permissions to a select group of people without providing access to any other area.
Configure the DAE
To configure the DAE, you must:
Register the application with Auth0
Create the Application that the Delegated Administration Extension will expose to those who should have administrative privileges for the Users page. To do this, create a delegated admin application in Auth0.
When finished, note the application's Client ID.
Create a database connection
In this example, a database connection will serve as the source of your users who are allowed access to the Users area. To configure this, create a database connection.
While setting up your connection:
Use a fitting connection name, such as
HelpDesk.Enable the Disable Sign Ups toggle. For security purposes, this ensures that even users who have the link to the database connection cannot sign themselves up.
Disable all other connections for the Auth0 application
By default, Auth0 enables all connections associated with your tenant when you create a new Application. For this example, disable all connections other than your newly-created database connection. This helps keep the application secure because no one can add themselves using one of your existing connections.
To configure this, update application connections.
Create users for the database connection
To continue, you must create at least one user and attach it to your connection.
Assign roles to users
Although the Delegated Administration Extension (DAE) and the Authorization Core feature set are completely separate features, you can use the Authorization Core feature set to create and manage roles for the DAE using Actions. To learn how, see Sample Use Cases: Actions with Authorization.
When logging in as a user using Organizations with Delegated Administration Extension (DAE), your user roles will not be available. Only your Organization member roles will be available within event.authorization.roles. To add roles to Organization members, read Add Roles to Organization Members.
Auth0 grants access to the Delegated Administration Extension (DAE) for the user(s) attached to your connection based on their roles. These are DAE-specific roles:
| This role... | Grants permission to... |
|---|---|
Delegated Admin - User |
Search for users, create users, open users, and execute actions on users (such as delete or block). |
Delegated Admin - Administrator |
Do everything that the Delegated Admin - User can, plus see all logs in the tenant and configure Hooks. |
Delegated Admin - Auditor |
Search for users and view user information, but not make changes. Action-based buttons are not visible to this role. |
Delegated Admin - Operator |
Access user management and logs, but not the extension configuration section. |
When working with roles, we recommend that you use the Authorization Core feature set:
Create DAE roles. The names of the roles you create must match the names of the pre-defined DAE roles above.
Add user roles to the DAE namespace in the ID Token using Actions:
exports.onExecutePostLogin = async (event, api) => { const namespace = `https://{yourTenant}/auth0-delegated-admin`; if (event.client.client_id === 'CLIENT_ID' && event.authorization) { api.idToken.setCustomClaim(namespace, { "roles": event.authorization.roles }); } };Was this helpful?
/
Remember to replace the CLIENT_ID placeholder with your delegated admin application's Client ID and replace {yourTenant} with your tenant name. For example, if your tenant's name is "tenant_name_example", the namespace would be: https://tenant_name_example/auth0-delegated-admin
To learn more about creating Actions, read Write Your First Action
Auth0 returns profile information in a structured claim format as defined by the OpenID Connect (OIDC) specification. This means that custom claims added to ID tokens or access tokens must conform to guidelines and restrictions to avoid possible collisions.
Using Authorization Core will define roles in the context.authorization object.
If you choose not to use Authorization Core, you should define DAE roles in one of the following fields on the user profile:
user.app_metadata.rolesuser.app_metadata.authorization.roles
Install and configure the extension
Now that we've created and configured an application, a connection, and our user, we can install and configure the Delegated Admin Extension itself.
Use the extension
Once installed, you are ready to use the Delegated Admin Extension.
Navigate to the extension using the appropriate login link for your region and your tenant's extensibility runtime.
| Location | Name | Login Link |
|---|---|---|
| Australia | AU | https://{yourTenant}.au.webtask.io/auth0-delegated-admin |
| Europe | EU | https://{yourTenant}.eu.webtask.io/auth0-delegated-admin |
| Europe | EU-2 | https://{yourTenant}.eu.webtask.run/auth0-delegated-admin |
| Japan | JP-1 | https://{yourTenant}.jp.webtask.run/auth0-delegated-admin |
| UK | UK | https://{yourTenant}.uk.webtask.run/auth0-delegated-admin |
| USA | US-1 | https://{yourTenant}.us.webtask.io/auth0-delegated-admin |
| USA | US-3 | https://{yourTenant}.us.webtask.run/auth0-delegated-admin |
A new tab opens, displaying the login prompt.
Because (in this example) we disabled signups for the database connection while configuring it, the login screen does not display a Sign Up option. Once you provide valid credentials, Auth0 directs you to your custom Delegated Administration Dashboard page, which has the Title you provided at the top of the page and (if you provided a custom CSS file), your design.
Delegated Administration session timeout
By default, token expiration time is 10 hours. However, for security reasons, when using Delegated Administration, Auth0 doesn't save a token to cookies or sessionStorage. You must start a new session on each page reload.