Authorization Core vs. Authorization Extension
Auth0 currently provides two ways of implementing role-based access control (RBAC): our Core implementation and our Authorization Extension, which will be deprecated. Our Core implementation improves performance and scalability.
We recommend using Authorization Core for most implementations. If you are looking to represent teams, business customers, or partners in a B2B or SaaS application, we recommend representing them as Organizations and using Authorization Core. The Authorization Extension does not have support for Organizations.
To help you decide which feature is right for your implementation, we present the differences between the two:
Feature | Authorization Core | Authorization Extension |
---|---|---|
Enhanced performance and scalability | Yes - Read Entity Limit Policy | No - Limited to 500KB of data (1000 groups, 3000 users, where each user is a member of 3 groups; or 20 groups, 7000 users, where each user is a member of 3 groups) |
Create/edit/delete Roles | Yes | Yes |
Roles can contain permissions from one or more APIs | Yes | No |
Users and Roles can be assigned to Groups | No | Yes |
Roles are attached to specific applications | No | Yes |
Create/edit/delete Users | Yes | Yes |
Search Users by user, email, connection | Yes | Yes |
Search Users by identity provider, login count, last login, phone number | Yes | No |
Search Users using Lucene syntax | Yes | No |
User import/export via JSON | Not currently | Yes |
Create custom authorization policies | Yes | No |