
> Learn how to use the Access Hook with the Delegated Administration Extension.

# Delegated Administration: Access Hook

Because the Filter Hook only applies filtering logic, you'll need a second layer of logic to determine if the current user (or the person acting as the administrator) is allowed to access a specific user.

To learn more about the Filter Hook, read [Delegated Administration: Filter Hook](/docs/customize/extensions/delegated-administration-extension/delegated-administration-hooks/delegated-administration-filter-hook).

The **Access Hook** allows you to determine if the current user is allowed to read, delete, block, unblock, or update a specific user.

## Hook contract

* **ctx**: Context object.

  * **payload**: Payload object.

    * **action**: Current action (e.g., **delete:user**) that is being executed.
    * **user**: User on which the action is being executed.
* **callback(error)**: Callback to which you can return an error if access is denied.

## Sample use

Kelly manages the Finance department, and she should only be able to access users within her department.

```javascript
function(ctx, callback) {
  if (ctx.payload.action === 'delete:user') {
    return callback(new Error('You are not allowed to delete users.'));
  }

  // Get the department from the current user's metadata.
  var department = ctx.request.user.app_metadata && ctx.request.user.app_metadata.department;
  if (!department || !department.length) {
    return callback(new Error('The current user is not part of any department.'));
  }

  // The IT department can access all users.
  if (department === 'IT') {
    return callback();
  }

  // Read the target user's department; app_metadata may be missing on some users.
  var targetDepartment = ctx.payload.user.app_metadata && ctx.payload.user.app_metadata.department;
  ctx.log('Verifying access:', targetDepartment, department);

  if (!targetDepartment || targetDepartment !== department) {
    return callback(new Error('You can only access users within your own department.'));
  }

  return callback();
}
```

## Notes

If this hook is not configured, all users will be accessible to the current user.

The Hook supports the following action names (which are set as the value of **ctx.payload.action**):

* read:user
* delete:user
* reset:password
* change:password
* change:username
* change:email
* read:devices
* read:logs
* remove:multifactor-provider
* block:user
* unblock:user
* send:verification-email
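
The sample above denies only `delete:user` by name, so every other action in this list is allowed inside the department. The following is an added example, not part of the original documentation or the extension's own code: a deny-by-default variant that allows department managers only an explicit set of actions. The `MANAGER_ACTIONS` policy, the function name `accessHook` (named so it can be called locally) and the `check` harness are assumptions made for illustration.

```javascript
// Assumed policy: actions a non-IT manager may run on users in the same department.
var MANAGER_ACTIONS = ['read:user', 'read:logs', 'read:devices', 'block:user',
  'unblock:user', 'reset:password', 'send:verification-email'];

function accessHook(ctx, callback) {
  var action = ctx.payload && ctx.payload.action;
  var target = (ctx.payload && ctx.payload.user) || {};
  var actor = (ctx.request && ctx.request.user) || {};
  var actorDept = actor.app_metadata && actor.app_metadata.department;
  var targetDept = target.app_metadata && target.app_metadata.department;

  // Same rule as the page's sample: nobody deletes users through the dashboard.
  if (action === 'delete:user') {
    return callback(new Error('You are not allowed to delete users.'));
  }
  if (typeof actorDept !== 'string' || !actorDept.length) {
    return callback(new Error('The current user is not part of any department.'));
  }
  // The IT department can access all users.
  if (actorDept === 'IT') {
    return callback();
  }
  // Default deny: any action not listed is refused, including a missing
  // action or an action name this policy has never seen.
  if (MANAGER_ACTIONS.indexOf(action) === -1) {
    return callback(new Error('Action not allowed: ' + action));
  }
  // A target without app_metadata or department never matches.
  if (typeof targetDept !== 'string' || targetDept !== actorDept) {
    return callback(new Error('You can only access users within your own department.'));
  }
  return callback();
}

// Hypothetical local harness: builds a constructed ctx, runs the hook,
// and returns null when access is granted or the error message when denied.
function check(actorDept, action, targetMeta) {
  var result;
  var ctx = {
    request: { user: { app_metadata: actorDept ? { department: actorDept } : undefined } },
    payload: { action: action, user: { app_metadata: targetMeta } }
  };
  accessHook(ctx, function (err) { result = err ? err.message : null; });
  return result;
}
```
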

## Learn more

* [Delegated Administration: Filter Hook](/docs/customize/extensions/delegated-administration-extension/delegated-administration-hooks/delegated-administration-filter-hook)
* [Delegated Administration: Memberships Query Hook](/docs/customize/extensions/delegated-administration-extension/delegated-administration-hooks/delegated-administration-memberships-query-hook)
* [Delegated Administration: Settings Query Hook](/docs/customize/extensions/delegated-administration-extension/delegated-administration-hooks/delegated-administration-settings-query-hook)
* [Delegated Administration: Write Hook](/docs/customize/extensions/delegated-administration-extension/delegated-administration-hooks/delegated-administration-write-hook)
