Role-Based Access Control (RBAC) is a well-known feature to anyone working with Content Management Systems (CMS) or any web application/platform. Today we’re very excited to announce that this feature is available to all Strapi users in the latest version of Strapi (v3.1). The full changelog can be found in the repository here.
We’d like to give a special shout out to @JelmerV-WFC, @shaheinm, @AHgPuK for their contributions in this release:
Until today, Strapi admin users either had full access to all settings and content-types or none. With this new feature, you now have the option to define the privileges each admin user should have based on their roles.
Some of you might be wondering how this is different from the Roles & Permissions plugin already available by default in Strapi. Although the names are a bit confusing, the difference is actually very simple: that plugin is only directed towards end-users, i.e. someone who has an account on your site to leave a comment on an article, not admin users who have access to the Strapi admin panel. The Roles & Permissions plugin and its capabilities remain totally unchanged.
RBAC is not only important to enterprise users but pretty much all of our users, as it is a fairly standard CMS capability. However, from conversations we had with Strapi users, the required level of granularity for these roles & permissions varied greatly based on the profile of our users.
On one hand, advanced capabilities are often needed by enterprises for security and governance purposes. Large companies often require these privileges to be managed from Single Sign-On (SSO) or Active Directory, which controls authorization to all accounts and applications from a single service. Stay tuned for more information on that topic in the coming months.
On the other hand, what personal bloggers and startups really need are more basic RBAC capabilities allowing them to effectively manage permissions for small teams of authors and editors with very limited security or governance requirements.
For that reason, and instead of limiting the number of admin users in Strapi Community Edition (CE), we decided to make the basic RBAC capabilities available to all, while making more advanced capabilities only available to Strapi Enterprise Edition (EE) customers. Please refer to this blog post for more information on our vision for Strapi EE and paid Plans.
Let’s take a closer look at the basic and advanced RBAC capabilities available in Strapi today.
The basic RBAC feature available in Strapi CE includes an unlimited number of admin users and 3 default roles (Super Admin, Editor, Author) with customizable access to specific Collection & Single Types.
The advanced RBAC feature available in Strapi EE Silver and Gold allows you to create an unlimited number of custom roles (add a new role, edit or delete an existing role) with a high level of granularity (down to the field level) for a series of specific actions (Create, Read, Update, Delete, Publish).
In this example, we will create 4 users with obvious names; they will all be granted different levels of permissions:
The Roles & Permissions settings can be configured in Settings > Permissions > Roles. Note that this is not in the Roles and Permissions plugin section, which still handles the users' permissions in the final application.
In Strapi Community Edition, 3 roles are available:
In the User section of the Permissions settings, you will find all your users and be able to configure them. On user creation, you will have access to a generated URL link that you’ll be able to send to your new user to register.
The Settings menu can only be accessed by the Super Admin; the Settings link in the menu is not shown to Editors and Authors. The first user created when you first log in to your application will always be a Super Admin.
Editors can manage, access, and publish any content created by any user, while Authors can only access their own content.
In the example video below, one article has been created by John SuperAdmin, and one has been created by John Author. John Author will only see his own article in his administration interface, while John Authorbis will see none.
In the Enterprise Edition, role creation is unlimited. Role control is also more advanced, with a high level of granularity, allowing you to configure CRUD operations for any field available in any content type. In our example, we will create an Analyst role, assign this role to John Authorbis, and limit the permissions to read-only for the field Amount of the Collection Type Billings.
Permissions can be given at any level, for any field and for any entry. You can now easily have multiple users working on the same projects without any chance of interacting with data that they’re not supposed to.
You can even go one step further by defining your own conditions of permissions for any users. For example, let’s define a condition allowing access only to Billings where the Amount is lower than 10K.
To do so, open the config/functions/bootstrap.js file, and add the following code:
module.exports = () => {
  // Register a custom RBAC condition that the admin panel will offer
  // when configuring a role's permissions on the Billings content type.
  strapi.admin.services.permission.conditionProvider.register({
    displayName: 'Billing amount under 10K',
    name: 'billing-amount-under-10k',
    plugin: 'admin',
    // Query object applied to entries: only rows with amount < 10000 match.
    handler: { amount: { $lt: 10000 } },
  });
};
After restarting the server, you’ll see the new condition in the Roles settings as follows:
In this new release, we are also introducing a new way of filtering your data. You will now be able to use logical operators AND and OR to build complex queries without the need for custom code.
Restaurants that have 1 star AND a pricing less than or equal to 20:
const query = qs.stringify({
  // An array under _where is an implicit AND of its clauses.
  _where: [{ stars: 1 }, { pricing_lte: 20 }],
});

await request(`/restaurants?${query}`);
// GET /restaurants?_where[0][stars]=1&_where[1][pricing_lte]=20
Restaurants that have 1 star OR a pricing greater than 30:
// _or takes a list of clauses; at least one must match.
const query = qs.stringify({ _where: { _or: [{ stars: 1 }, { pricing_gt: 30 }] } });

await request(`/restaurants?${query}`);
// GET /restaurants?_where[_or][0][stars]=1&_where[_or][1][pricing_gt]=30
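To make the two filter shapes concrete, here is an added example (not Strapi's own code) with a minimal bracket-notation serializer that reproduces the GET strings above, plus an in-memory evaluator of the _where semantics (array = implicit AND, _or = any clause, _lte / _gt operator suffixes) run over constructed sample restaurants:

```javascript
// Serialise a nested object/array into Strapi's bracket syntax.
// Brackets are written literally here, as in the GET comments above;
// qs.stringify percent-encodes them by default, which decodes to the same keys.
function toQuery(value, prefix = '') {
  if (value !== null && typeof value === 'object') {
    return Object.entries(value)
      .map(([k, v]) => toQuery(v, prefix ? `${prefix}[${k}]` : k))
      .join('&');
  }
  return `${prefix}=${encodeURIComponent(String(value))}`;
}

// Operator suffixes used in the post; a bare field name means equality.
const OPS = {
  _lte: (actual, expected) => actual <= expected,
  _gt: (actual, expected) => actual > expected,
};

// Does one record satisfy a single clause object such as { pricing_lte: 20 }?
function matchesClause(record, clause) {
  return Object.entries(clause).every(([key, expected]) => {
    if (key === '_or') return expected.some((sub) => matchesClause(record, sub));
    const op = Object.keys(OPS).find((suffix) => key.endsWith(suffix));
    if (op) return OPS[op](record[key.slice(0, -op.length)], expected);
    return record[key] === expected;
  });
}

// Apply a _where value: an array is an implicit AND of clauses.
function filterRecords(records, where) {
  const clauses = Array.isArray(where) ? where : [where];
  return records.filter((r) => clauses.every((c) => matchesClause(r, c)));
}

// Constructed sample data (not from the post).
const RESTAURANTS = [
  { id: 1, name: 'Bistro A', stars: 1, pricing: 15 },
  { id: 2, name: 'Bistro B', stars: 1, pricing: 25 },
  { id: 3, name: 'Bistro C', stars: 3, pricing: 40 },
  { id: 4, name: 'Bistro D', stars: 2, pricing: 10 },
];

const QUERY_AND = { _where: [{ stars: 1 }, { pricing_lte: 20 }] };
const QUERY_OR = { _where: { _or: [{ stars: 1 }, { pricing_gt: 30 }] } };

// Returns the request path and the ids the filter would let through.
function run(query) {
  const ids = filterRecords(RESTAURANTS, query._where).map((r) => r.id);
  return { url: `/restaurants?${toQuery(query)}`, ids };
}
```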
This will allow you to create more diverse and friendlier experiences for your users. You can find the documentation on how the filtering works and examples here: https://strapi.io/documentation/v3.x/content-api/parameters.html
If you already have a Strapi project, a fully detailed migration guide is available. You can also check the changelog here.
If you are new to Strapi, just give it a try!
Take a look at the Getting Started guide to jump on board, or get started with the following command line:
yarn create strapi-app my-app --quickstart
or
npx create-strapi-app my-project --quickstart
Check out our public product roadmap to see what features we’ll be working on next. Don’t see a feature you’d like in the backlog? Feel free to submit new feature requests or even better, start contributing to Strapi on GitHub. All contributions and users are welcome!
Alex is passionate about science and engineering. He also really likes cooking and baking. He is always eager to learn new things, especially about space. If you need some help with a Rubik's cube, send him a message on Twitter: @_alexandrebodin