The moment so long awaited by many Strapi users is here. Strapi custom roles and permissions (also known as RBAC) is available in the community edition starting from v4.8. For free. Without limitations.

Custom roles and permissions available for free

Before Strapi v4.8, the free Community Edition RBAC was limited to only three predefined roles: SuperAdmin, Editor, and Author. Granular and custom roles and permissions were only available in the Enterprise Edition, with a limitation on the number of users for each plan.

After listening to the community feedback and analyzing the Strapi pricing model, we have decided to sunset the Strapi Enterprise Bronze or Silver plans and remove the limitations on the RBAC feature. As of today, all Strapi users who migrate to v4.8 are able to create an unlimited number of custom roles and permissions. We believe that this feature is indispensable to build efficient and secure content management processes and it should be accessible to all Strapi users and plugin developers.

What are custom roles and permissions?

Custom roles and permissions is one of the most powerful Strapi features, which provides Role-Based Access Control (RBAC) for users and groups.

RBAC is a security model that defines the permissions and actions that each user or group can perform within an application. This model provides a granular level of control over what fields, content types, plugins or settings users can access, edit, create, or delete within an application.

Role-Based Access Control allows you to create custom roles that are tailored to specific user needs. This means that you can define what actions a user can take within an application, based on their role, without having to give them full access to the entire system.

It also allows you to define custom conditions of permissions for any user. For example, you can define "field level" condition allowing access only to "invoices" where the amount is lower than $15K. If the Internationalization plugin is installed, you can define which authors should be granted privileges to update the "English" locale.

This level of granularity and flexibility is what makes the Strapi Role-Based Access Control system stand out from the competition. Please have a look at the documentation and this article about best practices to learn more.

Best practices & use cases

This security feature is often a must-have in a wide range of industries and projects, including financial services, retail, telecom, government, healthcare, retail and more.

If you're looking to develop a Strapi application for managing a network of franchises, partner portals, or any distributed network and global communities comprising multiple subgroups or entities, this feature would prove extremely beneficial.

Here are some of the best practices on how to make most out of custom roles and permissions:

• Define roles based on user needs: Define roles based on what users need to do within the application, rather than creating roles based on job titles or department names.

• Limit permissions: Limit permissions to only what users need to do their job. Don't give users access to features or data that they don't need.

• Enforce the lowest level of permissions first: each role should be strictly based on each contributor's responsibilities. Reduce risk, both from malicious intent and user errors by following the principle of least privilege.

• Add granular CRUD permissions for each field: Set different permissions for each field in any content type for any Create, Read, Update or Delete operation.

• Regularly review permissions: Regularly review permissions to ensure that users only have access to what they need. Remove permissions for users who no longer need them.

• Use groups: Use groups to assign roles to multiple users at once, rather than assigning roles to individual users. This makes it easier to manage permissions for large numbers of users.

• Audit permissions: Audit permissions regularly to ensure that they are being used appropriately. Check for any unusual or suspicious activity that may indicate a security breach.

Strapi Enterprise plans update

We've recently announced changes to the Strapi Enterprise plans. Apart from custom roles and permissions becoming available in the Community Edition, here's what you need to know:

• We've sunsetted the Strapi Enterprise Bronze and Silver on March 1st, 2023.

• The Strapi Enterprise Gold plan is renamed Strapi Enterprise.

• Bronze and Silver customers have until their renewal date to transition to Strapi Cloud (a new managed platform to boost your team velocity), Strapi Enterprise or Strapi Community Edition v4.8 and upcoming versions.

• If your subscription period ends soon and you absolutely need the RBAC feature but can't migrate to Strapi v4.8, please send an email to support@strapi.io.

• We are introducing the concept of "Seats" in our pricing model to align with our Strapi Cloud offering and avoid current confusion around the definition of Admin Users.

• A new audit logs feature is now available in Strapi Enterprise.

If you have any questions regarding the Strapi Enterprise Edition, please have a look at this article or contact us directly:

• Contact sales to learn more about the Enterprise Edition

• Customers can contact support@strapi.io directly

New plugins on Strapi Market

The Strapi marketplace now lists more than 100 plugins, providers and custom fields. We thank all community members for contributing their work, allowing other Strapi users to easily extend their app.

Here are the new plugins, available on the Strapi Market:

• ChatGPT by @AsyncWeb - integrate ChatGPT into your Strapi application. You get both a UI to interact with ChatGPT and an API end-points to integrate into your applications.

• Video custom field by @SKILNET - allows you to preview, and add videos with external sources to your application.

• Open AI - an official Strapi plugin that allows you to create Open AI completion from a prompt.

• Image color palette by @codymx - a plugin that extends image uploads to generate and attach a color palette to the schema when uploaded.

Get your plugin or provider listed on the Strapi Market and showcase your work to more than 20,000 monthly visitors. Here are all the resources you need to create and promote a plugin or provider and the submission form for listing it on the marketplace.

Join the monthly Community Call

Meet the Strapi team members who worked on the latest feature, share your feedback, ask questions, and learn what’s coming next.
Join us on March 23rd, 10AM CST.

Try Strapi v4.8 out now

To create a new Strapi v4.8 project, simply run the following command:

npx create-strapi-app my-project --quickstart

Follow the Quick Start Guide for detailed step-by-step instructions or have a look at a video instruction.

We would love to hear what you think about the new features! Let us know in this forum thread.

Other updates:

• Strapi Cloud is live

• Audit logs improvements, Data Transfer in Strapi v4.7

• Relations and component reordering, data export & import, audit logs in Strapi v4.6

Building Strapi together

Strapi is an open-source product that grows thanks to community support and contributions.

Here's how you can help us improve the product:

• Contribute to the project on Github

• Share what features you'd love to have in our public roadmap

• Create Strapi plugins and submit them to the Strapi market

• Showcase the projects you built in Strapi Showcase

• Join the Strapi Cloud Beta program

We appreciate each contribution and piece of feedback that you share. Stay tuned for more updates!