Strapi introduced the Role-Based Access Control feature, and with any Enterprise Edition plan, you can create unlimited custom roles. In this article, you will learn what custom roles are and what are the best practices for creating them.
Simply copy and paste the following command line in your terminal to create your first Strapi project.
npx create-strapi-app my-project
Smooth publishing with different roles and permissions. The Role-Based Access Control (RBAC) feature is designed to help maximize operational efficiency, reduce dev team support work, safeguard against unauthorized access or configuration modifications, and make it easier to meet publication deadlines. The practice of assigning each user the precise amount of privileges to perform their jobs and nothing more is one of the most fundamental security principles and allows contributions from external users.
Strapi EE RBAC introduces the possibility to create an unlimited number of custom roles, regardless of your plan. Companies can add a new role, edit, or delete an existing role for a series of specific actions (Create, Read, Update, Delete, Publish) for any operations (locales, plugins, etc) and down to the field level.
Each organization has different requirements and operational processes. Oftentimes, the predefined 3 default build-in roles won’t be specific enough. They either grant too few or too many privileges that each user needs to undertake. To resolve this problem, Strapi Enterprise Edition allows you to create custom roles that give exactly the precise privileges based on your users’ responsibilities at a more fine-grained level.
A role is a collection of permissions and operation actions that you can apply to users. Using roles makes it easier to add, remove, and adjust permissions rather than assigning permissions to users or user groups. As your user base increases in scale and complexity, roles become particularly useful.
Predefined Default Roles
Strapi Enterprise Edition supports the same predefined roles available in the Community Edition: SuperAdmin, Editor, and Author. They are the most commonly used roles in most organizations. The permissions of these roles have been predefined and can be directly assigned to individual users or user groups.
SuperAdmin roles will have all the privileges and permissions for the entire system. Editor roles will have the Create, Read, Update, Delete, and Publish privileges. Author roles will have the same privileges, but only on their own content.
One of the main goals of RBAC is to only grant contributors the access they need to do their missions and prevent them from having irrelevant access. A well-designed RBAC system also simplifies and streamlines the administration of access.
The best practice to implement custom roles is to start by considering the roles for each contributor in the publishing process in your agency, company, or your client’s company. This way, you will mimic your organizational structure inside your Strapi Admin panel. You can then consolidate or break out roles as needed based on how people in different job functions are meant to use Strapi.
The role that will be defined should be strictly based on each contributor’s responsibilities. Reduce risk, both from malicious intent and user errors by following the principle of least privilege i.e setting up roles for the lowest level of permissions first.
The Strapi RBAC is designed to be additive: if users have several role assignments, users’ permissions will be the union of the defined privileges. The practice can facilitate management and the update of roles. Overlapping roles should be considered only if the user is assigned to have several levels of permissions in the publishing process.
One of the benefits of the RBAC is to reduce administrative work. If you have many users in your organization, make sure that users can be grouped into specific roles with the same permissions to maximize efficiency.
The advanced RBAC included in Strapi Enterprise Edition allows the admin to set different permissions for each field in any content type for any Create, Read, Update or Delete operation. It is recommended to add the permission status in your workflow to define the permissions during the content type creation process.
This feature will be very helpful if you need to build a Strapi application to manage a network of franchises, a partner portal, or any distributed network and global communities composed of several subgroups or entities.
You can even go one step further by defining your own conditions of permissions and conditions handler for any users. For example, you can define a condition allowing access only to “invoices” where the amount is lower than $10K.
This level of granularity and flexibility is what makes Strapi RBAC system stand out from the competition.
Large companies often require these privileges to be managed from Single Sign-On (SSO) or Active directory that controls authorization to all accounts and applications from a single service. At the moment, the Strapi Enterprise plans offer an SSO authentication feature for the Strapi admin panel, which lets employees 3rd party authentication providers and protocols such as Active Directory, Okta, Auth0, Keycloak, OAuth, etc, to log in to the Strapi admin panel.
Learn more about Strapi Enterprise Editions
Pierre created Strapi with Aurélien and Jim back in 2015. He's a strong believer in open-source, remote and people-first organizations. You can also find him regularly windsurfing or mountain-biking!
Get all the latest Strapi updates, news and events.