- Community EditionThe leading Open-Source Headless CMS
- Enterprise EditionA self-hosted and Enterprise-ready Edition
- MarketplaceA Marketplace of plugins to add features or integrations.
- RoadmapA fully managed platform for your Strapi apps
- DevelopersIntegrate Strapi with your favorite tools
- Content ManagersManage Content Autonomously
- Business teamsUnlock the benefit of structured content
- EcommerceLevel up your eCommerce experiences
- Corporate SiteManage your brand narrative
- Mobile applicationsOne CMS, any devices
- User storiesDiscover who use Strapi
- Strapi Community StarsMeet the Strapi experts and top contributors
- Write for the CommunityGet paid to share your technical expertise
- Strapi Community DiscordConnect with fellow community members
- EventsUpcoming and On-demand Events
- Meetup ProgramStrapi user groups to learn, share and collaborate
- StrapiConfLearn more about our annual user conference
- ForumDiscuss, ask questions and find answers
- BlogLatest Strapi news & updates
- TutorialsA collection of Strapi tutorials
- ShowcaseGet inspiration from Strapi references
Looking for our logo ?
- 4 minutes read
Reasons and Best Practices to Create Custom Roles
Strapi introduced the Role-Based Access Control feature, and with any Enterprise Edition plan, you can create unlimited custom roles. In this article, you will learn what custom roles are and what are the best practices for creating them.
- Share on facebook
- Share on linkedin
- Share on twitter
- Share by email
Get Started
Simply copy and paste the following command line in your terminal to create your first Strapi project.
npx create-strapi-app my-project
Smooth publishing with different roles and permissions. The Role-Based Access Control (RBAC) feature is designed to help maximize operational efficiency, reduce dev team support work, safeguard against unauthorized access or configuration modifications, and make it easier to meet publication deadlines. The practice of assigning each user the precise amount of privileges to perform their jobs and nothing more is one of the most fundamental security principles and allows contributions from external users.
So what is new for Role Based Access Control in Strapi Enterprise Edition?
Strapi EE RBAC introduces the possibility to create an unlimited number of custom roles, regardless of your plan. Companies can add a new role, edit, or delete an existing role for a series of specific actions (Create, Read, Update, Delete, Publish) for any operations (locales, plugins, etc) and down to the field level.
Custom Roles
Each organization has different requirements and operational processes. Oftentimes, the predefined 3 default build-in roles won’t be specific enough. They either grant too few or too many privileges that each user needs to undertake. To resolve this problem, Strapi Enterprise Edition allows you to create custom roles that give exactly the precise privileges based on your users’ responsibilities at a more fine-grained level.
How does RBAC work?
A role is a collection of permissions and operation actions that you can apply to users. Using roles makes it easier to add, remove, and adjust permissions rather than assigning permissions to users or user groups. As your user base increases in scale and complexity, roles become particularly useful.
Predefined Default Roles
Strapi Enterprise Edition supports the same predefined roles available in the Community Edition: SuperAdmin, Editor, and Author. They are the most commonly used roles in most organizations. The permissions of these roles have been predefined and can be directly assigned to individual users or user groups.
SuperAdmin roles will have all the privileges and permissions for the entire system. Editor roles will have the Create, Read, Update, Delete, and Publish privileges. Author roles will have the same privileges, but only on their own content.
Best Practices for creating custom roles
One of the main goals of RBAC is to only grant contributors the access they need to do their missions and prevent them from having irrelevant access. A well-designed RBAC system also simplifies and streamlines the administration of access.
The best practice to implement custom roles is to start by considering the roles for each contributor in the publishing process in your agency, company, or your client’s company. This way, you will mimic your organizational structure inside your Strapi Admin panel. You can then consolidate or break out roles as needed based on how people in different job functions are meant to use Strapi.
Enforce the lowest level of permissions first
The role that will be defined should be strictly based on each contributor’s responsibilities. Reduce risk, both from malicious intent and user errors by following the principle of least privilege i.e setting up roles for the lowest level of permissions first.
Overlapping roles
The Strapi RBAC is designed to be additive: if users have several role assignments, users’ permissions will be the union of the defined privileges. The practice can facilitate management and the update of roles. Overlapping roles should be considered only if the user is assigned to have several levels of permissions in the publishing process.
Grouping users into roles
One of the benefits of the RBAC is to reduce administrative work. If you have many users in your organization, make sure that users can be grouped into specific roles with the same permissions to maximize efficiency.
Add CRUD permissions for each field in your workflow
The advanced RBAC included in Strapi Enterprise Edition allows the admin to set different permissions for each field in any content type for any Create, Read, Update or Delete operation. It is recommended to add the permission status in your workflow to define the permissions during the content type creation process.
RBAC Use cases
This feature will be very helpful if you need to build a Strapi application to manage a network of franchises, a partner portal, or any distributed network and global communities composed of several subgroups or entities.
You can even go one step further by defining your own conditions of permissions and conditions handler for any users. For example, you can define a condition allowing access only to “invoices” where the amount is lower than $10K.
This level of granularity and flexibility is what makes Strapi RBAC system stand out from the competition.
RBAC and SSO
Large companies often require these privileges to be managed from Single Sign-On (SSO) or Active directory that controls authorization to all accounts and applications from a single service. At the moment, the Strapi Enterprise plans offer an SSO authentication feature for the Strapi admin panel, which lets employees 3rd party authentication providers and protocols such as Active Directory, Okta, Auth0, Keycloak, OAuth, etc, to log in to the Strapi admin panel.
Learn more about Strapi Enterprise Editions
- Request a free 14 day trial
- Contact Sales
- Find a Strapi Partner
Pierre created Strapi with Aurélien and Jim back in 2015. He's a strong believer in open-source, remote and people-first organizations. You can also find him regularly windsurfing or mountain-biking!
Join our Newsletter
Get all the latest Strapi updates, news and events.