Roles
Create and manage roles to organize user permissions within your application.
Overview
Roles provide a way to group permissions and assign them to users. Create app-level roles to control what users can do within your application, separate from site-level roles.
Concepts
Role
A named collection of permissions that can be assigned to users. Roles simplify access management by allowing you to assign permissions once to a role, then assign users to that role.
App Role
A role scoped to a specific application. App roles are used in policy conditions to determine access to app resources.
Site Role
A role scoped to the entire site. Site roles are managed in Site Settings and provide broader permissions.
View Roles
- Navigate to your App in the Dashboard.
- Click Roles in the sidebar.
- View all app roles with:
- Role Name: Display name
- Slug: Unique identifier
- Users: Number of assigned users
Create a Role
- Navigate to Roles in your app.
- Click Create Role.
- Fill in the role details:
- Name: Descriptive role name (e.g., "Editor", "Viewer")
- Slug: URL identifier (auto-generated)
- Description: Purpose of the role
- Click Create.
Use descriptive names that indicate what the role allows users to do. This makes it easier to manage permissions as your app grows.
View Role Details
- Click on a role in the list.
- View the role detail panel:
- Role Information: Name, slug, description
- Assigned Users: Users with this role
- Created/Updated: Timestamps
Assign Users to a Role
- Navigate to Roles in your app.
- Click on the role.
- Click Add User or Assign User.
- Search for and select users.
- Click Assign.
Bulk Assignment
- Select multiple users in the user list.
- Click Assign to Role.
- Select the role.
- Click Assign.
Remove Users from a Role
- Navigate to the role detail view.
- Find the user in the assigned users list.
- Click Remove on the user row.
- Confirm removal.
Edit a Role
- Navigate to Roles in your app.
- Click the Edit icon on the role.
- Update role details.
- Click Save.
Changing a role's slug may affect policy conditions that reference it.
Delete a Role
- Navigate to Roles in your app.
- Click the Delete (trash) icon on the role.
- Confirm deletion.
Deleting a role removes all user assignments. Users will lose permissions associated with this role.
Using Roles in Policies
Reference roles in your policy conditions:
resourcePolicy:
resource: document
version: default
rules:
- actions:
- read
- write
effect: EFFECT_ALLOW
roles:
- editor # Your app role
- actions:
- read
effect: EFFECT_ALLOW
roles:
- viewer # Another app role
Org Chart View
Visualize role hierarchy:
- Navigate to Roles in your app.
- Click Org Chart view.
- See roles and their relationships.
- Expand nodes to see assigned users.
Configuration
Role Fields
| Field | Description | Required |
|---|---|---|
| Name | Display name | Yes |
| Slug | Unique identifier | Auto-generated |
| Description | Purpose of role | No |
Best Practices
- Create specific roles: Better to have many focused roles than few broad ones
- Use clear naming: "document_editor" is clearer than "user_level_2"
- Document role purposes: Use the description field to explain what each role does
- Review regularly: Periodically audit role assignments
- Principle of least privilege: Only grant the permissions users need
Limits
| Resource | Limit |
|---|---|
| Roles per app | 50 |
| Users per role | Unlimited |
| Roles per user | Unlimited |
Need higher limits? Contact support to discuss your requirements.
Troubleshooting
User doesn't have expected access
Problem: A user with a role isn't getting the expected permissions.
Solution:
- Verify the user is actually assigned to the role.
- Check the policy conditions reference the correct role slug.
- Test the policy using the Test tab in the policy editor.
Cannot delete role with users
Problem: Role deletion fails because users are assigned.
Solution:
- Remove all users from the role first.
- Or use force delete if available.
Role slug conflicts
Problem: Cannot create a role because the slug already exists.
Solution:
- Use a different name for the role.
- Or modify the auto-generated slug.
Related
Last Updated: January 2025