Configuration

Configure roles and permissions

Overview

A role represents a logical grouping of permissions, defining access control levels for users within your application. Roles are identified by unique, immutable slugs and are assigned to users through organization memberships, SSO profiles, and directory users.

Permissions grant users privileged access to resources and actions in your application and are referenced in your code by unique, immutable slugs. A permission can be assigned to any number of roles.

Role and permission configuration is relevant for all integrations.

Configure roles

Roles alone can be sufficient when your application only requires very coarse-grained access control. This is suitable if users only need to be separated into broad categories and there is minimal overlap between roles. Simple roles can be easier to manage, but are less flexible for complex access control scenarios.

You can manage roles in the Roles & Permissions section of the WorkOS Dashboard.

Role slugs are immutable and cannot be changed after creation. Environment role slugs are unique within an environment. Organization role slugs are unique within an organization.

Default role

Role configuration occurs at the environment level. Each environment is seeded with a default member role, which is automatically assigned to every organization member. This default role cannot be deleted, but any role can be set as the default.

If you need to set default roles or other role configurations at the organization level, refer to the Organization roles section.

Priority order

Role priority order is used for Identity Provider (IdP) role assignment and determines which role is assigned when a user is a member of multiple groups that contain conflicting role mappings. For example, an employee, Jane, is an Engineering Manager and belongs to the “Engineering”, “Manager”, and “Admin” groups. In that scenario, the role with the highest priority will be assigned.

Delete roles

When roles are deleted, all affected organization memberships, SSO profiles, and directory users are reassigned to the default role. Role deletion happens asynchronously, so there may be a slight delay between deleting a role and updating affected role assignments.

To migrate from one default role to another, set the new default role and delete the old one. All users will then be reassigned to the new default role.

Configure permissions

Permissions allow for more detailed and flexible management of access. They are particularly useful when:

  • You anticipate the need to frequently modify access rights or introduce new roles.
  • There is significant overlap in access rights between different roles, but with some variations.
  • You want to minimize code changes when modifying access rights. By abstracting access control checks to permissions, you can add or modify roles and their access rights without changing the application code.

Create permissions

You can manage permissions in the Roles & Permissions section of the WorkOS Dashboard.

When configuring permissions, we recommend:

  • Define a common naming scheme to use across all permissions for your application. Consider separating the resource and action with a delimiter, such as users:view. The following delimiters are permitted: -.:_*.
  • Keep permission slugs clear and concise. When assigned to roles, these slugs will be included in the session JWT claims carried in session cookies, and cookies are limited to a maximum size of 4KB in many modern web browsers.
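
Both recommendations can be checked before permissions are created. The following is an added example, not WorkOS code: it lints slugs against one possible team scheme (`resource:action`) and estimates how much of the 4KB cookie budget a role's permissions would use. The claim layout, the RS256 signature size, and the reserved overhead are assumptions, and all sample data is constructed.

```python
import base64
import json
import re

COOKIE_LIMIT = 4096      # the 4KB browser cookie limit mentioned above
SIGNATURE_LEN = 342      # assumption: RS256, 2048-bit key (256 bytes as base64url)
RESERVE = 512            # assumption: cookie name, attributes and other overhead
# Assumed team scheme: resource:action, lowercase, "-" or "_" inside a segment.
SCHEME = re.compile(r"[a-z0-9]+(?:[-_][a-z0-9]+)*:[a-z0-9]+(?:[-_][a-z0-9]+)*")


def lint_slugs(slugs):
    """Return slugs that break the naming scheme or repeat an earlier slug."""
    seen, rejected = set(), []
    for slug in slugs:
        if slug in seen or not SCHEME.fullmatch(slug):
            rejected.append(slug)
        seen.add(slug)
    return rejected


def b64url_len(obj):
    """Length of the unpadded base64url encoding of compact JSON."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return len(base64.urlsafe_b64encode(raw).rstrip(b"="))


def estimate_jwt_len(permissions, base_claims):
    """Estimate header.payload.signature length for a compact JWT."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = dict(base_claims, permissions=sorted(set(permissions)))
    return b64url_len(header) + 1 + b64url_len(payload) + 1 + SIGNATURE_LEN


def fits_cookie(permissions, base_claims):
    """True when the estimated token leaves RESERVE bytes free under the limit."""
    return estimate_jwt_len(permissions, base_claims) <= COOKIE_LIMIT - RESERVE


# Constructed sample data, not taken from any real tenant.
BASE_CLAIMS = {"sub": "user_example", "org_id": "org_example", "role": "member"}
CONCISE = [f"{r}:{a}" for r in ("users", "invoices", "reports")
           for a in ("view", "edit", "delete")]
VERBOSE = [f"organization-billing-invoice-line-item-{i}:create-or-update"
           for i in range(80)]

if __name__ == "__main__":
    print("rejected:", lint_slugs(["users:view", "Users:View", "billing.invoices"]))
    for name, perms in (("concise", CONCISE), ("verbose", VERBOSE)):
        print(name, estimate_jwt_len(perms, BASE_CLAIMS), fits_cookie(perms, BASE_CLAIMS))
```

The verbose set passes the naming lint but exceeds the cookie budget, which is why the two checks are kept separate.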

Assign permissions to roles

Permissions can be assigned when creating a new role or when editing an existing role.
