WorkOS Docs Homepage
RBAC
API referenceDashboardSign In
OverviewOverviewConfigurationConfigurationIntegrationIntegrationOrganization RolesOrganization RolesIdP Role AssignmentIdP Role Assignment
API Reference
API Reference
Events
Events
Integrations
Integrations
Migrate to WorkOS
Migrate to WorkOS
SDKs
SDKs

Organization Roles

Create and manage custom organization-scoped roles

On this page

  • Overview
    • Creating organization roles
    • Organization role configuration
    • Using organization roles
    • Deleting an environment role

Overview

Organization roles are custom roles scoped to a particular organization. They are managed via the Roles tab under an organization in the WorkOS Dashboard. You can utilize organization roles regardless of whether you’re integrating with AuthKit, SSO, or Directory Sync.

Roles tab for organization

Why might I use organization roles?

In some cases, an application’s fixed set of roles may not meet the needs of certain organizations. For example, an organization may require a lesser privileged set of permissions for their members. Organization roles allow you to create custom roles, with the organization’s desired set of permissions, without affecting access control for other organizations.

Creating organization roles

By default, organizations have no custom organization roles and simply inherit the environment-level roles. You can create an organization role by clicking the “Create role” button on the organization’s Roles tab. All organization role slugs are automatically prefixed with org.

Create an organization role

Organization role configuration

Once you create the first role for an organization, that organization will have its own default role and priority order, independent from the environment.

New roles added to the environment will be available to the organization and placed at the bottom of the organization’s role priority order.

Using organization roles

Like environment-level roles, organization roles can be used in role assignment, sessions, and the organization membership API. No additional action is required to enable this behavior after creating organization roles.

Deleting an environment role

When attempting to delete an environment role that’s the default role for one or more organizations, you’ll be prompted to select a new default role for all affected organizations. Organization members previously assigned the deleted role will be assigned the new organization default role.

Select a replacement role
IdP Role AssignmentMap identity provider groups to roles to automatically assign roles to users
Up next
© WorkOS, Inc.
FeaturesAuthKitSingle Sign-OnDirectory SyncAdmin PortalFine-Grained Authorization
DevelopersDocumentationChangelogAPI Status
ResourcesBlogPodcastPricingSecuritySupport
CompanyAboutCustomersCareersLegalPrivacy
© WorkOS, Inc.