Manage and assign roles to users.
A role represents a logical grouping of permissions, defining access control levels for users within your application. Roles are identified by a unique, immutable slug and are assigned to users through organization memberships.
Role configuration occurs at the environment level. Each environment is seeded with a default member role, which is automatically assigned to every organization member. This default role cannot be deleted, but any role can be set as the default.
If you need to set default roles or other role configurations at the organization level, please contact us.
Organization memberships require a role. Every user with an organization membership is automatically assigned the default role when added to an organization. This role can be edited.
You can retrieve the role slug from the user's organization membership object to determine their access level and capabilities within your application.
When roles are deleted, all organization memberships are reassigned to the default role. Role deletion happens asynchronously, so there may be a slight delay between deleting a role and updating all organization memberships.
To migrate from one default role to another, set the new default role and delete the old one. All users will then be reassigned to the new default role.
When a user signs into your app, a user session is initiated. The authentication response includes an access token, which is a JSON Web Token (JWT) whose "role" claim indicates the organization membership's role for that session.
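One way an application can act on the "role" claim described above, as an added example that is not part of the original documentation: it verifies the token before trusting the claim and grants nothing to a role slug it does not recognize, for example a slug that has since been deleted. The HS256 signing key, the "admin" slug and the permission names are constructed assumptions so the example runs offline; use the algorithm and keys your token issuer actually publishes.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # constructed for this example only
# Hypothetical permissions per role slug; "member" is the seeded default role.
ROLE_PERMISSIONS = {
    "member": {"posts:read"},
    "admin": {"posts:read", "posts:write", "users:manage"},
}

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, key=KEY):
    """Build a constructed HS256 token so the example runs offline."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verified_claims(token, key=KEY, now=None):
    """Return claims only if algorithm, signature and expiry all check out."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":  # pin the algorithm
            return None
        want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token: fail closed
    now = time.time() if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims

def is_allowed(token, permission, now=None):
    """Authorize from the "role" claim; unknown slugs get no permissions."""
    claims = verified_claims(token, now=now)
    role = claims.get("role") if claims else None
    if not isinstance(role, str):
        return False
    return permission in ROLE_PERMISSIONS.get(role, set())
```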