# RBAC overview

> Control access to resources using role-based permissions.

Role-Based Access Control (RBAC) lets you define fine-grained permissions for members based on their roles. An RBAC policy is composed of roles, resources, and actions, defining who can do what within your application.

## Using RBAC

<Steps>
  <Step title="Get your RBAC policy">
    Fetch your current RBAC policy using the [Get Policy](/api-reference/b2b/api/rbac/get-policy) endpoint:

    ```bash theme={null}
    curl --request GET \
      --url https://test.stytch.com/v1/b2b/rbac/policy \
      --user 'PROJECT_ID:SECRET'
    ```

    **Response:**

    ```json theme={null}
    {
      "status_code": 200,
      "policy": {
        "roles": [
          {
            "role_id": "stytch_admin",
            "description": "Full access to all organization resources",
            "permissions": [
              {
                "resource_id": "documents",
                "actions": ["read", "write", "delete"]
              }
            ]
          }
        ],
        "resources": [
          {
            "resource_id": "documents",
            "description": "Organization documents",
            "actions": ["read", "write", "delete"]
          }
        ]
      }
    }
    ```

    See [Create RBAC Policy](/multi-tenant-auth/enterprise-ready/rbac/create-rbac-policy) to set up your policy in the Dashboard.
  </Step>

  <Step title="Assign roles to members">
    Assign roles when creating or updating members:

    ```bash theme={null}
    curl --request PUT \
      --url https://test.stytch.com/v1/b2b/organizations/organization-test-.../members/member-test-... \
      --header 'Content-Type: application/json' \
      --user 'PROJECT_ID:SECRET' \
      --data '{
        "roles": ["stytch_admin", "editor"]
      }'
    ```

    Members can have multiple roles, and their permissions are the union of all role permissions.
  </Step>

  <Step title="Check permissions">
    Enforce permissions by passing the member's session token to API endpoints:

    ```bash theme={null}
    curl --request DELETE \
      --url https://test.stytch.com/v1/b2b/organizations/organization-test-.../members/member-test-... \
      --header 'X-Stytch-Member-Session: <session_token>' \
      --user 'PROJECT_ID:SECRET'
    ```

    Stytch automatically verifies the member has the required permissions before processing the request. If unauthorized, the request returns a `403` error.

    For custom resources, use [Authenticate Session](/api-reference/b2b/api/sessions/authenticate-session) with the `authorization_check` parameter:

    ```bash theme={null}
    curl --request POST \
      --url https://test.stytch.com/v1/b2b/sessions/authenticate \
      --header 'Content-Type: application/json' \
      --user 'PROJECT_ID:SECRET' \
      --data '{
        "session_token": "<session_token>",
        "authorization_check": {
          "organization_id": "organization-test-...",
          "resource_id": "documents",
          "action": "write"
        }
      }'
    ```
  </Step>
</Steps>

## RBAC policy structure

An RBAC policy consists of three components:

* **Roles** - Named collections of permissions (e.g., `admin`, `editor`, `viewer`)
* **Resources** - Objects members can access (e.g., `documents`, `settings`, `reports`). Stytch provides [default resources](/multi-tenant-auth/enterprise-ready/rbac/create-rbac-policy#default-roles-and-resources) like `stytch.organization` and `stytch.member`.
* **Actions** - Operations members can perform on resources (e.g., `read`, `write`, `delete`)
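The policy shape above and the union rule from the "Assign roles to members" step, as an added Python example that is not Stytch's own code: it indexes a policy in the shape the Get Policy endpoint returns, rejects grants on undeclared resources or actions, merges a member's roles into the union of their permissions, and answers an `authorization_check` with default deny. The `editor` role and its grants are an assumption; the page only shows `stytch_admin`.

```python
import json

# Constructed sample in the shape of the "policy" object returned by Get Policy.
# The "editor" role is an assumption added here; the page only shows "stytch_admin".
POLICY_JSON = """{
  "roles": [
    {"role_id": "stytch_admin", "description": "Full access to all organization resources",
     "permissions": [{"resource_id": "documents", "actions": ["read", "write", "delete"]}]},
    {"role_id": "editor", "description": "Can read and edit documents",
     "permissions": [{"resource_id": "documents", "actions": ["read", "write"]}]}
  ],
  "resources": [
    {"resource_id": "documents", "description": "Organization documents",
     "actions": ["read", "write", "delete"]}
  ]
}"""

def build_permission_index(policy):
    """Return {role_id: {resource_id: set(actions)}}, rejecting any grant that
    names a resource or action the policy's "resources" list never declares."""
    declared = {r["resource_id"]: set(r["actions"]) for r in policy["resources"]}
    index = {}
    for role in policy["roles"]:
        grants = index.setdefault(role["role_id"], {})
        for perm in role["permissions"]:
            rid = perm["resource_id"]
            if rid not in declared:
                raise ValueError(f"role {role['role_id']!r} grants undeclared resource {rid!r}")
            unknown = set(perm["actions"]) - declared[rid]
            if unknown:
                raise ValueError(f"role {role['role_id']!r} grants undeclared actions {sorted(unknown)}")
            grants.setdefault(rid, set()).update(perm["actions"])
    return index

def effective_permissions(index, member_roles):
    """Union of permissions across all of a member's roles. A role_id absent from
    the policy contributes nothing, so an unknown role fails closed."""
    merged = {}
    for role_id in member_roles:
        for rid, actions in index.get(role_id, {}).items():
            merged.setdefault(rid, set()).update(actions)
    return merged

def is_authorized(index, member_roles, resource_id, action):
    """Default-deny evaluation of an authorization_check {resource_id, action}."""
    return action in effective_permissions(index, member_roles).get(resource_id, set())

POLICY_INDEX = build_permission_index(json.loads(POLICY_JSON))
```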

## Learn more

<CardGroup cols={2}>
  <Card title="Create RBAC policy" icon="shield" href="/multi-tenant-auth/enterprise-ready/rbac/create-rbac-policy">
    Set up roles and permissions in the Dashboard
  </Card>

  <Card title="Default roles and resources" icon="list" href="/multi-tenant-auth/enterprise-ready/rbac/create-rbac-policy#default-roles-and-resources">
    View Stytch's built-in RBAC configuration
  </Card>

  <Card title="Enforcing permissions" icon="lock" href="/multi-tenant-auth/enterprise-ready/rbac/enforcing-permissions">
    Backend and frontend authorization checks
  </Card>

  <Card title="Role object" icon="braces" href="/api-reference/b2b/api/rbac/role-object">
    Role object reference
  </Card>
</CardGroup>
