Getting Started with Stytch RBAC

Before getting started with integrating RBAC with Stytch, go to the Stytch Dashboard Roles & Permissions section to enable some custom RBAC settings for your project.

1Create custom resources and actions

Navigate to "Resources" and "Create New Resource", where you will add a resource_id and actions. Resources represent entities within your application that a user might act upon, and Actions for a Resource are the valid operations for that Resource. Together these form a permission that a user would be authorized or not authorized to take.

RBAC Resources in Stytch Dashboard

For example, if your application has documents, you might create a ResourceID of document with create update delete and download as the Actions.

RBAC Resources in Stytch Dashboard

2Assign permissions to roles

After creating your custom Resource, you can navigate to the "Roles" tab. You will see two default Roles:

  • stytch_member: this Role is automatically assigned to all Members, and enables basic permissions that you'd want any Member of your application to have -- such as updating their own name.
  • stytch_admin: this Role is automatically assigned to the creating Member of the Organization but can also be assigned to other Members. By default this Role has permissions for any admin action within the Organization, such as inviting Members or updating Organization settings

You can edit the permissions associated with these Roles, and can also create your own custom Roles.

When you add permissions to a Role, you will select the Resource and then can explicitly assign a subset of permissions to that Role. For example, you might give the stytch_member Role permission to take the create and update Actions on document Resources but not allow download or delete Actions.

RBAC Grant Subset of Permissions

You can also grant the Role the "wildcard" Action, which allows Members with that Role to take any defined Action on the Resource. This is helpful for situations where the Role should always have complete control over the Resource, even as new permissions are added.

RBAC Wildcard Actions Grant

3Implement backend RBAC checks

Even if you are leveraging Stytch's frontend SDKs, it is critical that you add server-side authentication and authorization checks before honoring requests from your client.

Read the backend integration quickstart to learn how to properly authorize requests on your backend.

4Add frontend RBAC handling

If you are using Stytch's frontend SDKs, follow the headless frontend integration quickstart to leverage Stytch's RBAC product client-side.