Role assignment

Stytch's RBAC framework uses Role assignment to delegate access controls. Rather than granting permissions one by one, Members are assigned Roles that grant them sets of permissions.

Stytch's RBAC model supports two different programmatic mechanisms for Role assignment.

1. Explicit assignment
2. Implicit assignment

Explicit assignment

Explicit role assignment is when you directly assign (or revoke) a Role to a specific Member object with an API call. Once assigned, the Member has that Role unconditionally until it is explicitly revoked. Explicit assignment is a singular operation between a specific Role and an individual Member.

The following API endpoints support explicit Role assignment.

• Create Member
• Update Member
• Send email invite
• Password Migrate

Alternatively, you can also explicitly assign or remove Roles in the Dashboard.

Implicit assignment

Stytch also supports the implicit assignment of Roles. Members can automatically be designated Roles by meeting certain criteria or possessing certain attributes. For example, your Organization's settings can be configured so that all Members with a stytch.com email domain are assigned the Role of developer upon account creation.

Implicit assignment can be thought of as a mechanism to define rules for automatically assigning Roles to multiple Members.

Stytch offers three ways to implement implicit role assignment:

1. By email domain: everyone with the stytch.com email domain gets the “developer” Role.
2. By SSO Connection: everyone who authenticates via a specific SSO Connection gets the “employee” Role.
3. By SSO Connection IdP Group: everyone who authenticates via a specific SSO Connection and is a part of the “engineering” IdP group gets the “developer” Role.

Take a look at this example of how implicitly assigning roles by email domain would be codified in the Organization object.

{
    "organization_id": "my-org-id-123",
    "email_allowed_domains": ["stytch.com", "stytch.io", "customer.com"],
    "rbac_email_implicit_role_assignments": [
        {"domain": "stytch.com", "role_id": "contributor"},
        {"domain": "customer.com", "role_id": "reader"},
    ]
}

In effect, the "reader" Role would automatically be assigned to all Members with a customer.com email, and the "contributor" Role to those with a stytch.com email. Roles are assigned without performing direct operations on any of the affected Member objects.

Implicit role assignments are only valid so long as the granting condition is still true. This verification happens on every authentication call to Stytch.

Consider this scenario. A Member was granted the “admin” Role via their IdP group membership. But the next time they authenticate, they discover that their IdP group membership has been revoked. The Member would lose the "admin" role.

The following API endpoints will support implicit Role assignment:

• Create Organization
• Update Organization
• Update SAML Connection
• Create Organization via Discovery

Explicit role assignments are not impacted by implicit role assignments.

Search for Members by Role

Whether assigned implicitly or explicitly, all Roles will be stored on the Member object's roles field for you to review. Stytch also enables you to conveniently search for Members by Role with the Search Members endpoint.

What's next

Learn about authorization checks and how permissions are enforced with Stytch API calls.

Contact us for more details on our upcoming RBAC release.