When a Member is assigned a role, they are granted permission to perform actions on the resources that the role allows. Roles are additive, so Members are granted the cumulative permissions of all roles they are assigned. Roles can be assigned to Members either explicitly by direct assignment or implicitly by matching attributes or conditions.

Explicit assignment

Explicit role assignment is when you directly assign a role to (or revoke from) a specific Member. Once assigned, the Member has that Role unconditionally until it is explicitly revoked. You can assign roles when making calls to the following API endpoints: or manually in the Stytch Dashboard.

Implicit assignment

Implicit role assignment is when a Member is automatically assigned a Role by meeting certain criteria or possessing certain attributes, designated by their . For example, an Organization can be configured so that all Members with a stytch.com email domain are assigned the Role of developer upon account creation. Implicit assignment can be thought of as a mechanism to define rules for automatically assigning Roles to Members. Stytch offers three ways to assign roles implicitly:
  • By email domain: everyone with the @example.com email domain gets the developer Role.
  • By SSO Connection: everyone who authenticates via a specific SSO Connection gets the employee Role.
  • By SSO Connection IdP Group: everyone who authenticates via a specific SSO Connection and is a part of the engineering IdP group gets the developer Role.
Stytch currently only supports SSO connection implicit role assignments for SAML connections, not OIDC connections. Please contact us if you would like to use this functionality for OIDC connections.
Implicit role assignments will be revoked when the condition for the assignment is no longer met. In the example above, if the Member’s email domain is changed to @not-example.com, they will no longer be assigned the developer Role.
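The following is an added example, not Stytch's code or API: a local model of how explicit and implicit assignments combine into a Member's effective roles, recording the source of each role so an audit can show why a Member holds it. The rule field names, the connection ID saml-conn-1, and the admin role are constructed assumptions, as is the exact, case-insensitive domain comparison, which keeps lookalike domains from matching.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample rules; field names and IDs are assumptions for this example.
EMAIL_RULES = [{"domain": "example.com", "role_id": "developer"}]
CONNECTION_RULES = [{"connection_id": "saml-conn-1", "role_id": "employee"}]
GROUP_RULES = [{"connection_id": "saml-conn-1", "group": "engineering",
                "role_id": "developer"}]

@dataclass
class Member:
    email: str
    explicit_roles: set = field(default_factory=set)
    sso_connection_id: Optional[str] = None  # SAML connection used to log in
    idp_groups: frozenset = frozenset()      # groups asserted by the IdP

def email_domain(email: str) -> str:
    """Domain is everything after the last '@', compared case-insensitively."""
    return email.rsplit("@", 1)[-1].strip().lower()

def effective_roles(member: Member) -> dict:
    """Return {role_id: {sources}}; roles are additive across all sources."""
    roles: dict = {}
    def grant(role_id, source):
        roles.setdefault(role_id, set()).add(source)

    for role_id in member.explicit_roles:
        grant(role_id, "explicit")            # held until explicitly revoked
    domain = email_domain(member.email)
    for rule in EMAIL_RULES:
        if domain == rule["domain"].lower():  # exact match, never a suffix match
            grant(rule["role_id"], "email_domain")
    for rule in CONNECTION_RULES:
        if member.sso_connection_id == rule["connection_id"]:
            grant(rule["role_id"], "sso_connection")
    for rule in GROUP_RULES:
        if (member.sso_connection_id == rule["connection_id"]
                and rule["group"] in member.idp_groups):
            grant(rule["role_id"], "sso_idp_group")
    return roles

if __name__ == "__main__":
    m = Member("dev@example.com", explicit_roles={"admin"})
    print(effective_roles(m))   # explicit admin plus implicit developer
    m.email = "dev@not-example.com"
    print(effective_roles(m))   # implicit developer is gone, admin remains
```

Because implicit roles are recomputed from the Member's current attributes rather than stored, a changed email domain drops the implicit role immediately while explicit roles stay in place.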

Email domain role assignments

Create and update email domain implicit role assignment rules using the rbac_email_implicit_role_assignments argument when making calls to the following API endpoints: or manually in the Stytch Dashboard.

SSO Connection role assignments

Read on to learn more about managing SSO Connection implicit role assignments with SAML:

Learn more about SAML role assignments