# Assigning Roles to Members

> Assign roles to your Members to grant them access to resources in your application

export const organization = "Represents an instance or tenant in your application, typically mapping to each of your top-level customers.";

export const member = "Represents an individual end user's account within a given Organization, uniquely identified within that Organization by their email address.";

When a <Tooltip tip={member}>Member</Tooltip> is assigned a role, they are granted permission to perform actions on the resources that the role allows. Roles are additive, so Members are granted the cumulative permissions of all roles they are assigned.

Roles can be assigned to Members either **explicitly** by direct assignment or **implicitly** by matching attributes or conditions.

## Explicit assignment

**Explicit role assignment** is when you directly assign a role to (or revoke from) a specific Member. Once assigned, the Member has that Role unconditionally until it is explicitly revoked.

You can assign roles when making calls to the following API endpoints:

* [Create Member](/api-reference/b2b/api/members/create-member)
* [Update Member](/api-reference/b2b/api/members/update-member)
* [Send Email Invite](/api-reference/b2b/api/email-magic-links/organization/send-invite-email)
* [Password Migrate](/api-reference/b2b/api/passwords/migrate)

or manually in the [Stytch Dashboard](https://stytch.com/dashboard/members).

## Implicit assignment

**Implicit role assignment** is when a Member is automatically assigned a Role by meeting certain criteria or possessing certain attributes, designated by their <Tooltip tip={organization}>Organization</Tooltip>. For example, an Organization can be configured so that all Members with a `stytch.com` email domain are assigned the Role of `developer` upon account creation.

Implicit assignment can be thought of as a mechanism to define rules for automatically assigning Roles to Members.

Stytch offers three ways to assign roles implicitly:

* By email domain: everyone with the `@example.com` email domain gets the `developer` Role.
* By SSO Connection: everyone who authenticates via a specific SSO Connection gets the `employee` Role.
* By SSO Connection IdP Group: everyone who authenticates via a specific SSO Connection *and* is a part of the `engineering` IdP group gets the `developer` Role.

<Note>
  Stytch currently only supports SSO connection implicit role assignments for SAML connections, not OIDC connections. Please [contact us](https://stytch.com/contact) if you would like to use this functionality for OIDC connections.
</Note>

Implicit role assignments will be revoked when the condition for the assignment is no longer met. In the example above, if the Member's email domain is changed to `@not-example.com`, they will no longer be assigned the `developer` Role.
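The following added example (not Stytch SDK code or part of the original documentation) models these semantics locally so you can audit why a Member holds each Role: explicit and implicit grants are unioned, and implicit grants disappear once their condition stops matching. The rule and Member dictionary shapes, the `billing_admin` Role, and the `saml-conn-placeholder` connection name are constructed for illustration, and the case-insensitive exact domain comparison is an assumption of this sketch.

```python
# Local model of the role semantics described above; not Stytch SDK code.
# The rule and member dictionaries are constructed shapes for this example.

def email_domain(email):
    """Return the lowercased domain after the last '@'."""
    return email.rsplit("@", 1)[-1].lower()

def effective_roles(member, org_rules):
    """Map each role the member holds to the list of reasons it is held."""
    sources = {}
    def grant(role, reason):
        sources.setdefault(role, []).append(reason)

    for role in member.get("explicit_roles", []):
        grant(role, "explicit")
    domain = email_domain(member["email"])
    for rule in org_rules.get("email_domain", []):
        if rule["domain"].lower() == domain:  # exact match, not suffix match
            grant(rule["role"], "email_domain:" + domain)
    conn = member.get("sso_connection")
    for rule in org_rules.get("sso_connection", []):
        if conn is not None and rule["connection"] == conn:
            grant(rule["role"], "sso_connection:" + conn)
    groups = set(member.get("idp_groups", []))
    for rule in org_rules.get("sso_group", []):
        if conn is not None and rule["connection"] == conn and rule["group"] in groups:
            grant(rule["role"], "sso_group:" + rule["group"])
    return sources

# Constructed sample data mirroring the three rule types listed above.
ORG_RULES = {
    "email_domain": [{"domain": "example.com", "role": "developer"}],
    "sso_connection": [{"connection": "saml-conn-placeholder", "role": "employee"}],
    "sso_group": [{"connection": "saml-conn-placeholder", "group": "engineering", "role": "developer"}],
}
ALICE = {
    "email": "alice@example.com",
    "explicit_roles": ["billing_admin"],  # hypothetical explicitly assigned Role
    "sso_connection": "saml-conn-placeholder",
    "idp_groups": ["engineering"],
}

if __name__ == "__main__":
    for role, why in sorted(effective_roles(ALICE, ORG_RULES).items()):
        print(role, why)
    moved = dict(ALICE, email="alice@not-example.com", sso_connection=None, idp_groups=[])
    print(sorted(effective_roles(moved, ORG_RULES)))  # only the explicit role remains
```

Recording the reason for each grant makes it visible when a Role is held through more than one path, which matters when reviewing whether revoking a single rule actually removes access.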

### Email domain role assignments

Create and update email domain implicit role assignment rules using the `rbac_email_implicit_role_assignments` argument when making calls to the following API endpoints:

* [Create Organization](/api-reference/b2b/api/organizations/create-organization)
* [Update Organization](/api-reference/b2b/api/organizations/update-organization)
* [Create Organization via Discovery](/api-reference/b2b/api/discovery/create-organization-via-discovery)

or manually in the [Stytch Dashboard](https://stytch.com/dashboard/members).

### SSO Connection role assignments

Read on to learn more about managing SSO Connection implicit role assignments with SAML:

<Card href="/multi-tenant-auth/enterprise-ready/rbac/saml" title="Learn more about SAML role assignments" icon="user-lock" arrow={true} horizontal />
