API Reference
Use the RBAC API to check permissions on your backend.
Frontend SDKs
Use the RBAC SDKs to gate UI based on permissions.
RBAC Dashboard
Manage your RBAC policy in the Stytch Dashboard.
The RBAC Policy
An RBAC policy is a governing document that stores all access controls. It is the canonical source for all RBAC authorizations within a Stytch Project, made up of three core concepts:- Resources: an abstract entity that your application interacts with
- Examples:
documents,images,users
- Examples:
- Actions: the specific operations that can be performed on a resource
- Examples:
create,read,update,delete
- Examples:
- Roles: a named collection of permissions that can be assigned to a member
- Examples:
admin,editor,viewer
- Examples:
Resources
A Resource represents an entity that your application interacts with. It is identified byresource_id, a unique, user-inputted string that allows you to freely name a Resource after almost anything.
Typically, Resources are modeled after data objects your users of your application create or manage. Such as documents, images, invoices, products, employees, or credit-cards.
Actions
Resources are associated with a specific list of Actions that can be performed on them. Typically, these actions are standard CRUD operations likecreate, read, update, and delete. However, you can also define more application-specific actions like share, invite, block, and export.
Permissions
A permission is a combination of a Resource and an Action. For example, the permission toread a document or to create an employee.
Roles
A Role is a named collection of permissions. It is identified byrole_id, a unique, user-inputted string that allows you to name a Role after the persona it represents.
For example, you might create an admin role with the following permissions:
read: employeescreate: employeesupdate: employeesdelete: employees
* wildcard to grant a Role permission to use all possible actions related to a Resource.)
And a viewer role with the following permissions:
create: employeesread: employees
Putting it all together
Create as many Resources, Actions, and Roles as your application needs. The more granular you can make your permissions, the more control you have over who can do what in your application. To get started:- Configure your RBAC policy in the Stytch Dashboard or using the Programmatic Workspace Actions API.
- Grant permissions by assigning Roles to Members
- Use your RBAC policy to gate access in your application.
Default Roles and Resources
Default Resources
Within your RBAC Policies, you’ll find the following five default Resources, prefixed withstytch., that represent core entities in a Stytch Project:
stytch.self: access controls for the logged-in user’s Member.stytch.organization: access controls for the Organization.stytch.member: access controls for all Members in the Organization.stytch.sso: access controls for SSO Connections.stytch.scim: access controls for SCIM Connections.
Default Roles
To manage the default Resources, Stytch provides two default Roles for your convenience:stytch_member: the base Role that’s automatically assigned to all Members. By default, it contains allstytch.selfpermissions, enabling permissions like updating your own name. It is automatically assigned to all Members, and cannot be removed.stytch_admin: a Role that’s automatically assigned to the Member that creates a new Organization. By default, it includes all permissions for thestytch.organization,stytch.member, andstytch.ssoresources.
enterprise_admin role as the only role that can manage SSO connections, you could remove the stytch.sso permissions from the stytch_admin Role.