✨ Strapi MCP is now Generally Available - let your agents manage your Strapi content ✨

Reasons and Best Practices to Create Custom Roles

November 2, 2020Updated on May 22, 2026

Smooth publishing with different roles and permissions. The Role-Based Access Control (RBAC) feature is designed to help maximize operational efficiency, reduce dev team support work, safeguard against unauthorized access or configuration modifications, and make it easier to meet publication deadlines. The practice of assigning each user the precise amount of privileges to perform their jobs and nothing more is one of the most fundamental security principles and allows contributions from external users.

So what is new for Role Based Access Control in Strapi Enterprise Edition?

Strapi EE RBAC introduces the possibility to create an unlimited number of custom roles, regardless of your plan. Companies can add a new role, edit, or delete an existing role for a series of specific actions (Create, Read, Update, Delete, Publish) for any operations (locales, plugins, etc) and down to the field level.

Custom Roles

Screenshot 2022-10-24 at 9.55.21 PM.png

Each organization has different requirements and operational processes. Oftentimes, the predefined 3 default build-in roles won’t be specific enough. They either grant too few or too many privileges that each user needs to undertake. To resolve this problem, Strapi Enterprise Edition allows you to create custom roles that give exactly the precise privileges based on your users’ responsibilities at a more fine-grained level.

How does RBAC work?

A role is a collection of permissions and operation actions that you can apply to users. Using roles makes it easier to add, remove, and adjust permissions rather than assigning permissions to users or user groups. As your user base increases in scale and complexity, roles become particularly useful.

Screenshot 2022-10-24 at 9.55.21 PM.png

Predefined Default Roles

Strapi Enterprise Edition supports the same predefined roles available in the Community Edition: SuperAdmin, Editor, and Author. They are the most commonly used roles in most organizations. The permissions of these roles have been predefined and can be directly assigned to individual users or user groups.

Screenshot 2022-10-24 at 9.51.19 PM.png

SuperAdmin roles will have all the privileges and permissions for the entire system. Editor roles will have the Create, Read, Update, Delete, and Publish privileges. Author roles will have the same privileges, but only on their own content.

Best Practices for creating custom roles

One of the main goals of RBAC is to only grant contributors the access they need to do their missions and prevent them from having irrelevant access. A well-designed RBAC system also simplifies and streamlines the administration of access.

The best practice to implement custom roles is to start by considering the roles for each contributor in the publishing process in your agency, company, or your client’s company. This way, you will mimic your organizational structure inside your Strapi Admin panel. You can then consolidate or break out roles as needed based on how people in different job functions are meant to use Strapi.

Enforce the lowest level of permissions first

The role that will be defined should be strictly based on each contributor’s responsibilities. Reduce risk, both from malicious intent and user errors by following the principle of least privilege i.e setting up roles for the lowest level of permissions first.

Overlapping roles

The Strapi RBAC is designed to be additive: if users have several role assignments, users’ permissions will be the union of the defined privileges. The practice can facilitate management and the update of roles. Overlapping roles should be considered only if the user is assigned to have several levels of permissions in the publishing process.

Grouping users into roles

One of the benefits of the RBAC is to reduce administrative work. If you have many users in your organization, make sure that users can be grouped into specific roles with the same permissions to maximize efficiency.

Add CRUD permissions for each field in your workflow

The advanced RBAC included in Strapi Enterprise Edition allows the admin to set different permissions for each field in any content type for any Create, Read, Update or Delete operation. It is recommended to add the permission status in your workflow to define the permissions during the content type creation process.

RBAC Use cases

This feature will be very helpful if you need to build a Strapi application to manage a network of franchises, a partner portal, or any distributed network and global communities composed of several subgroups or entities.

You can even go one step further by defining your own conditions of permissions and conditions handler for any users. For example, you can define a condition allowing access only to “invoices” where the amount is lower than $10K.

This level of granularity and flexibility is what makes Strapi RBAC system stand out from the competition.

RBAC and SSO

Large companies often require these privileges to be managed from Single Sign-On (SSO) or Active directory that controls authorization to all accounts and applications from a single service. At the moment, the Strapi Enterprise plans offer an SSO authentication feature for the Strapi admin panel, which lets employees 3rd party authentication providers and protocols such as Active Directory, Okta, Auth0, Keycloak, OAuth, etc, to log in to the Strapi admin panel.

Learn more about Strapi Enterprise Editions

Pierre BurgyChief Executive Officer

Pierre created Strapi with Aurélien and Jim back in 2015. He's a strong believer in open-source, remote and people-first organizations. You can also find him regularly windsurfing or mountain-biking!

Join our Newsletter

Get all the latest news and events.

Newsletter signup is not configured yet.

User roles & permissions·12 min read

Strapi’s User Roles and Permissions for Admin Panel

User management in software development is an essential factor in cybersecurity. In the wave of growing cybercrimes,...

·June 27, 2022
User roles & permissions·14 min read

Strapi’s User Roles and Permissions for Admin Panel

This article is a guest post by . She wrote this blog post through the program. User management in software...

·May 12, 2021
User roles & permissions·7 min read

Announcing Strapi 3.1 - Administrator Roles & Permissions

RoleBased Access Control (RBAC) is a wellknown feature to anyone working with Content Management Systems (CMS) or any...

·July 23, 2020