What are permissions in Frontegg?
Permissions are essential for controlling user access to information and functionality in your application.
Permissions represent the ability to perform actions in your app, e.g., deleting users or editing a profile page. Permissions are strongly linked to roles, since roles are defined by their subset of user permissions. When your users are granted one or more roles, that defines the scope of what they can do in your app, i.e., their permissions.
To get you up and running quickly, Frontegg comes with a collection of default permissions linked to existing features already available in your portal. Additionally, you can set Custom Permissions instead of or in addition to your preset Frontegg Permissions. Read on to learn how.
Permissions in the self-service portal
Note that you need to enable (toggle on) the Admin Portal areas you want your users to be able to see. If those areas are not visible, giving users permissions or roles will have no effect.
Creating and granting permissions
As mentioned above, enabling the visibility of specific self-service portal areas is essential for users to see these tabs, let alone access or view the information within. The first step before granting users permissions is, therefore, to toggle on the different areas you want them to see, like the Privacy & Security tab in the following example:
Where to manage permissions for your app
Permissions exist per environment. The permissions tab is located at [ENVIRONMENT] → Configurations → Entitlements → Permissions.
Frontegg permissions and default settings
Frontegg's set of permissions provides you and your customers the granularity to select which users can do what from within your admin box.
Examples include permissions to Give access to sub accounts, Edit group roles, Delegation, etc.
Permissions define the scope of actions your users can perform in your app's self-service portal. Frontegg's permissions list is fixed and cannot be edited or deleted. All Frontegg permissions begin with an fe prefix (such as fe.connectivity.read.eventCategories).
You can assign permissions to users to define their access and the scope of actions they can perform in the self-service portal (read, write, etc.). See the table below for a quick reference on which permission controls which tab. Note that the table lists read permissions; there are write and delete permissions as well (for example, fe.secure.read.users also has fe.secure.write.users and fe.secure.delete.users). You can always use the search bar to see all available permissions under each category.
Category | Permission | Key | Location in Portal |
---|---|---|---|
Security Policies | Read* securityPolicies | fe.secure.read.securityPolicy | Privacy & Security |
Audits | Read* audits | fe.secure.read.audits | Audit logs |
API Tokens | Read* tenant API tokens | fe.secure.read.tenantApiTokens | API tokens |
API Tokens | Read* user API tokens | fe.secure.read.userApiTokens | Personal tokens |
User Management | Read* users | fe.secure.read.users | Users |
Account Settings | Read* securityPolicies | fe.secure.read.accountSettings | Account details |
Webhook Integration | Read* webhooks | fe.connectivity.read.webhooks | Webhooks |
SAML | Read* SAML configuration | fe.secure.read.samlConfiguration | fe.secure.read.audits |
Note that you can switch read with write or delete to get the corresponding permissions, e.g., fe.secure.write.users and fe.secure.delete.users.
Wildcard and global permissions
In addition to individual permissions, you can add global permissions to users. Use the * in the search bar to see all permissions supported for this functionality. When granting a user an fe.secure.read.* permission, you are granting the user global read permissions (in comparison to fe.secure.read.samlDefaultRoles, which grants a much more granular capability). The fe.secure.* permission, for example, will grant users complete read and write permissions.
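The check below is an added example, not Frontegg's code or API: a deny-by-default matcher for the wildcard grants described above, plus a helper that expands each wildcard against a catalogue of keys for access reviews. It assumes a trailing * covers every key sharing the preceding segments and that the granted list comes from an already-verified token; the function names and sample list are hypothetical.

```javascript
// Added example (not Frontegg code). Assumption: a trailing "*" segment in a
// granted key covers every key that shares the preceding segments.

// Keys taken from this page; used as the catalogue a wildcard is expanded against.
const KNOWN_KEYS = [
  "fe.secure.read.users",
  "fe.secure.write.users",
  "fe.secure.delete.users",
  "fe.secure.read.audits",
  "fe.secure.read.samlConfiguration",
  "fe.secure.read.samlDefaultRoles",
  "fe.connectivity.read.webhooks",
];

// True when one granted key (exact or wildcard) covers the required key.
function grantCovers(grant, required) {
  if (typeof grant !== "string" || typeof required !== "string") return false;
  if (required.includes("*")) return false; // callers must ask for a concrete key
  if (!grant.endsWith(".*")) return grant === required;
  const prefix = grant.slice(0, -1); // keep the trailing dot: "fe.secure.read."
  return required.startsWith(prefix) && required.length > prefix.length;
}

// Deny by default: anything that is not an array of strings grants nothing.
function hasPermission(granted, required) {
  return Array.isArray(granted) && granted.some((g) => grantCovers(g, required));
}

// For access reviews: list the concrete catalogue keys each wildcard grant reaches.
function expandWildcards(granted, catalogue = KNOWN_KEYS) {
  const report = {};
  for (const g of granted.filter((k) => typeof k === "string" && k.endsWith(".*"))) {
    report[g] = catalogue.filter((k) => grantCovers(g, k));
  }
  return report;
}

// Constructed sample: a permission list as it might appear in verified token claims.
const samplePermissions = ["fe.secure.read.*", "fe.connectivity.read.webhooks"];
```

Running expandWildcards over each role's permission list shows how many concrete keys a single wildcard grant reaches before the role is assigned.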
Permission properties
Each permission has the following properties:
- Name: The permission's name.
- Description: The description is intended to help you and your teammates understand the permission internally.
- Category: Categories serve as simple holding folders for a group of related permissions. This is true of both Frontegg Permissions and Custom Permissions. Each Frontegg Permission is already assigned to a category and cannot be reassigned to a different one. For each Custom Permission, you must assign it to a category, and you can edit which category it belongs to. Although organized in categories, each permission must be edited individually.
- Key: An internal identifier that must be unique. As a best practice, a permission's key should include the name of the resource and the action it is protecting. For example, if I want to protect SAML configuration with permissions, I would add three permissions with different actions:
fe.secure.delete.samlConfiguration
fe.secure.read.samlConfiguration
fe.secure.write.samlConfiguration
- ID: Each permission has a unique ID generated automatically upon creation.
Permissions table and actions
In the permissions dashboard, you can view all supported permissions, search for specific ones and assign them roles.
Search bar - gives you the option to search for a specific permission
Filters - you can filter permissions by category and the creator (you or Frontegg)
Assign Roles - Assign roles to permissions. When roles are assigned to permissions, the permissions become part of the role's subset of features, i.e., every user assigned that specific role will be entitled to perform its subset of permissions.
Delete a permission - use the three dots on the right side of each permission to delete it.
Creating and editing permissions
You can create a new permission by clicking the "Add New Permission" button.
The Settings tab will include the following fields:
Field | Description |
---|---|
Name (required) | Add a descriptive name for your permission |
Description | We advise you to add a description that will help you and other teammates manage the permissions. |
Category (required) | Choose a category from the category list. You can assign an existing category, or create a new one. |
Key (required) | Add a unique key, which will be used to identify the permission and will be added to your code. |
To add a new permission, press the Add new permission button, and fill in the Name, Category, and Key fields. The Key field is the unique identifier stored in the user JWT.
Permissions dependency
Note that permissions can be created without any role attached; roles can be added later on.
Permissions via APIs
You can perform multiple actions relating to permissions via API. Explore the collection here.