What are Roles?
Frontegg's role-based authorization, grounded in Role-Based Access Control (RBAC), simplifies the process of managing user access. In Frontegg, user access to information and user's ability to perform actions within your application are determined by their roles. Users can have one or more roles, and each role can have a subset of permissions associated with it. Each permission grants the ability to perform certain actions within your application.
Designing roles in Frontegg is both intuitive and straightforward. We do offer several unique features, which we will expand on below.
Getting started with roles
Before getting started, make sure to enable the roles and permission option under the [ENVIRONMENT] → Configurations → Entitlements → Roles → Settings → Role-based authorization.
Roles in Frontegg exist per environment [ENVIRONMENT] → Configurations → Entitlements → Roles and are linked to Permissions.
By default, we've configured two preset roles in your portal— Admin and Read Only roles. You can choose to use, edit, or delete them.
The roles tab is the main place where you can add, view, edit or delete roles (use the three dots on the right side of each role line to delete a role). This tab showcases all roles created by either Frontegg (i.e., Admin and Read only roles) or by you (i.e., custom roles).
- Search bar- gives you the option to search for a specific role
- Filters - you can filter roles by levels
Assigning roles to users
You can set roles and assign them to users. This action can happen in two different way— you can set them up as the vendor (management) or you can enable your customers to configure roles by themselves (self-service). Both instances can also be performed via API (see last section of this guide).
Management role assignment
You can set a role for users via the management section in the portal. Simply go to [ENVIRONMENT] → Management → Users, and choose the roles you wish to allocate to the new user you create, like so:
Self-service role assignment
Assigning roles can also be done by your customers independently (self-service). To do so, press the name icon → Administraion → Users → Invite user.
Roles can also be edited for exsiting users, like so:
Creating a new role
Let's breakdown the process of creating a new role. To create a new role, click the "Add new role" button.
When creating a new role, note that you have a Key and Level fields. The Key field represents the identifying key that will be stored in the user's JWT and will be associated with the role if you wish to use it as an attribute, possibly for Feature Flagging. The Level field will indicate the level of this role and will allow the person holding it to invite or assign roles only to users with an equal or greater level than theirs (see chart below for more information on role levels).
Default role
Default role
Make sure you have at least one role you include as "Default". This role will be added to a user when signing up.
Role properties
| Property | Description |
|---|---|
| Name | This property will be presented to all users when inviting others in the Frontegg portal within the Backoffice or when adding users to accounts in your app. Try to make it descriptive. |
| Description | The description is intended to help you and your teammates understand the role internally. |
| Key | An internal identifier that must be unique. As mentioned above, the JWT includes a ‘roles’ array, that contains the role keys associated with that user. |
| Level | Role level refers to its position in the hierarchy. Lower-numbered role levels have precedence and usually have more permissions and access than higher-numbered role levels (e.g., level 0 roles are stronger in the hierarchy than level 1 roles). Users can only assign roles to users with levels higher or equal to theirs. |
| Permissions list | An individual permission allows someone to perform a specific task, such as uploading a video or editing a profile. Essentially, each role contains a set of permissions assigned to it. |
| Assigned accounts | The role can be assigned to a specific account or all accounts in the environment. |
| ID | Each role has a unique ID that is generated automatically upon role creation (see note) |
Assigning permissions to roles
As we've mentions, roles are defined by the scope of permissions that the us ers holding them can perform. Note that you can assign permissions to roles at a later stage, and not necessarily when you create a new role. To assign permissions to roles, follow these steps:
- Go to [ENVIRONMENT] → Entitlements → Roles, pick a role, and go to the permissions tab adjacent to the role's settings (see screenshot).
- Click “Assign permissions” and choose the permissions you would like to add to this role
- Click ‘Save’ to add the role to the role table
Edit existing roles
To go back and edit an existing role, click on the role line in the table and edit its settings.
Custom roles
You can let your account create their own custom roles by enabling the Roles page in the self-service portal and defining permissions. Note that to use Custom Roles, your app must have Role-based Authorization enabled in your back office, like so:
System roles - system roles apply to all accounts. They are visible both in your dashboard and self-service portal.
Custom roles - custom roles can be devised and customized by your end users via their self-service portal and are subject to the permissions you allow your accounts to assign.
Classifying permissions
Permissions comprise the roles given to your accounts' users and define their scope of action within your app. When creating permissions, you must decide which of them can be assigned to Custom roles created by your accounts, which cannot, and which will be added by default.
To configure your permissions settings, go to Configurations → Entitlements → Permissions. A new (or existing) permission will be comprised of a Name, Description, Category, Key (the indication of the permission in the user's JWT), and a Classification type (Assignable/Never/Always). The Classification type indicates whether that permission can be assigned to a custom role. Permission classification types are:
Never: Custom roles can never use these permissions.
Assignable: Permissions that accounts can assign to their custom role.
Always: Custom roles created by accounts will always include this permission.
Classification type
Classification type
Note that permission's Classification Type is set to Assignable by default. You can always change its classification type via the drop down menu.
Permissions with a Never classification are typically reserved for administrative, super-users, or system permissions that should not be customizable by accounts.
Permission with an Always classification are essential to the core functionality of the application and ensure that a custom role has a minimum requirment of default permissions.
Read more about custom roles in self-service portal, here.
Roles behind the scenes
When Frontegg generates a user/API M2M access token (JWT), it includes a ‘roles’ array containing the role keys associated with this user and a ‘permissions’ array with all the permission keys contained in those roles.
Roles and token expiration
Roles and token expiration
User roles are embedded within the user's JWT. When a role is modified, the new permissions will only take effect once the current token expires and a new one is issued. To prevent potential security risks and ensure that user permissions remain up-to-date, consider shortening the JWT's lifespan. You can adjust this setting by going to [ENVIRONMENT] → Authentication → JWT → Token Expiration.
Enforcing roles and permissions
Enforcing roles and permissions
Frontegg backend SDKs can verify the JWT and enforce roles and permissions for you. You can specify the ‘permissions’ and/or ‘roles’ required for a certain operation.Learn more.
Roles via APIs
You and your customers can perform multiple actions relating to roles via API: