Recommendations on designing Roles and permissions

Our team is adopting roles and permissions, and until now everything works great. We are now looking for some design guidance, in terms of how to specify roles and permissions.

We are internally debating the idea of a “base” role, giving, for example, view access.
Then admin users could have an “admin” role, giving them delete permissions (without specifying read permissions).

The alternative would be that the “admin” role also includes read permissions.

Do you have any experience to share - pros and cons?

Hi @alexab,

I think you could be successful with either implementation, as long as you are consistent. With that being said, sure there are trade-offs.

How are you planning on assigning the base permission? Programmatically in a rule (example)? If so, you will have the read permission on every user, and will have the redundant read permission on admin. But is that really a problem? Not necessarily according to the additive model of roles and permissions described here.

Are roles mutually exclusive in your implementation? Will you need to check if a user is a base user and not an admin? If so, you will want admin to have all the permissions of a base user, and not have to perform a function checking all user roles to confirm they are only base level.

Are you only checking permissions? Or are you checking roles in the token (via a custom claim outlined here). Or are you relying on permissions to be descriptive enough to manage access. If you are only using roles to assign permissions to users, and not checking if a user has a role in a token, but rather if the user has permission, then it doesn’t matter as much how the permissions are assigned, just that they are correctly assigned.

I will admit, I have not seen every implementation of roles and permissions, and there may be more granular advice depending on your scenario, but generally you can achieve what you are describing multiple ways.

Hope this helps!


Hi @dan.woda - thanks for your reply.

We have decided to rely only on permissions, so I guess in that case it does not matter so much. And since we don’t plan on checking of a user is a base user and not an admin, I think it will be relatively simple setup.

This was great help, but maybe roles/permissions setup could be a great topic for some Auth0 blogs/articles in the future :slight_smile:



Thats a great idea, thanks for the feedback. Also, thanks for updating us with your final solution, it might help guide others in the future.


1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.