Roles

Overview

Roles in FusionAuth are associated with an application. You can define as many roles as you want in an application. There are no limits on the number of roles a user or a group can have.

Roles are application specific and usually reflect the domain of that application. APIs and applications use roles to control access to functionality. For example, Zendesk presents a different user interface to users with the agent role than to users without it.

For a further example, an e-commerce application may have the following roles:

  • admin

  • seller

  • shopper

On the other hand, a content management system may have these roles:

  • admin

  • editor

  • contributor

  • subscriber

Roles are available in the JWT issued upon successful authorization and are also returned as part of the user's registrations. Any service that reads roles out of the JWT must verify the token's signature and expiration first; an unverified roles claim is attacker-controlled input.

You can associate roles with users directly via their registration. Alternatively, you can assign an application role to a group, and any users in that group who have access to that application will then have that role.
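The role check that an API protected by FusionAuth would perform, as an added example rather than code from the FusionAuth project or its client libraries. It verifies an HS256 JWT with the standard library only, pins the algorithm, checks expiry and the target application, and only then consults the roles claim. The claim names `roles` and `applicationId`, the demo HMAC key and the application Id are assumptions made for the example; a deployment should use the signing key and application Id configured in its own FusionAuth instance.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; replace with the application's real signing key and Id.
DEMO_KEY = b"example-hmac-key-do-not-use-in-production"
APPLICATION_ID = "e2d6a9f0-0000-4000-8000-000000000001"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issue an HS256 JWT for the demo; in practice FusionAuth issues the token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_jwt(token: str, key: bytes, application_id: str, now: float = None) -> dict:
    """Return the claims only after signature, alg, exp and applicationId all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token pick (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # A token minted for one application must not grant roles in another.
    if claims.get("applicationId") != application_id:
        raise ValueError("token issued for a different application")
    return claims


def authorize(token: str, required_role: str, key: bytes = DEMO_KEY,
              application_id: str = APPLICATION_ID, now: float = None) -> str:
    """'allow' if the verified token carries the role, 'deny' if valid but missing it,
    otherwise 'invalid: <reason>'. Roles are read only from a verified token."""
    try:
        claims = verify_jwt(token, key, application_id, now)
    except ValueError as exc:
        return f"invalid: {exc}"
    return "allow" if required_role in claims.get("roles", []) else "deny"


if __name__ == "__main__":
    issued = make_demo_jwt({"sub": "user-1", "applicationId": APPLICATION_ID,
                            "roles": ["seller"], "exp": time.time() + 3600})
    print(authorize(issued, "seller"))  # allow
    print(authorize(issued, "admin"))   # deny
```

Because the check returns a distinct result for an invalid token and for a valid token without the role, callers can log forged or expired tokens separately from ordinary authorization denials.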

Role Attributes

Roles in FusionAuth have the following attributes:

Name Required

The name of the role. This value should be short and descriptive. The name cannot be changed after the role is created: roles can only be created and deleted, and only the description may be modified.

Default Optional

One or more roles may be marked as default. A default role will be automatically added to new user registrations when no roles are explicitly provided on the API request.

Super Role Optional

A role may optionally be marked as a super user role. This indicator is only a marker telling you that this role encompasses all other roles. It has no effect on how the role is used; FusionAuth does not expand it into the other roles.

Description Optional

An optional description to better describe the intended use of this role.
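How registration roles, group roles and default roles combine into a user's effective roles for one application, as an added example written for this page and not taken from FusionAuth's code. It models the rules stated above: explicit roles on a registration are used as given, a registration created without roles receives the application's default roles, group roles apply only to members who are also registered for that application, and the super role flag is a marker that grants nothing extra. The data classes, the treatment of a missing `roles` argument as "not provided", and the sample users and groups are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    is_default: bool = False
    is_super_role: bool = False  # marker only: never consulted when resolving roles


@dataclass
class Registration:
    user_id: str
    application_id: str
    roles: set = field(default_factory=set)


@dataclass
class Group:
    name: str
    members: set                      # user Ids
    application_roles: dict           # application_id -> set of role names


def register(user_id: str, application_id: str, app_roles: dict,
             requested_roles=None) -> Registration:
    """Create a registration. With no roles provided (None, an assumption for
    'not explicitly provided'), the application's default roles are applied.
    Unknown role names are rejected rather than silently dropped."""
    if requested_roles is None:
        roles = {r.name for r in app_roles.values() if r.is_default}
    else:
        unknown = set(requested_roles) - set(app_roles)
        if unknown:
            raise ValueError(f"unknown roles for application: {sorted(unknown)}")
        roles = set(requested_roles)
    return Registration(user_id, application_id, roles)


def effective_roles(user_id: str, application_id: str,
                    registrations: list, groups: list) -> set:
    """Registration roles plus the roles of every group the user belongs to that
    carries roles for this application. No registration means no access at all,
    so group roles are not applied to an unregistered user (an assumption that
    'has access to that application' means 'holds a registration')."""
    registration = next((r for r in registrations
                         if r.user_id == user_id and r.application_id == application_id), None)
    if registration is None:
        return set()
    roles = set(registration.roles)
    for group in groups:
        if user_id in group.members:
            roles |= set(group.application_roles.get(application_id, ()))
    return roles


# Constructed sample data: the e-commerce roles from this page.
SHOP_APP = "shop-app"
SHOP_ROLES = {
    "admin": Role("admin", is_super_role=True),
    "seller": Role("seller"),
    "shopper": Role("shopper", is_default=True),
}

if __name__ == "__main__":
    alice = register("alice", SHOP_APP, SHOP_ROLES)              # gets default: shopper
    bob = register("bob", SHOP_APP, SHOP_ROLES, ["seller"])      # explicit roles
    staff = Group("staff", {"alice", "carol"}, {SHOP_APP: {"admin"}})
    for user in ("alice", "bob", "carol"):
        print(user, sorted(effective_roles(user, SHOP_APP, [alice, bob], [staff])))
```

Note that carol is in the staff group but has no registration for the shop application, so she ends up with no roles there; the group grants admin only to alice, who is registered.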

FusionAuth Application Roles

The FusionAuth application, which provides the administrative user interface for the FusionAuth instance, has a number of built-in roles. These can be assigned to any user registered with the FusionAuth admin application, and they control access to functionality within the administrative user interface.

These roles are used only internally to manage authorization within the FusionAuth administrative user interface application.

These roles are not global and are not present in any other application for which FusionAuth provides authentication, authorization or user management.

Below you can see the administrative user interface screen where you assign roles in the FusionAuth application to a user.

[Screenshot: FusionAuth application roles]

In general, any role ending in _viewer can view entities of a particular type, any role ending in _manager can add or edit the entities, and any role ending in _deleter can delete entities.

Table 1. FusionAuth application roles

Name | Id | Description
admin | 631ecd9d-8d40-4c13-8277-80cedb8236e2 | Can manage everything, including creating new users with administrator privileges.
api_key_manager | 631ecd9d-8d40-4c13-8277-80cedb8236e3 | Can add and edit API keys.
application_deleter | 631ecd9d-8d40-4c13-8277-80cedb8236e4 | Can delete applications.
application_manager | 631ecd9d-8d40-4c13-8277-80cedb8236e5 | Can add and edit applications.
audit_log_viewer | 631ecd9d-8d40-4c13-8277-80cedb8236e6 | Can view audit logs.
connector_deleter | 631ecd9d-8d40-4c13-8277-80cedb823700 | Can delete Connectors. Available since 1.18.
connector_manager | 631ecd9d-8d40-4c13-8277-80cedb823701 | Can add and edit Connectors. Available since 1.18.
consent_deleter | 631ecd9d-8d40-4c13-8277-80cedb8236fc | Can delete consents.
consent_manager | 631ecd9d-8d40-4c13-8277-80cedb8236fd | Can add and edit consents.
email_template_manager | 631ecd9d-8d40-4c13-8277-80cedb8236e7 | Can add and edit email templates.
event_log_viewer | 631ecd9d-8d40-4c13-8277-80cedb8236fa | Can view the event log.
form_deleter | 631ecd9d-8d40-4c13-8277-80cedb823702 | Can delete forms and form fields. Available since 1.18.
form_manager | 631ecd9d-8d40-4c13-8277-80cedb823703 | Can add and edit forms and form fields. Available since 1.18.
group_deleter | 631ecd9d-8d40-4c13-8277-80cedb8236f6 | Can delete groups.
group_manager | 631ecd9d-8d40-4c13-8277-80cedb8236f5 | Can add and edit groups.
key_manager | 631ecd9d-8d40-4c13-8277-80cedb8236fb | Can add and edit keys.
lambda_manager | 631ecd9d-8d40-4c13-8277-80cedb8236f9 | Can add and edit lambdas.
reactor_manager | 631ecd9d-8d40-4c13-8277-80cedb8236ff | Can add and edit Reactor settings. Available since 1.15.
report_viewer | 631ecd9d-8d40-4c13-8277-80cedb8236e8 | Can view reports.
system_manager | 631ecd9d-8d40-4c13-8277-80cedb8236e9 | Can add and edit system configuration.
tenant_deleter | 631ecd9d-8d40-4c13-8277-80cedb8236f8 | Can delete tenants.
tenant_manager | 631ecd9d-8d40-4c13-8277-80cedb8236f7 | Can add and edit tenants.
theme_manager | 631ecd9d-8d40-4c13-8277-80cedb8236fe | Can add and edit themes.
user_action_deleter | 631ecd9d-8d40-4c13-8277-80cedb8236f0 | Can delete user actions.
user_action_manager | 631ecd9d-8d40-4c13-8277-80cedb8236f1 | Can add and edit user actions.
user_deleter | 631ecd9d-8d40-4c13-8277-80cedb8236f2 | Can delete users.
user_manager | 631ecd9d-8d40-4c13-8277-80cedb8236f3 | Can add and edit users.
user_support_manager | 631ecd9d-8d40-4c13-8277-80cedb823704 | Allows a limited scope of user management. See below. Available since 1.23.
user_support_viewer | 631ecd9d-8d40-4c13-8277-80cedb823705 | Can view user information. Available since 1.23.
webhook_manager | 631ecd9d-8d40-4c13-8277-80cedb8236f4 | Can add and edit webhooks.

The user_support_manager role is tuned for tier 1 technical support personnel and grants a deliberately limited mix of capabilities. It cannot change the identity attributes used to authenticate, and it cannot grant or change roles, so a compromised support account cannot be used to escalate privileges. A user with this role can:

  • Add a user.

  • Edit a user, except for any identity information that could be used to authenticate. For example, the email and username cannot be modified.

  • Add a registration with no role management. If a new registration is created it would receive the default roles only.

  • Edit a registration with no role modification.

  • Delete a registration.

  • View a registration.

  • Send a forgot password request.

  • Send a verify email request.

  • Require a password change at next login.

  • Lock a user account.

  • Unlock a user account.

  • Modify 2FA settings if available.

  • Action a user.

  • Add a comment to a user.

  • Manage group membership.

  • Manage family membership.

  • Manage consents.

  • Manage sessions (refresh tokens).

© 2020 FusionAuth