Roles

Overview

Roles in FusionAuth are associated with an application. You can define as many roles as you want in an application. There are no limits on the number of roles a user or a group can have.

Roles are application specific and may be specific to the domain of the application. Roles are typically used by APIs and applications to control access to functionality. For example, Zendesk presents a different user interface to users with the agent role than to users without that role.

For a further example, an e-commerce application may have the following roles:

admin
seller
shopper

On the other hand, a content management system may have these roles:

admin
editor
contributor
subscriber

Roles are available in the JWT upon successful authorization and are also returned as part of the user’s registrations.

You can associate roles with users directly via their registration. Or you can assign an application role to a group, and then any users in that group who have access to that application will have that role.

Role Attributes

Roles in FusionAuth have the following attributes:

Name Required: The name of the role. This value should be short and descriptive. Roles can only be created and deleted, only the role description may be modified.
Default Optional: One or more roles may be marked as default. A default role will be automatically added to new user registrations when no roles are explicitly provided on the API request.
Super Role Optional: A role may be optionally marked as a super user role. This indicator is just a marker to indicate to you that this role encompasses all other roles. It has not affect on the usage of the role.
Description Optional: An optional description to better describe the intended use of this role.

FusionAuth Application Roles

The FusionAuth application which provides the administrative user interface for the FusionAuth instance provides a number of built-in roles. These can be assigned to any user registered with the FusionAuth admin application. These roles control access to functionality within the FusionAuth administrative user interface.

These roles are used only internally to manage authorization within the FusionAuth administrative user interface application.

These roles are not global and are not present in any other applications for which FusionAuth provides authentication, authorization or user management.

Below you can see the administrative user interface screen where you assign roles in the FusionAuth application to a user.

In general, any role ending in _viewer can view entities of a particular type, any role ending in _manager can add or edit the entities, and any role ending in _deleter can delete entities.

Table 1. FusionAuth application roles
Name	Id	Description
`admin`	`631ecd9d-8d40-4c13-8277-80cedb8236e2`	Can manage everything, including creating new users with administrator privileges.
`api_key_manager`	`631ecd9d-8d40-4c13-8277-80cedb8236e3`	Can add and edit API keys.
`application_deleter`	`631ecd9d-8d40-4c13-8277-80cedb8236e4`	Can delete applications.
`application_manager`	`631ecd9d-8d40-4c13-8277-80cedb8236e5`	Can add and edit applications.
`audit_log_viewer`	`631ecd9d-8d40-4c13-8277-80cedb8236e6`	Can view audit logs.
`connector_deleter`	`631ecd9d-8d40-4c13-8277-80cedb823700`	Can delete Connectors. Available since 1.18.
`connector_manager`	`631ecd9d-8d40-4c13-8277-80cedb823701`	Can add and edit Connectors. Available since 1.18.
`consent_deleter`	`631ecd9d-8d40-4c13-8277-80cedb8236fc`	Can delete consents.
`consent_manager`	`631ecd9d-8d40-4c13-8277-80cedb8236fd`	Can addd and edit consents.
`email_template_manager`	`631ecd9d-8d40-4c13-8277-80cedb8236e7`	Can add and edit email templates.
`event_log_viewer`	`631ecd9d-8d40-4c13-8277-80cedb8236fa`	Can view the event log.
`form_deleter`	`631ecd9d-8d40-4c13-8277-80cedb823702`	Can delete forms and form fields. Available since 1.18.
`form_manager`	`631ecd9d-8d40-4c13-8277-80cedb823703`	Can add and edit forms and form fields. Available since 1.18.
`group_deleter`	`631ecd9d-8d40-4c13-8277-80cedb8236f6`	Can delete groups.
`group_manager`	`631ecd9d-8d40-4c13-8277-80cedb8236f5`	Can add and edit groups.
`key_manager`	`631ecd9d-8d40-4c13-8277-80cedb8236fb`	Can add and edit keys.
`lambda_manager`	`631ecd9d-8d40-4c13-8277-80cedb8236f9`	Can add and edit lambdas.
`reactor_manager`	`631ecd9d-8d40-4c13-8277-80cedb8236ff`	Can add and edit reactor settings. Available since 1.15.
`report_viewer`	`631ecd9d-8d40-4c13-8277-80cedb8236e8`	Can view reports.
`system_manager`	`631ecd9d-8d40-4c13-8277-80cedb8236e9`	Can add and edit system configuration.
`tenant_deleter`	`631ecd9d-8d40-4c13-8277-80cedb8236f8`	Can delete tenants.
`tenant_manager`	`631ecd9d-8d40-4c13-8277-80cedb8236f7`	Can add and edit tenants.
`theme_manager`	`631ecd9d-8d40-4c13-8277-80cedb8236fe`	Can add and edit themes.
`user_action_deleter`	`631ecd9d-8d40-4c13-8277-80cedb8236f0`	Can delete user actions.
`user_action_manager`	`631ecd9d-8d40-4c13-8277-80cedb8236f1`	Can add and edit user actions.
`user_deleter`	`631ecd9d-8d40-4c13-8277-80cedb8236f2`	Can delete users.
`user_manager`	`631ecd9d-8d40-4c13-8277-80cedb8236f3`	Can add and edit users.
`user_support_manager`	`631ecd9d-8d40-4c13-8277-80cedb823704`	Allows for a limited scope of user management. See below. Available since 1.23.
`user_support_viewer`	`631ecd9d-8d40-4c13-8277-80cedb823705`	Can view user information. Available since 1.23.
`webhook_manager`	`631ecd9d-8d40-4c13-8277-80cedb8236f4`	Can add or edit webhooks.

The user_support_manager role is a role tuned for tier 1 technical support personnel and has a mix of capabilities. A user with such a role can:

Add a user.
Edit a user, except for any identity information that could be used to authenticate. For example, the email and username cannot be modified.
Add a registration with no role management. If a new registration is created it would receive the default roles only.
Edit a registration with no role modification.
Delete a registration.
View a registration.
Send a forgot password request.
Send a verify email request.
Require a password change at next login.
Lock a user account.
Unlock a user account.
Modify 2FA settings if available.
Action a user.
Add a comment to a user.
Manage group membership.
Manage family membership.
Manage consents.
Manage sessions (refresh tokens).