Roles and Access Permissions in Strapi
Strapi uses two separate access mechanisms: Users & Permissions (for end users of the public content API) and Role-Based Access Control (for administrators in the admin panel). Both are configured either through the admin GUI (Settings → Roles) or programmatically.
Users & Permissions (public API)
The users-permissions plugin manages JWTs and the roles of public API users.
Built-in roles:
- Public: unauthenticated requests
- Authenticated: requests authorized via JWT
# Get JWT token
POST /api/auth/local
{ "identifier": "[email protected]", "password": "password" }
# Response: { "jwt": "...", "user": {...} }
# Request with token
GET /api/articles
Authorization: Bearer <jwt-token>
Setting permissions via API:
// src/index.js: programmatic permission setup on bootstrap
module.exports = {
  async bootstrap({ strapi }) {
    // Look up the built-in Public role
    const publicRole = await strapi.query('plugin::users-permissions.role')
      .findOne({ where: { type: 'public' } });
    // Allow public read of articles. updateMany only changes rows that already
    // match the where clause, so the permission row for this action must exist.
    await strapi.query('plugin::users-permissions.permission').updateMany({
      where: { role: publicRole.id, action: 'api::article.article.find' },
      data: { enabled: true },
    });
  },
};
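The Public role is the one every unauthenticated caller gets, so the action names it carries (in the `api::<api>.<controller>.<method>` form used above) are worth checking on every deploy. The following is an added example, not Strapi's own code: it parses permission rows shaped like the `plugin::users-permissions.permission` query results and flags any non-read action granted to Public; the `auditPublicRole` helper and the sample rows are assumptions constructed for this page.

```javascript
// Added example (not part of Strapi): audit the Public role for write actions.

// Controller methods that only read data; anything else on Public is a finding.
const READ_ACTIONS = new Set(['find', 'findOne']);

// Parse 'api::article.article.find' into its parts; null if it does not
// follow the documented '<kind>::<api>.<controller>.<method>' layout.
function parseAction(action) {
  const m = /^(api|plugin)::([^.]+)\.([^.]+)\.(.+)$/.exec(action);
  if (!m) return null;
  return { kind: m[1], api: m[2], controller: m[3], method: m[4] };
}

// Return the granted actions that are not plain reads, plus any action
// strings that do not match the expected format (so nothing slips by unparsed).
function findRiskyPublicActions(permissionRows) {
  const findings = [];
  for (const row of permissionRows) {
    const parsed = parseAction(row.action);
    if (!parsed) {
      findings.push({ action: row.action, reason: 'unrecognised action format' });
    } else if (!READ_ACTIONS.has(parsed.method)) {
      findings.push({
        action: row.action,
        reason: `write action "${parsed.method}" exposed to unauthenticated users`,
      });
    }
  }
  return findings;
}

// Live variant (hypothetical helper): load the Public role's rows through the
// query engine of a running Strapi v4 instance, e.g. from bootstrap().
async function auditPublicRole(strapi) {
  const rows = await strapi.query('plugin::users-permissions.permission').findMany({
    where: { role: { type: 'public' } },
  });
  return findRiskyPublicActions(rows);
}

// Constructed sample rows so the check can be run offline.
const SAMPLE_ROWS = [
  { action: 'api::article.article.find' },
  { action: 'api::article.article.findOne' },
  { action: 'api::article.article.create' },
  { action: 'plugin::upload.content-api.upload' },
];
```

Running `findRiskyPublicActions(SAMPLE_ROWS)` reports the `create` and `upload` grants; wiring `auditPublicRole` into `bootstrap()` and failing startup on a non-empty result turns the check into a deploy-time guard.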
Custom Role
// Create a role via Admin: Settings → Roles → Add new role
// Or programmatically:
const role = await strapi.query('plugin::users-permissions.role').create({
  data: {
    name: 'Premium User',
    description: 'User with access to premium content',
    type: 'premium',
  },
});
Admin Panel RBAC
Administrators use a separate role system.
Built-in admin roles:
- Super Admin: full access
- Editor: content management
- Author: own records only
// Programmatic admin role creation
const editorRole = await strapi.query('admin::role').create({
  data: {
    name: 'Content Manager',
    description: 'Manage articles and categories only',
  },
});
// Assign permissions. In Strapi v4 assignPermissions lives on the admin
// role service (strapi.admin.services.role), not the permission service.
await strapi.admin.services.role.assignPermissions(editorRole.id, [
  { action: 'plugin::content-manager.explorer.read', subject: 'api::article.article' },
  { action: 'plugin::content-manager.explorer.create', subject: 'api::article.article' },
  { action: 'plugin::content-manager.explorer.update', subject: 'api::article.article' },
]);
Field-level Permissions
// Restrict read access to specific fields of a content type
await strapi.admin.services.role.assignPermissions(roleId, [
  {
    action: 'plugin::content-manager.explorer.read',
    subject: 'api::article.article',
    properties: {
      fields: ['title', 'content', 'publishedAt'], // only these fields are readable
    },
  },
]);
API Tokens (for server requests)
# Admin → Settings → API Tokens → Create new API Token
# Type: Read-only / Full access / Custom
# Usage
GET /api/articles
Authorization: Bearer <api-token>
Timeline
Setting up roles for editorial team (3–4 roles with different access levels) — 0.5–1 day.