Roles are essentially a collection of permissions that can be assigned to users.
Roles and permissions are crucial for ensuring security and compliance in B2B platforms. They help maintain the integrity of the platform by limiting access to sensitive information and functions to authorized users only.


Frontegg's role-based solution for managing users makes it easy to implement and assign roles giving you maximum ability to customize which users can access the various parts of your application. Role-based access control is a very common approach for restricting access to parts of an application to only authorized users.

A user's access to information and functionality in your application is defined by the roles assigned to the user. Every user has one or more roles. Each role is defined by the group of permissions assigned to that role. Each permission corresponds to the ability to do something in your application.

The way you design roles in Frontegg is intuitive and behaves as you would expect from any standard role-based system. We do, however, have a few unique features explained in our guides.

With just a few clicks you can define multiple roles and assign them to users. Read more about permissions in this guide.

How to manage roles for your app

Roles and permissions exist in every environment you decide to use (Development, Staging, QA, and Production). In order to get to the roles page and create roles, go to the Frontegg Portal → {Environment} → Authorization → Roles

Frontegg roles and defaults

By default, Frontegg comes with two roles already set up with permissions; Admin and Read Only roles. You can use, edit or delete them.

You can set roles and attach them to users. This action can happen in two different ways:

In the Backoffice - When you will add users to different accounts.

By your customer within the admin portal - when inviting new users. Users must assign the invited user a role.


Role Properties

NameThis property will be presented to all users when inviting others on the Frontegg portal within the Backoffice or when adding users to accounts in your app. Try to make it descriptive.
DescriptionThe description is intended to help you and your teammates understand the role internally.
KeyAn internal identifier that must be unique. As mentioned above, the JWT includes a ‘roles’ array which contains the role keys associated with that user.
LevelA role level can refer to the level of authority or privilege associated with a specific role for a user. Usually, higher role levels have more permissions and access than lower role levels. Users can only apply roles (to other users) with levels lower than theirs.
Permissions listAn individual permission allows someone to perform a specific task, such as uploading a video or editing a profile. Essentially, each role contains a set of permissions assigned to it.
Assigned accountsThe role can be assigned to a specific account or all accounts in the environment.

Roles table and actions

In the roles table, you can see all roles created by Frontegg (Admin and Read only roles) and by you (custom roles).

  1. Search bar - gives you the option to search for a specific role
  2. Filters - you can filter roles by levels
  3. Delete a role - use the three dots on the right side of each role line to delete it.


Delete a role

In the case of deleting a role, make sure there are no users without any roles.

Role Creation and Editing

Create a new role by clicking on the "Add new role" button.

On the Settings tab add the following details:

Nameeach role must have a unique name.
Descriptionwe advise you to add a description that will help you manage your roles.
Keyadd a unique key, which will be used to identify the role.
Levela numeric input that helps you manage role hierarchy. Roles can only invite/assign roles with a level equal to or greater than their own role level.
Default roleWhen you or other teammates on the Frontegg portal will add users to accounts, you will be able to set default roles as ‘suggested’ in the backoffice. Please note, this can be reversed when adding new users.
Select accountas default, a role is set to all accounts in an environment, but, you can decide to attach it to a specific account. In that way, just one account in that environment will be able to see and use the role. Once you click on the Save button, you won’t be able to reverse the decision. (You will still be able to delete the role and change the settings though)


Default role

Make sure you have at least one role you include as "Default". This role will be added to a user when signing up.

On the Permissions tab you are able to add new permissions:

  1. Click on “Assign Permissions”
  2. Mark the permissions you would like to add to this role
  3. Click “Assign permissions”
  4. Click ‘Save’ to add the role to the role table


A role can be saved without permissions and you can add those later on.

Edit existing roles

In order to go back and edit an existing role, click on the role line in the table and edit its settings.

How does roles work in Frontegg?

When Frontegg generates a user/API M2M access token (JWT), it includes a ‘roles’ array which contains the role keys associated with this user, and also a ‘permissions’ array with all the permission keys contained in those roles.

The Frontegg backend SDKs can verify the JWT and enforce roles and permissions for you, and you can specify the ‘permissions’ and/or ‘roles’ that are required for a certain operation. See more details on the implementation here.

Wrapping it all up - Who uses roles and where?

  1. Setting up roles and permissions on each environment (this guide explains how you can do that)
  2. Adding/ editing roles for specific users within the backoffice
  3. Inviting users to an account within the backoffice

Your users can invite others and attach roles via admin portal

Going live checklist

  1. Make sure you’ve enabled the roles and permission option under the authorization → Roles (in each environment).
  2. In case you created custom roles and added custom permissions, make sure you’ve added them to your code to be enforced.
  3. Create roles and permissions in one of the testing environments before moving them to Production.
    Add a new test user with that role and validate the enforcement on your side.
  4. Move the roles and Permissions to Production

Additional resources

APIs related to Roles

  1. Get roles
  2. Create roles
  3. Delete role
  4. Update role
  5. Set multiple permissions to a role

See next