Roles and permissions
Clerk supports modeling your own custom roles and permissions to control access to resources within your application when you use organizations.
Roles
Roles determine a user's level of access to the organization. You can extend a role's privileges and access to resources by adding permissions.
Default roles
For each instance, there are currently two default roles:
- Admin (org:admin) - Offers full access to organization resources. Members with the admin role have all of the system permissions. They can fully manage the organization and organization memberships.
- Member (org:member) - Offers limited access to organization resources. Access to organization resources is limited to the "Read members" and "Read billing" permissions only, by default. They cannot manage the organization and organization memberships, but they can view information about other members in it.
The Creator role
When a user creates a new organization, they're automatically added as its first member and assigned the organization's designated Creator role. By default, that role is org:admin.
You cannot delete an organization role if it's used as the organization's Creator role. But, you can reassign the Creator role to any other role with the right permissions. For example, if you want to delete the admin role, you will have to assign another role as the Creator role.
The Creator role must at least have the following system permissions:
- Manage members (org:sys_memberships:manage)
- Read members (org:sys_memberships:read)
- Delete organization (org:sys_profile:delete)
To reassign the Creator role:
- In the Clerk Dashboard, navigate to Roles & Permissions.
- Create a new role or use an existing role from the list.
- Ensure that Manage members, Read members, and Delete organization system permissions are selected for the role.
- Open the three dots icon for the role.
- From the dropdown, select the Set as Creator role option.
The Default role for members
New organization members are initially assigned the Default role. By default, that role is org:member. This role is used as a pre-filled default in <OrganizationProfile /> invitations and for organization enrollment with verified domains.
You cannot delete an organization role if it's used as the organization's Default role. But, you can reassign the Default role to any other role.
To reassign the Default role:
- In the Clerk Dashboard, navigate to Roles & Permissions.
- Create a new role or use an existing role from the list.
- Open the three dots icon for the role.
- From the dropdown, select the Set as Default role option.
Custom roles
You can create up to 10 custom organization roles per application instance to meet your application needs. If you need more than 10 roles, contact support.
Custom roles can be granted permissions and access. For example, you can create a new role of Billing (org:billing) which can be used to group users who belong to a specific department of the organization and have permission to manage credit card information, invoices, and other resources related to billing.
To create a new role:
- In the Clerk Dashboard, navigate to Roles & Permissions.
- Select Add role.
- Give the role a name, a key to reference it by, and a description. The final key will follow the format org:<role>.
- Select Save.
Change a user's role
You can change a user's role in the Clerk Dashboard, or in your application, such as in the <OrganizationSwitcher /> component.
To change a user's role in the Clerk Dashboard:
- At the top of the Clerk Dashboard, select Organizations, then select an organization.
- Select the Members tab.
- In the list of members, find the one whose role you want to change.
- Select another role from their role dropdown.
Delete a role
You cannot delete a role that is still assigned to members of an organization. Change the members to a different role before completing the following steps.
- In the Clerk Dashboard, navigate to Roles & Permissions.
- Select the three dots icon next to the role.
- Select Delete role.
Permissions
Permissions grant users privileged access to resources and operations, like creating and deleting. Clerk supports two types of permissions: system permissions and custom permissions.
System permissions
Clerk provides a set of system permissions that power Clerk's Frontend API and organization-related Clerk components. These permissions serve as the baseline required for Clerk to operate effectively.
Clerk's system permissions consist of the following:
- Manage organization (org:sys_profile:manage)
- Delete organization (org:sys_profile:delete)
- Read members (org:sys_memberships:read)
- Manage members (org:sys_memberships:manage)
- Read domains (org:sys_domains:read)
- Manage domains (org:sys_domains:manage)
- Read billing (org:sys_billing:read)
- Manage billing (org:sys_billing:manage)
You can assign these system permissions to any role.
Custom permissions
Custom permissions let you define fine-grained access control within your organization. Each permission is tied to a feature, and can be assigned to one or more roles. To create a custom permission, you must first create a role (e.g. sales) and a feature within that role (e.g. invoices). Once both exist, you can define specific permissions (e.g. create) related to that feature.
To create a new permission:
- In the Clerk Dashboard, navigate to Roles & Permissions.
- Create a new role or use an existing role from the list.
- Under Custom permissions, select Create permission under the feature you want to create the permission for. If there are no features, you'll need to create a new one first. Select Create feature and fill in the required fields. Once finished, the newly created feature will appear in the list, and the Create permission button will appear.
- Give the permission a name, a key to reference it by, and a description. The final key will follow the format org:<feature>:<permission>.
- Select Create permission.
You can also create a custom permission by navigating to the Features tab in the Clerk Dashboard.
Verify a user's role or permission
It's best practice to always verify whether a user is authorized before exposing sensitive information, important content, or exclusive features. Authorization is the process of determining a user's access rights and privileges, ensuring they have the necessary permissions to perform specific actions. To perform authorization checks using a user's role or permission, see the guide on authorizing users.
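As an added example (not Clerk's own code), the following JavaScript models the checks this page implies: validating the org:<role> and org:<feature>:<permission> key formats, confirming that a role carries the three system permissions required of the Creator role, and a deny-by-default role/permission check over session claims. The claim names org_id, org_role and org_permissions, the lowercase/underscore character set for keys, the rule that custom keys may not use the sys_ prefix, and the sample claims are all assumptions constructed for this example.

```javascript
// Added example, not Clerk's own code. The claim shape and key character set
// are assumptions; the permission keys and Creator requirements come from the page.

// System permission keys listed on this page.
const SYSTEM_PERMISSIONS = new Set([
  'org:sys_profile:manage', 'org:sys_profile:delete',
  'org:sys_memberships:read', 'org:sys_memberships:manage',
  'org:sys_domains:read', 'org:sys_domains:manage',
  'org:sys_billing:read', 'org:sys_billing:manage',
]);

// Permissions the Creator role must carry at minimum.
const CREATOR_REQUIRED = [
  'org:sys_memberships:manage', 'org:sys_memberships:read', 'org:sys_profile:delete',
];

// Role keys follow org:<role>; custom permission keys follow org:<feature>:<permission>.
// Assumption: lowercase letters, digits and underscores; custom features never start
// with sys_, so a custom key can never shadow a system permission.
const ROLE_KEY = /^org:[a-z0-9_]+$/;
const CUSTOM_PERMISSION_KEY = /^org:(?!sys_)[a-z0-9_]+:[a-z0-9_]+$/;

function isValidRoleKey(key) { return ROLE_KEY.test(key); }

// A permission key is valid if it is a system permission or a well-formed custom key.
function isValidPermissionKey(key) {
  return SYSTEM_PERMISSIONS.has(key) || CUSTOM_PERMISSION_KEY.test(key);
}

// Returns the system permissions a role still lacks before it can be set as Creator.
function missingCreatorPermissions(rolePermissions) {
  const granted = new Set(rolePermissions);
  return CREATOR_REQUIRED.filter((p) => !granted.has(p));
}

// Authorization check over session claims: deny by default, require an active
// organization (org_id) so a personal-account session never passes an org check,
// and require at least one condition so an empty check cannot accidentally allow.
function has(claims, { role, permission } = {}) {
  if (!claims || !claims.org_id) return false;
  if (role !== undefined && claims.org_role !== role) return false;
  if (permission !== undefined && !(claims.org_permissions || []).includes(permission)) return false;
  return role !== undefined || permission !== undefined;
}

// Constructed sample claims for a member of the Billing role described on this page.
const SAMPLE_CLAIMS = {
  org_id: 'org_example', org_role: 'org:billing',
  org_permissions: ['org:sys_billing:read', 'org:sys_billing:manage', 'org:invoices:create'],
};
```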
Next steps
- Learn how to limit access to content or entire routes based on a user's role or permissions
- Learn how to automatically invite users to an organization based on their email domain
- Learn how to manually invite users to an organization
- Learn how to automatically add users to an organization based on their email domain