Custom Roles
Create and manage organization-specific roles through the UI.
Custom roles allow organizations to create roles tailored to their specific needs without modifying code. Each organization can define its own roles with custom permissions.
Overview
While the static RBAC configuration defines app-wide roles, custom roles are:
- Created per-organization through the UI
- Stored in the database
- Configurable without deployments
Enabling Custom Roles
To enable custom roles, you need to set the NEXT_PUBLIC_ENABLE_CUSTOM_ROLES environment variable to true.
apps/web/.env
```bash
NEXT_PUBLIC_ENABLE_CUSTOM_ROLES=true
```
This feature is disabled by default.
Accessing Roles Management
Navigate to Settings → Roles to manage custom roles.
- Route: /settings/roles
- Permissions: Requires ac:read permission (admin or owner)
Default Roles
Three roles come pre-configured and cannot be modified:
| Role | Level | Description |
|---|---|---|
| Owner | 100 | Full organization control |
| Admin | 50 | Manage members and settings |
| Member | 10 | Basic access |
Creating Custom Roles
Click Create Role to add a new custom role:
- Name — Unique identifier (lowercase, hyphens allowed)
- Position — Where in hierarchy relative to default roles
- Description — Optional explanation of the role's purpose
- Permissions — Configure via the Permission Matrix
Position Options
Custom roles are inserted relative to existing roles:
| Position | Hierarchy Level | Permissions Template |
|---|---|---|
| Above Admin | 75 | Admin-level |
| Between Admin and Member | 30 | Member-level |
| Below Member | 5 | Member-level |
Permission Matrix
The permission matrix provides fine-grained control:
| Resource | Available Actions |
|---|---|
| Organization | read, update, delete |
| Member | create, read, update, delete |
| Invitation | create, read, update, delete, cancel |
| Billing | read, update |
| Access Control | read |
Check the actions to grant for each resource.
Viewing Role Details
Click the View action to see a role's complete permission configuration in a read-only dialog.
Editing Custom Roles
Click Edit from the actions menu to modify:
- Role name
- Description
- Permission assignments
Note: Default roles (owner, admin, member) cannot be edited.
Deleting Custom Roles
To delete a custom role:
- Ensure no members are assigned the role
- Click Delete from the actions menu
- Confirm the deletion
If members are assigned to the role, reassign them first.
Using Custom Roles
Once created, custom roles appear automatically in:
- Invitation dialog — Assign role when inviting members
- Update role dialog — Change existing member roles
- Members table — Role badges display correctly
Static vs Dynamic Roles
| Aspect | Static Config | Custom Roles |
|---|---|---|
| Defined in | rbac.config.ts | Database |
| Scope | All organizations | Per-organization |
| Requires deploy | Yes | No |
| Best for | App-wide roles | Organization-specific needs |
Both approaches can be used together. Static roles provide the foundation, while custom roles offer flexibility.
Server-Side Integration
Custom roles integrate with the existing permission system:
```ts
import { headers } from 'next/headers';

// `auth` is the application's server-side auth instance.
// Check permissions - works with custom roles
const canInvite = await auth.api.hasPermission({
  headers: await headers(),
  body: {
    permissions: {
      member: ['create'],
    },
  },
});
```
The canTargetRole function also supports custom roles when given the organization's role hierarchy.
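As an added example (not code from this project), the code below validates a custom role definition on the server against the name rule, position options and permission matrix described on this page, and includes a hypothetical `outranks` hierarchy check. The resource keys other than `member` and `ac`, the position keys, the letters-only name pattern and all function names are assumptions.

```typescript
// Added example, not project code. Resource keys other than `member` and `ac`,
// the position keys and the function names are assumptions.
const MATRIX: Record<string, string[]> = { // from the Permission Matrix table
  organization: ['read', 'update', 'delete'],
  member: ['create', 'read', 'update', 'delete'],
  invitation: ['create', 'read', 'update', 'delete', 'cancel'],
  billing: ['read', 'update'],
  ac: ['read'],
};
const DEFAULT_LEVELS: Record<string, number> = { owner: 100, admin: 50, member: 10 };
const POSITION_LEVELS: Record<string, number> = {
  'above-admin': 75, 'between-admin-and-member': 30, 'below-member': 5,
};
// Lowercase words joined by single hyphens (letters only: a stricter assumption).
const NAME_RE = /^[a-z]+(-[a-z]+)*$/;

// Own-property lookup, so keys such as "constructor" never resolve via the prototype.
function own<T>(table: Record<string, T>, key: string): T | undefined {
  return Object.prototype.hasOwnProperty.call(table, key) ? table[key] : undefined;
}

interface RoleInput { name: string; position: string; permissions: Record<string, string[]> }

// Returns the list of problems; an empty list means the definition is acceptable.
function validateCustomRole(input: RoleInput, existingNames: string[]): string[] {
  const errors: string[] = [];
  if (!NAME_RE.test(input.name)) errors.push('name: use lowercase letters and hyphens');
  if (own(DEFAULT_LEVELS, input.name) !== undefined) errors.push('name: default role');
  if (existingNames.indexOf(input.name) !== -1) errors.push('name: already in use');
  if (own(POSITION_LEVELS, input.position) === undefined) errors.push('position: unknown');
  for (const resource of Object.keys(input.permissions)) {
    const allowed = own(MATRIX, resource);
    if (!allowed) { errors.push('permissions: unknown resource ' + resource); continue; }
    for (const action of input.permissions[resource]) {
      if (allowed.indexOf(action) === -1) errors.push(`permissions: ${resource}:${action}`);
    }
  }
  return errors;
}

// Hypothetical hierarchy rule (an assumption, not canTargetRole itself):
// the actor's level must be strictly higher than the target role's level.
function outranks(actor: string, target: string, customLevels: Record<string, number>): boolean {
  const a = own(DEFAULT_LEVELS, actor) ?? own(customLevels, actor); // defaults win on a clash
  const t = own(DEFAULT_LEVELS, target) ?? own(customLevels, target);
  return a !== undefined && t !== undefined && a > t;
}
```

Running the same validation on the server matters because the role form in the UI can be bypassed by calling the API directly.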
Related Documentation
- Roles & Permissions — Static RBAC configuration
- Permissions API — Server-side permission checking
- Invitations — Member invitation workflow