Roles and Permissions

Clerk supports modeling your own custom Roles and Permissions to control access to resources within your application when you use Organizations.

Roles

Roles determine a user's level of access to the Organization. You can extend a Role's privileges and access to resources by adding Permissions.

Default Roles

For each instance there are currently two default roles:

  • Admin (org:admin): Offers full access to Organization resources. Members with the admin role have all the System Permissions. They can fully manage the Organization and Organization memberships.
  • Member (org:member): Offers limited access to Organization resources. By default, the only Permission granted is Read members. Members cannot manage the Organization or Organization memberships, but they can view information about other members in it.

If you enabled Organizations for your Application before December 2023, the Admin Role is admin and the Member Role is basic_member, instead of org:admin and org:member.

Custom Roles

You can create up to 10 custom Organization Roles per application instance to meet your application needs. If you need more than 10 Roles, reach out to support@clerk.dev.

Custom Roles can be granted Permissions and access. For example, you can create a new Role of “billing” (org:billing) which can be used to group users who belong to a specific department of the Organization and have permission to manage credit card information, invoices, and other resources related to billing.

The Creator Role

When a user creates a new Organization, that user is automatically added as the Organization's first member and assigned the Creator Role. By default, Admin is the Creator Role.

You can't delete a Role if it's used as the Organization Creator Role. However, you can reassign the Creator Role to another Role.

Permissions

Permissions grant users privileged access to resources and operations like creating and deleting. Clerk supports two types of permissions, System and Custom.

System Permissions

Clerk has a set of System Permissions that power Clerk’s Frontend API and Organization-related Clerk Components. They are the baseline set of permissions that Clerk needs in order to function.

Clerk’s System Permissions consist of the following:

  • Manage Organization (org:sys_profile:manage)
  • Delete Organization (org:sys_profile:delete)
  • Read members (org:sys_memberships:read)
  • Manage members (org:sys_memberships:manage)
  • Read domains (org:sys_domains:read)
  • Manage domains (org:sys_domains:manage)

You can assign these System Permissions to Roles.

Custom Permissions

When creating a new Permission, follow the format org:<resource>:<action>. You can then assign the Permission to an existing Role.

For example, you could create a new Role “sales” (org:sales) and a new Permission “Create invoices” (org:invoices:create) which allows only users with this Permission to edit invoices. You could also grant this Permission to the “billing” Role.
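
The Role and Permission keys above, modeled as a deny-by-default authorization check that tests Permission keys rather than Role names. This is an added example, not Clerk's code or API: the names parsePermission, can, ROLE_PERMISSIONS and LEGACY_ROLES, the allowed key characters, and the grants given to org:billing and org:sales are assumptions made for illustration.

```javascript
// Added example: a local model of the Roles and Permissions on this page.
// All names below are hypothetical; none of them are Clerk APIs.
const SYSTEM_PERMISSIONS = [
  'org:sys_profile:manage', 'org:sys_profile:delete',
  'org:sys_memberships:read', 'org:sys_memberships:manage',
  'org:sys_domains:read', 'org:sys_domains:manage',
];

// Role -> granted Permissions. The two default Roles follow the page;
// the grants for org:billing and org:sales are constructed sample data.
const ROLE_PERMISSIONS = new Map([
  ['org:admin', SYSTEM_PERMISSIONS],
  ['org:member', ['org:sys_memberships:read']],
  ['org:billing', ['org:sys_memberships:read', 'org:invoices:create']],
  ['org:sales', ['org:invoices:create']],
]);

// Role keys used by applications that enabled Organizations before December 2023.
const LEGACY_ROLES = new Map([['admin', 'org:admin'], ['basic_member', 'org:member']]);

// Parse org:<resource>:<action>; return null for anything malformed.
// The allowed character set is an assumption made for this example.
function parsePermission(key) {
  const m = /^org:([a-z0-9_]+):([a-z0-9_]+)$/.exec(String(key));
  if (!m) return null;
  return { resource: m[1], action: m[2], system: SYSTEM_PERMISSIONS.includes(m[0]) };
}

// Deny by default: malformed keys, unknown Roles and missing grants all fail.
// Maps are used so that Role strings such as "__proto__" cannot hit inherited properties.
function can(role, permission) {
  if (!parsePermission(permission)) return false;
  const granted = ROLE_PERMISSIONS.get(LEGACY_ROLES.get(role) ?? role);
  return granted !== undefined && granted.includes(permission);
}
```

Checking the Permission key instead of the Role name means a newly created custom Role gains access only through the Permissions assigned to it, and the same check works for both the current and the pre-December 2023 Role keys.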

Clerk © 2023