The moment so long awaited by many Strapi users is here. Strapi custom roles and permissions (also known as RBAC) are available in the Community Edition starting from v4.8. For free. Without limitations.
Before Strapi v4.8, the free Community Edition RBAC was limited to only three predefined roles: SuperAdmin, Editor, and Author. Granular and custom roles and permissions were only available in the Enterprise Edition, with a limitation on the number of users for each plan.
After listening to the community feedback and analyzing the Strapi pricing model, we have decided to sunset the Strapi Enterprise Bronze and Silver plans and remove the limitations on the RBAC feature. As of today, all Strapi users who migrate to v4.8 are able to create an unlimited number of custom roles and permissions. We believe that this feature is indispensable for building efficient and secure content management processes and that it should be accessible to all Strapi users and plugin developers.
Custom roles and permissions are one of the most powerful Strapi features, providing Role-Based Access Control (RBAC) for users and groups.
RBAC is a security model that defines the permissions and actions that each user or group can perform within an application. This model provides a granular level of control over what fields, content types, plugins or settings users can access, edit, create, or delete within an application.
Role-Based Access Control allows you to create custom roles that are tailored to specific user needs. This means that you can define what actions a user can take within an application, based on their role, without having to give them full access to the entire system.
It also allows you to define custom conditions on permissions for any user. For example, you can define a field-level condition allowing access only to invoices where the amount is lower than $15K. If the Internationalization plugin is installed, you can define which authors should be granted privileges to update the "English" locale.
This level of granularity and flexibility is what makes the Strapi Role-Based Access Control system stand out from the competition. Please have a look at the documentation and this article about best practices to learn more.
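As an added example (not code from the announcement or from Strapi), here is how the "invoices under $15K" condition described above can be registered through Strapi v4's admin `conditionProvider` API, together with a constructed matcher that shows how such a query object is evaluated against entries. The `amount` field, the condition name and the sample invoices are assumptions.

```javascript
// Payload shape of Strapi v4's documented conditionProvider.register() call.
// `handler` is a query object; Strapi evaluates it with the `sift` library.
const INVOICE_UNDER_15K = {
  displayName: 'Invoice amount under $15K',
  name: 'invoice-amount-under-15k',
  plugin: 'admin',
  handler: { amount: { $lt: 15000 } },
};

// In a project this belongs in the `bootstrap` lifecycle of ./src/index.js, which
// receives the `strapi` instance; the condition then appears in the admin panel and
// can be attached to a role's permissions on the invoice content type.
async function registerInvoiceCondition(strapi) {
  await strapi.admin.services.permission.conditionProvider.register(INVOICE_UNDER_15K);
  return INVOICE_UNDER_15K.name;
}

// Constructed stand-in for sift covering the comparison operators a field-level
// condition typically needs. A missing field never satisfies the condition, so an
// entry without `amount` is denied rather than silently allowed (fail closed).
const OPERATORS = {
  $lt: (a, b) => a < b,
  $gte: (a, b) => a >= b,
  $eq: (a, b) => a === b,
};

function matchesCondition(entry, query) {
  return Object.entries(query).every(([field, clause]) =>
    field in entry &&
    Object.entries(clause).every(([op, expected]) => {
      const compare = OPERATORS[op];
      if (!compare) throw new Error(`Unsupported operator: ${op}`);
      return compare(entry[field], expected);
    })
  );
}

// Constructed sample entries: a role carrying this condition may read invoice 1,
// not invoice 2 (exactly $15K is not "lower than"), and not 3 (no amount recorded).
const SAMPLE_INVOICES = [{ id: 1, amount: 9500 }, { id: 2, amount: 15000 }, { id: 3 }];

function readableInvoiceIds(invoices = SAMPLE_INVOICES) {
  return invoices
    .filter((inv) => matchesCondition(inv, INVOICE_UNDER_15K.handler))
    .map((inv) => inv.id); // [1]
}
```

Once the condition is registered, it is selected per permission in the admin panel under the role's settings, so the same role can be granted unconditional read on one content type and conditional read on invoices.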
This security feature is often a must-have in a wide range of industries and projects, including financial services, retail, telecom, government, healthcare and more.
If you're looking to develop a Strapi application for managing a network of franchises, partner portals, or any distributed network and global communities comprising multiple subgroups or entities, this feature would prove extremely beneficial.
Here are some of the best practices on how to make the most of custom roles and permissions:
Define roles based on user needs: Define roles based on what users need to do within the application, rather than creating roles based on job titles or department names.
Limit permissions: Limit permissions to only what users need to do their job. Don't give users access to features or data that they don't need.
Enforce the lowest level of permissions first: each role should be strictly based on each contributor's responsibilities. Reduce risk, both from malicious intent and from user error, by following the principle of least privilege.
Add granular CRUD permissions for each field: Set different permissions for each field in any content type for any Create, Read, Update or Delete operation.
Regularly review permissions: Regularly review permissions to ensure that users only have access to what they need. Remove permissions for users who no longer need them.
Use groups: Use groups to assign roles to multiple users at once, rather than assigning roles to individual users. This makes it easier to manage permissions for large numbers of users.
Audit permissions: Audit permissions regularly to ensure that they are being used appropriately. Check for any unusual or suspicious activity that may indicate a security breach.
We've recently announced changes to the Strapi Enterprise plans. Apart from custom roles and permissions becoming available in the Community Edition, here's what you need to know:
We've sunsetted the Strapi Enterprise Bronze and Silver plans on March 1st, 2023.
The Strapi Enterprise Gold plan is renamed Strapi Enterprise.
Bronze and Silver customers have until their renewal date to transition to Strapi Cloud (a new managed platform to boost your team velocity), Strapi Enterprise or Strapi Community Edition v4.8 and upcoming versions.
If your subscription period ends soon and you absolutely need the RBAC feature but can't migrate to Strapi v4.8, please send an email to firstname.lastname@example.org.
We are introducing the concept of "Seats" in our pricing model to align with our Strapi Cloud offering and avoid current confusion around the definition of Admin Users.
A new audit logs feature is now available in Strapi Enterprise.
If you have any questions regarding the Strapi Enterprise Edition, please have a look at this article or contact us directly:
Contact sales to learn more about the Enterprise Edition
Customers can contact email@example.com directly
The Strapi marketplace now lists more than 100 plugins, providers and custom fields. We thank all community members for contributing their work, allowing other Strapi users to easily extend their app.
Here are the new plugins, available on the Strapi Market:
Open AI - an official Strapi plugin that allows you to create OpenAI completions from a prompt.
Get your plugin or provider listed on the Strapi Market and showcase your work to more than 20,000 monthly visitors. Here are all the resources you need to create and promote a plugin or provider and the submission form for listing it on the marketplace.
Meet the Strapi team members who worked on the latest feature, share your feedback, ask questions, and learn what’s coming next.
Join us on March 23rd, 10AM CST.
To create a new Strapi v4.8 project, simply run the following command:
npx create-strapi-app my-project --quickstart
We would love to hear what you think about the new features! Let us know in this forum thread.
Audit logs improvements, Data Transfer in Strapi v4.7
Relations and component reordering, data export & import, audit logs in Strapi v4.6
Strapi is an open-source product that grows thanks to community support and contributions.
Here's how you can help us improve the product:
Contribute to the project on GitHub
Share what features you'd love to have in our public roadmap
Create Strapi plugins and submit them to the Strapi market
Showcase the projects you built in Strapi Showcase
Join the Strapi Cloud Beta program
We appreciate each contribution and piece of feedback that you share. Stay tuned for more updates!