Assign roles to users

Learn how to assign roles to users in your application using the dashboard, SDK, or automated provisioning

After registering roles and permissions for your application, Scalekit provides multiple ways to assign roles to users. These roles allow your app to make the access control decisions as scalekit sends them to your app in the access token.

Auto assign roles as users join organizations

By default, the organization creator automatically receives the admin role, while users who join later receive the member role. You can customize these defaults to match your application’s security requirements. For instance, in a CRM system, you may want to set the default role for new members to a read-only role like viewer to prevent accidental data modifications.

Go to Dashboard > Roles & Permissions > Roles tab
Select the roles available and choose defaults for organization creator and member

This automatically assigns these roles to every users who joins any organization in your Scalekit environment.

Let users assign roles to others API

Enable organization administrators to manage user roles directly within your application. By building features like “Change role” or “Assign permissions” into your app, you can provide a management experience without requiring administrators to leave your app.

To implement role assignment functionality, follow these essential prerequisites:

Verify administrator permissions: Ensure the user performing the role assignment has the admin role or an equivalent role with the necessary permissions. Check the permissions property in their access token to confirm they have role management capabilities.
Verify permissions
1 // Decode JWT and check admin permissions 2 const decodedToken = decodeJWT(adminAccessToken); 3 4 // Check if user has admin role or required permissions 5 const isAdmin = decodedToken.roles.includes('admin'); 6 const hasPermission = decodedToken.permissions?.includes('users.write') || 7 decodedToken.permissions?.includes('roles.assign'); 8 9 if (!isAdmin && !hasPermission) { 10 throw new Error('Insufficient permissions to assign roles'); 11 }
Verify permissions
1 # Decode JWT and check admin permissions 2 decoded_token = decode_jwt(access_token) 3 4 # Check if user has admin role or required permissions 5 is_admin = 'admin' in decoded_token.get('roles', []) 6 has_permission = any(perm in decoded_token.get('permissions', []) 7 for perm in ['users.write', 'roles.assign']) 8 9 if not is_admin and not has_permission: 10 raise PermissionError("Insufficient permissions to assign roles")
Verify permissions
1 // Decode JWT and check admin permissions 2 decodedToken, err := decodeJWT(accessToken) 3 if err != nil { 4 return ValidationResult{Success: false, Error: "Invalid token"} 5 } 6 7 // Check if user has admin role or required permissions 8 roles := decodedToken["roles"].([]interface{}) 9 permissions := decodedToken["permissions"].([]interface{}) 10 11 isAdmin := false 12 hasPermission := false 13 14 for _, role := range roles { 15 if role == "admin" { 16 isAdmin = true 17 break 18 } 19 } 20 21 for _, perm := range permissions { 22 if perm == "users.write" || perm == "roles.assign" { 23 hasPermission = true 24 break 25 } 26 } 27 28 if !isAdmin && !hasPermission { 29 return ValidationResult{Success: false, Error: "Insufficient permissions"} 30 }
Verify permissions
1 // Decode JWT and check admin permissions 2 Claims decodedToken = decodeJWT(accessToken); 3 4 @SuppressWarnings("unchecked") 5 List<String> userRoles = (List<String>) decodedToken.get("roles"); 6 @SuppressWarnings("unchecked") 7 List<String> permissions = (List<String>) decodedToken.get("permissions"); 8 9 // Check if user has admin role or required permissions 10 boolean isAdmin = userRoles != null && userRoles.contains("admin"); 11 boolean hasPermission = permissions != null && 12 (permissions.contains("users.write") || permissions.contains("roles.assign")); 13 14 if (!isAdmin && !hasPermission) { 15 throw new SecurityException("Insufficient permissions to assign roles"); 16 }

Collect required identifiers: Gather the necessary parameters for the API call:

user_id: The unique identifier of the user whose role you’re changing
organization_id: The organization where the role assignment applies
roles: An array of role names to assign to the user

1
// Structure and validate role assignment data
2
const roleAssignmentData = {
3
  user_id: targetUserId,
4
  organization_id: targetOrgId,
5
  roles: newRoles,
6
  // Additional metadata for auditing
7
  performed_by: decodedToken.sub,
8
  timestamp: new Date().toISOString()
9
};
10

11
// Validate required fields
12
if (!roleAssignmentData.user_id || !roleAssignmentData.organization_id || !roleAssignmentData.roles) {
13
  throw new Error('Missing required identifiers for role assignment');
14
}

1
# Structure and validate role assignment data
2
role_assignment_data = {
3
    'user_id': target_user_id,
4
    'organization_id': target_org_id,
5
    'roles': new_roles,
6
    # Additional metadata for auditing
7
    'performed_by': decoded_token.get('sub'),
8
    'timestamp': datetime.utcnow().isoformat()
9
}
10

11
# Validate required fields
12
if not all([role_assignment_data['user_id'],
13
          role_assignment_data['organization_id'],
14
          role_assignment_data['roles']]):
15
    raise ValueError("Missing required identifiers for role assignment")

1
// Structure and validate role assignment data
2
roleAssignmentData := map[string]interface{}{
3
    "user_id":         req.UserID,
4
    "organization_id": req.OrganizationID,
5
    "roles":          req.Roles,
6
    // Additional metadata for auditing
7
    "performed_by":   decodedToken["sub"],
8
    "timestamp":      time.Now().UTC().Format(time.RFC3339),
9
}
10

11
// Validate required fields
12
if req.UserID == "" || req.OrganizationID == "" || len(req.Roles) == 0 {
13
    return ValidationResult{Success: false, Error: "Missing required identifiers"}
14
}

1
// Structure and validate role assignment data
2
Map<String, Object> roleAssignmentData = new HashMap<>();
3
roleAssignmentData.put("user_id", request.userId);
4
roleAssignmentData.put("organization_id", request.organizationId);
5
roleAssignmentData.put("roles", request.roles);
6

7
// Additional metadata for auditing
8
roleAssignmentData.put("performed_by", decodedToken.getSubject());
9
roleAssignmentData.put("timestamp", Instant.now().toString());
10

11
// Validate required fields
12
if (request.userId == null || request.organizationId == null || request.roles == null) {
13
    throw new IllegalArgumentException("Missing required identifiers for role assignment");
14
}

Call Scalekit SDK to update user role: Use the validated data to make the API call that assigns the new roles to the user through the Scalekit membership update endpoint.

1
// Use case: Update user membership after validation
2
const validationResult = await prepareRoleAssignment(
3
  adminAccessToken,
4
  targetUserId,
5
  targetOrgId,
6
  newRoles
7
);
8

9
if (!validationResult.success) {
10
  return res.status(403).json({ error: validationResult.error });
11
}
12

13
// Initialize Scalekit client (reference installation guide for setup)
14
const scalekit = new ScalekitClient(
15
  process.env.SCALEKIT_ENVIRONMENT_URL,
16
  process.env.SCALEKIT_CLIENT_ID,
17
  process.env.SCALEKIT_CLIENT_SECRET
18
);
19

20
// Make the API call to update user roles
21
try {
22
  const result = await scalekit.membership.updateMembership({
23
    user_id: validationResult.data.user_id,
24
    organization_id: validationResult.data.organization_id,
25
    roles: validationResult.data.roles
26
  });
27

28
  console.log(`Role assigned successfully:`, result);
29
  return res.json({
30
    success: true,
31
    message: "Role updated successfully",
32
    data: result
33
  });
34
} catch (error) {
35
  console.error(`Failed to assign role: ${error.message}`);
36
  return res.status(500).json({
37
    error: "Failed to update role",
38
    details: error.message
39
  });
40
}

1
# Use case: Update user membership after validation
2
validation_result = prepare_role_assignment(
3
    access_token,
4
    target_user_id,
5
    target_org_id,
6
    new_roles
7
)
8

9
if not validation_result['success']:
10
    return jsonify({'error': validation_result['error']}), 403
11

12
# Initialize Scalekit client (reference installation guide for setup)
13
scalekit_client = ScalekitClient(
14
    env_url=os.getenv("SCALEKIT_ENVIRONMENT_URL"),
15
    client_id=os.getenv("SCALEKIT_CLIENT_ID"),
16
    client_secret=os.getenv("SCALEKIT_CLIENT_SECRET")
17
)
18

19
# Make the API call to update user roles
20
try:
21
    from scalekit.v1.memberships.memberships_pb2 import UpdateMembershipRequest
22

23
    request = UpdateMembershipRequest(
24
        user_id=validation_result['data']['user_id'],
25
        organization_id=validation_result['data']['organization_id'],
26
        roles=validation_result['data']['roles']
27
    )
28

29
    result = scalekit_client.memberships.update_membership(request=request)
30
    print(f"Role assigned successfully: {result}")
31

32
    return jsonify({
33
        'success': True,
34
        'message': 'Role updated successfully',
35
        'data': str(result)
36
    })
37

38
except Exception as error:
39
    print(f"Failed to assign role: {error}")
40
    return jsonify({
41
        'error': 'Failed to update role',
42
        'details': str(error)
43
    }), 500

1
// Use case: Update user membership after validation
2
validationResult := prepareRoleAssignment(ctx, accessToken, req)
3

4
if !validationResult.Success {
5
    http.Error(w, validationResult.Error, http.StatusForbidden)
6
    return
7
}
8

9
// Initialize Scalekit client (reference installation guide for setup)
10
scalekitClient := scalekit.NewScalekitClient(
11
    os.Getenv("SCALEKIT_ENVIRONMENT_URL"),
12
    os.Getenv("SCALEKIT_CLIENT_ID"),
13
    os.Getenv("SCALEKIT_CLIENT_SECRET"),
14
)
15

16
// Make the API call to update user roles
17
data := validationResult.Data.(map[string]interface{})
18
updateRequest := &scalekit.UpdateMembershipRequest{
19
    UserId:         data["user_id"].(string),
20
    OrganizationId: data["organization_id"].(string),
21
    Roles:          data["roles"].([]string),
22
}
23

24
result, err := scalekitClient.Membership().UpdateMembership(ctx, updateRequest)
25
if err != nil {
26
    log.Printf("Failed to assign role: %v", err)
27
    http.Error(w, "Failed to update role", http.StatusInternalServerError)
28
    return
29
}
30

31
log.Printf("Role assigned successfully: %+v", result)
32
json.NewEncoder(w).Encode(map[string]interface{}{
33
    "success": true,
34
    "message": "Role updated successfully",
35
    "data":    result,
36
})

1
// Use case: Update user membership after validation
2
ValidationResult validationResult = prepareRoleAssignment(accessToken, request);
3

4
if (!validationResult.success) {
5
    return ResponseEntity.status(403).body(Map.of("error", validationResult.error));
6
}
7

8
// Initialize Scalekit client (reference installation guide for setup)
9
ScalekitClient scalekitClient = new ScalekitClient(
10
    System.getenv("SCALEKIT_ENVIRONMENT_URL"),
11
    System.getenv("SCALEKIT_CLIENT_ID"),
12
    System.getenv("SCALEKIT_CLIENT_SECRET")
13
);
14

15
// Make the API call to update user roles
16
try {
17
    @SuppressWarnings("unchecked")
18
    Map<String, Object> data = (Map<String, Object>) validationResult.data;
19

20
    UpdateMembershipRequest updateRequest = UpdateMembershipRequest.newBuilder()
21
        .setUserId((String) data.get("user_id"))
22
        .setOrganizationId((String) data.get("organization_id"))
23
        .addAllRoles((List<String>) data.get("roles"))
24
        .build();
25

26
    UpdateMembershipResponse response = scalekitClient.memberships().updateMembership(updateRequest);
27
    System.out.println("Role assigned successfully: " + response);
28

29
    return ResponseEntity.ok(Map.of(
30
        "success", true,
31
        "message", "Role updated successfully",
32
        "data", response.toString()
33
    ));
34

35
} catch (Exception e) {
36
    System.err.println("Failed to assign role: " + e.getMessage());
37
    return ResponseEntity.status(500).body(Map.of(
38
        "error", "Failed to update role",
39
        "details", e.getMessage()
40
    ));
41
}

Handle response and provide feedback: Return appropriate success/error responses to the administrator and update your application’s UI accordingly.

1
// Success response handling
2
if (result.success) {
3
  // Update UI to reflect role change
4
  await updateUserInterface(targetUserId, newRoles);
5

6
  // Send notification to user (optional)
7
  await notifyUserOfRoleChange(targetUserId, newRoles);
8

9
  // Log the action for audit purposes
10
  await logRoleChange({
11
    performed_by: decodedToken.sub,
12
    target_user: targetUserId,
13
    organization: targetOrgId,
14
    old_roles: previousRoles,
15
    new_roles: newRoles,
16
    timestamp: new Date().toISOString()
17
  });
18
}

1
# Success response handling
2
if result.get('success'):
3
    # Update UI to reflect role change
4
    await update_user_interface(target_user_id, new_roles)
5

6
    # Send notification to user (optional)
7
    await notify_user_of_role_change(target_user_id, new_roles)
8

9
    # Log the action for audit purposes
10
    await log_role_change({
11
        'performed_by': decoded_token.get('sub'),
12
        'target_user': target_user_id,
13
        'organization': target_org_id,
14
        'old_roles': previous_roles,
15
        'new_roles': new_roles,
16
        'timestamp': datetime.utcnow().isoformat()
17
    })

1
// Success response handling
2
if success {
3
    // Update UI to reflect role change
4
    updateUserInterface(targetUserID, newRoles)
5

6
    // Send notification to user (optional)
7
    notifyUserOfRoleChange(targetUserID, newRoles)
8

9
    // Log the action for audit purposes
10
    logRoleChange(map[string]interface{}{
11
        "performed_by": decodedToken["sub"],
12
        "target_user": targetUserID,
13
        "organization": targetOrgID,
14
        "old_roles": previousRoles,
15
        "new_roles": newRoles,
16
        "timestamp": time.Now().UTC().Format(time.RFC3339),
17
    })
18
}

1
// Success response handling
2
if (response.getBody().containsKey("success") &&
3
    Boolean.TRUE.equals(response.getBody().get("success"))) {
4

5
    // Update UI to reflect role change
6
    updateUserInterface(targetUserId, newRoles);
7

8
    // Send notification to user (optional)
9
    notifyUserOfRoleChange(targetUserId, newRoles);
10

11
    // Log the action for audit purposes
12
    logRoleChange(Map.of(
13
        "performed_by", decodedToken.getSubject(),
14
        "target_user", targetUserId,
15
        "organization", targetOrgId,
16
        "old_roles", previousRoles,
17
        "new_roles", newRoles,
18
        "timestamp", Instant.now().toString()
19
    ));
20
}

Automate role assignment with directory groups (SCIM)

Use SCIM provisioning to map directory provider groups to your app roles. When administrators add users to groups in their directory, Scalekit sends events so your app can update roles automatically. This reduces manual changes and keeps access aligned with enterprise policies.

See the full guide at Group-based role assignment.