Can You Create Read-Only Roles in FusionAuth?

wesley

We are evaluating the best permissions to assign different individuals in our QA and Production FusionAuth instances.

From the documentation, it seems that roles for tenants and applications are either create/update or delete, with no built-in read-only roles. Additionally, it appears that we cannot modify the roles for the default FusionAuth application.

Questions:

1. Is there a way to introduce read-only roles in FusionAuth?
2. If not, is there a plan to add this functionality in a future release?
3. We want to grant some users view-only access without allowing modifications—how can we achieve this?

wesley

1. Existing Role Limitations in FusionAuth

• FusionAuth provides predefined Admin UI roles, which are not modifiable.
• You can review the available roles here:
  FusionAuth Admin UI Roles
• The default FusionAuth application roles cannot be changed, which means read-only roles are not currently available.

2. Requesting Read-Only Roles as a Feature

• FusionAuth does not currently support read-only access roles for applications or tenants.
• The likely reason for this is that users who need to view application/tenant properties often also need to update them.
• However, you can submit a feature request to suggest adding read-only roles:
  Submit a Feature Request

3. Workaround: Implement a Custom Read-Only View

If immediate read-only access is required, consider:

• Using the FusionAuth APIs to create a custom dashboard where users can view but not edit data.
• Relevant APIs for this purpose:
  • Application API
  • Tenant API

Summary

• No built-in read-only roles exist for applications or tenants.
• FusionAuth Admin UI roles are not modifiable.
• You can request read-only roles as a feature via GitHub.
• A workaround is to build a custom, API-based read-only view.