The Roles page (under Authorization → Manage) is where you compose what users (and credentials, and API keys) can do. The dashboard groups roles into Global (apply across every tenant in this application) and Tenant (scoped to a specific tenant). Click a role to edit its policies, assignees, and recent activity.
- `tenantId` (optional) — when set, the role only applies inside that tenant.
- `userCount` — how many users are currently assigned the role.
Roles don't carry permissions directly — that's policies' job. Two reasons: it makes "what does Admin actually mean?" answerable in one screen (look at the policies), and it makes refactoring trivial (swap a policy without touching every role that uses it).
The Global group covers roles that apply application-wide. A user assigned a global role gets those permissions in every tenant they belong to.
The Tenant group is scoped — the role only takes effect when checks are performed with that tenantId. Acme Corp's Admin role does not give the user any rights in Initech, even if both tenants exist in the same application.
```bash
# Create a global role (no tenantId)
curl -X POST https://your-app.authaz.io/api/v1/applications/{appId}/roles \
  -H "X-API-Key: $AUTHAZ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "name": "Owner", "policyIds": ["pol_owner"] }'

# Create a tenant-scoped role
curl -X POST https://your-app.authaz.io/api/v1/applications/{appId}/tenants/{tenantId}/roles \
  -H "X-API-Key: $AUTHAZ_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "name": "Tenant Admin", "policyIds": ["pol_tenant_admin"] }'
```
The dashboard surfaces tenant-scoped roles in the role list under each tenant's section, with the same role name allowed across tenants (so every tenant can have its own Admin if you want).
There's no built-in "Admin inherits from Member" mechanism — instead, share policies across roles:
pol_invoices_writer ← attached to Member, Admin, Owner
pol_customer_admin ← attached to Admin, Owner
pol_billing_owner ← attached to Owner
Removing or editing pol_invoices_writer changes Member, Admin, and Owner in lockstep. This is faster and harder to misconfigure than chained inheritance.
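The tenant-scoping rule and the shared-policy pattern above, modelled as an added example (not authaz.io's SDK or server code): the permission strings, the `role_*`/`tnt_*` ids and the `check()` helper are assumptions; the policy ids are the ones this page uses.

```python
"""Constructed model of the role/policy resolution described on this page:
an added illustration, not authaz.io's SDK. Permission strings, the
role/tenant ids and check() are assumptions; the policy ids are the page's."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Policies grant permissions; roles only reference policies by id.
POLICIES = {
    "pol_invoices_writer": {"invoices:read", "invoices:write"},
    "pol_customer_admin": {"customers:manage"},
    "pol_billing_owner": {"billing:manage"},
}

@dataclass(frozen=True)
class Role:
    name: str
    policy_ids: Tuple[str, ...]        # shared across roles instead of inheritance
    tenant_id: Optional[str] = None    # None means a Global role

ROLES = {
    "role_member": Role("Member", ("pol_invoices_writer",)),
    "role_admin": Role("Admin", ("pol_invoices_writer", "pol_customer_admin")),
    "role_owner": Role("Owner", ("pol_invoices_writer", "pol_customer_admin",
                                 "pol_billing_owner")),
    # Acme Corp's own Admin: same policies as Admin, scoped to one tenant.
    "role_acme_admin": Role("Admin", ("pol_invoices_writer", "pol_customer_admin"),
                            tenant_id="tnt_acme"),
}

def effective_permissions(assigned_role_ids, tenant_id, roles=ROLES, policies=POLICIES):
    """Union of permissions from the user's Global roles plus the Tenant roles
    whose tenantId matches the tenant the check is performed in."""
    perms = set()
    for rid in assigned_role_ids:
        role = roles[rid]
        if role.tenant_id is not None and role.tenant_id != tenant_id:
            continue                   # Acme's Admin grants nothing in Initech
        for pid in role.policy_ids:
            perms |= policies[pid]     # editing a policy changes every role using it
    return perms

def check(assigned_role_ids, tenant_id, permission):
    """Authorization check performed with a tenantId, as the page describes."""
    return permission in effective_permissions(assigned_role_ids, tenant_id)

if __name__ == "__main__":
    acme_only = ["role_acme_admin"]
    print(check(acme_only, "tnt_acme", "customers:manage"))     # True
    print(check(acme_only, "tnt_initech", "customers:manage"))  # False
```

Passing an edited `policies` mapping to `effective_permissions` shows the lockstep behaviour: removing a permission from `pol_invoices_writer` removes it from Member, Admin and Owner at once.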
The signup and invitation flows let you specify a defaultRoles list — every newly created user is auto-assigned those roles. Most apps want ["role_user"] or similar as a baseline.