Skip to main content


Authorization specifies which actions can be performed by users, SSO providers, and API tokens.

Styra DAS makes the common case easy and the uncommon case possible. The common case assigns users, SSO providers, or tokens to one or more roles. A role is a pre-built collection of permissions. For more granularity, you can assign users roles on a specific resource (for example, a single Styra DAS System). For the uncommon case, you can write Rego policies to define custom roles or custom rules that make whatever authorization decision you want.

For example, you can write a policy for the following users:

  • Ruchita should have full control of the Workspace level.

  • dev_team3 should have full control of the System level.

  • Alice should be given read-only control for the Workspace level to see the list of violations that require a fix.

To implement that policy with the Styra DAS, you must assign the following roles:

  • Assign Ruchita to the WorkspaceAdministrator role.

  • Assign dev_team3 to the SystemOwner role.

  • Write a custom role called WorkspaceViewer and assign Alice to that role on Workspace level. You can also write a custom Rego rule that allows Alice to access APIs when running in the Workspace level.

When you assign roles, you can assign them to each of the different forms of authentication that the DAS supports.

  • User IDs: These are in the form of email addresses.

  • SSO provider: When a user authenticates through SSO, the SSO provider can be assigned roles.

  • API tokens: Each API token can be assigned roles.

When roles are assigned, a user is granted the union of the permissions of all the roles the user is assigned. For example, if a user is granted both WorkspaceViewer and WorkspaceAdministrator at the Workspace level, then the user can view and administer the Workspace.