Roles

Last modified on May 30, 2025

Roles, when assigned to users, provide users with access to resources. A role is a collection of permissions that are granted to the users that are assigned to that role.

To assign users to roles in the Admin UI, you can simply go to the user in question, open the Roles tab, search your roles list, and add them. In the CLI, you can use the sdm admin users command.

In order to add permissions to a role, use access rules. Access rules provide two methods by which to assign access permissions to a role. Static access rules are manually assigned permissions. Dynamic access rules provide permissions for resources based on tags and resource types chosen.

A list (in table format) of existing roles is displayed on the Roles page in the Admin UI. You can sort the table of roles in your organization by clicking on column headers. Clicking a column header sorts the table by the values in that column, in ascending order. Clicking again on the same header reverses the sorting direction.

Suspended

Users in the Suspended role cannot log in or access any datasources or servers.

Access Rules

In order to add permissions to a role, you use access rules. Access rules provide two methods by which to assign access permissions to a role. Static access rules are manually assigned permissions. Dynamic access rules provide permissions for resources based on tags and resource types chosen.

Access rule editor

Access rules are the building blocks of roles. You can add, edit, or delete access rules within a role. Navigate to the Principals > Roles page, and then look at a role (or create a new one). To edit an existing access rule, click edit. To delete an access rule, click edit and once the Edit view is open, click Delete Access Rule.

Each role can comprise up to 10 access rules.

The access rule editor can create both static access rules and dynamic access rules.

Static access rules

Static access rules are the method by which you can assign access to specific resource(s) to a role, one at a time from a list of checkboxes. You can select up to 2000 resources per rule.

Dynamic access rules

Dynamic access rules provide the tool set to dynamically assign resource access to members of the role. Each dynamic access rule is made up of two properties:

Resource type: You can choose a specific type of resource, such as a MySQL databases or EKS clusters, or you can choose All resource types.
Resource tags: Tags are key-value pairs assigned to resources. An access rule may include up to 20 tags.

A dynamic access rule will grant access to all resources that meet all of the criteria specified in its properties. Dynamic access rules are an “and” relationship internally, not “or.” For example, specifying one database type and two tags will grant access only to resources that are of that database type and have both of those tags.

The access rule editor indicates if there are no resources that currently match your criteria. If there are matching resources, it indicates how many.

You can find resources and information about the following StrongDM topics in this section:

Import Roles

Roles

Suspended #

Access Rules #

Access rule editor #

Static access rules #

Dynamic access rules #

Suspended

Access Rules

Access rule editor

Static access rules

Dynamic access rules