Users and Permissions Plugin: How to assign multiple roles to single end-user

How to assign multiple roles to a single user for the end-users?
As of now, we can assign multiple roles to a single user for the admin user management. However, for the end-users, in Strapi V4, there isn’t a way to assign multiple roles to a single user. Can this be configured somewhere?

You can find the schema.json of the ‘users-permissions’ plugin at the path src/extensions/users-permissions/content-types/user. Then you can modify the user-role relation to ‘manyToMany’:

"role": {
  "type": "relation",
  "relation": "manyToMany",
  "target": "plugin::users-permissions.role",
  "inversedBy": "users",
  "configurable": false
},

Save, then wait for the server to restart. Then you can add a user to many roles.
Though you can modify it, I think it is hard to manage a manyToMany relationship; it may get messy.
Adding a new field to manage the permissions may be better, I think.


I’m interested in this topic as well.

How would the above “manyToMany” customization handle conflicting permissions? For example, given a Role B permission is allowed, and Role A permission is not. Which takes precedence?

Let’s assume there’s some kind of priority. So if you consider an example priority like this: “Role C, Role A, Role B”… then in the same scenario above Role A’s permission overrides Role B’s.

In addition to all of this, I’m interested in integrating limits to access control as well. Count limit, rate limit, etc. So, for example “Only allow if they have less than X posts” or “Only allow if they are under the threshold of 100 in the past hour”. As well as the ability to add exceptions, like “For user X, allow unlimited posts”. These things are outside of the scope here, but… they must wrap the API. Presumably this would be a custom plugin from scratch.
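The priority scheme described in the post above, sketched as an added example that is not part of the original thread and is not Strapi code: the role names follow the post, while the action names, rule tables and function names are constructed assumptions. A deny-overrides resolver is included for comparison, since it gives the same answer for the post's scenario but stops depending on role order.

```javascript
// Added illustration, not Strapi code. Actions and rule tables are constructed.
// Each role states true (allow) or false (deny) per action; a missing key
// means the role has no opinion on that action.
const ROLES = {
  "Role A": { "post.create": false, "post.read": true },
  "Role B": { "post.create": true, "post.delete": true },
  "Role C": { "post.read": true },
};

// Highest priority first, as in the post: "Role C, Role A, Role B".
const PRIORITY = ["Role C", "Role A", "Role B"];

const hasRule = (rules, action) =>
  Boolean(rules) && Object.prototype.hasOwnProperty.call(rules, action);

// Priority resolution: the first role in `priority` that the user holds AND
// that has an explicit rule for the action decides the outcome.
function resolveByPriority(userRoles, action, roles = ROLES, priority = PRIORITY) {
  const held = new Set(userRoles);
  for (const name of priority) {
    if (!held.has(name)) continue;
    if (hasRule(roles[name], action)) return roles[name][action] === true;
  }
  // Default deny: no held role decided, or the role is unknown or unranked.
  return false;
}

// Deny-overrides resolution: any explicit deny wins regardless of order;
// otherwise at least one explicit allow is required.
function resolveDenyOverrides(userRoles, action, roles = ROLES) {
  let allowed = false;
  for (const name of new Set(userRoles)) {
    if (!hasRule(roles[name], action)) continue;
    if (roles[name][action] !== true) return false;
    allowed = true;
  }
  return allowed;
}

// The post's scenario: Role B allows, Role A does not, Role A ranks higher.
console.log(resolveByPriority(["Role A", "Role B"], "post.create")); // false
```
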

I can’t find that schema file. Can you explain where to find that file?

I modified the user-role relation to ‘manyToMany’. But now, when I have a user with multiple roles and I want to delete one, the Strapi BackOffice throws an error:

{
  "data": null,
  "error": {
    "status": 400,
    "name": "ValidationError",
    "message": "Cannot remove role",
    "details": {
      "errors": [
        {
          "path": [
            "role",
            "disconnect"
          ],
          "message": "Cannot remove role",
          "name": "ValidationError"
        }
      ]
    }
  }
}

I use Strapi version 4.8. Is there any solution? Has it been fixed in newer versions?

Thanks

In a Strapi 4.20.5 quickstart project, the file is in my-project/node_modules/@strapi/plugin-users-permissions/server/content-types/permission/index.js

Since it comes as a dependency, it seems strange to edit the relationship there; changing this is a hack. So I guess the conclusion is, in Strapi there is no concept of multiple roles for end users.