
Configuring user permissions in Payload with the Simple RBAC plugin

We've created the Simple Role-Based Access Control (RBAC) plugin to make managing access control in new Payload setups go a lot smoother.

The plugin aims to remain simple, so it won't provide fine-grained control or complex, overlapping roles. Skip to the end of the article, where we explain how it works.

Quick setup

We'll show you how quickly you can add managed permissions to your Payload app.

Install the plugin

yarn add @nouance/payload-simple-rbac

Add the configuration to Payload using the provided starter roles

import { buildConfig } from "payload/config";
import payloadSimpleRBAC, { starterRoles } from "@nouance/payload-simple-rbac";
// Your own collection configs; these import paths are placeholders.
import Users from "./collections/Users";
import Posts from "./collections/Posts";

const config = buildConfig({
  // ... rest of my config
  plugins: [
    payloadSimpleRBAC({
      roles: starterRoles,
      users: [Users.slug],
      defaultRole: "editor", // set a default
      collections: [
        {
          slug: Posts.slug,
          permissions: {
            read: "publishedOnly",
            update: "editor",
            create: "editor",
            delete: "manager",
          },
        },
      ],
    }),
  ],
});

export default config;

And that's it! You now have RBAC implemented. You will now find a role field on the users you've added to the configuration. Make sure you assign them the desired roles.

We'll explain how it works and how to extend the configuration in order for you to take full advantage of it.

How it works

Role priority

The order of the roles array also sets their priority: the plugin uses each role's index to determine which role can override certain permissions.

Permission overrides

For each permission, we override the target collection's configuration just for that permission. This means that if you don't configure a particular permission, such as read or update, it will default to your initial configuration or Payload's.

You can find out more about how Payload's access hooks work here.

Preconfigured permissions

public and publishedOnly are preconfigured permissions that provide common additional functionality: making access fully public, or limiting it to published content only.
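To make the three ideas above concrete, here is an added sketch (not the plugin's source) of index-based role checks expressed as Payload-style access functions. The helper name buildAccess, the sample role names, the lowest-to-highest ordering and the treatment of signed-in users under publishedOnly are all assumptions made for illustration.

```javascript
// Added illustration, not the plugin's source. Assumed: roles are ordered from
// lowest to highest priority, and these role names are constructed samples.
const roles = ["editor", "manager", "admin"];

// Build a Payload-style access function for one permission value (hypothetical helper).
function buildAccess(required, roleList) {
  if (required === "public") return () => true;
  if (required === "publishedOnly") {
    // Assumption: a user holding a known role sees everything; everyone else is
    // limited to published documents through a query constraint.
    return ({ req }) =>
      roleList.includes(req.user?.role) ? true : { _status: { equals: "published" } };
  }
  const requiredIndex = roleList.indexOf(required);
  // Fail closed at config time: a misspelled role gives index -1, and a naive
  // "userIndex >= requiredIndex" comparison would then admit every user.
  if (requiredIndex === -1) throw new Error(`Unknown role in permissions: ${required}`);
  return ({ req }) => {
    const userIndex = roleList.indexOf(req.user?.role);
    // Anonymous requests and unknown roles both yield -1 and are denied.
    return userIndex !== -1 && userIndex >= requiredIndex;
  };
}

// Mirrors the Posts permissions from the quick setup configuration.
const postsAccess = {
  read: buildAccess("publishedOnly", roles),
  update: buildAccess("editor", roles),
  create: buildAccess("editor", roles),
  delete: buildAccess("manager", roles),
};

// Constructed request shape: only req.user.role is used here.
const asUser = (role) => ({ req: { user: role ? { role } : null } });
```

The point worth checking in any real setup is the unknown-role path: a typo in a permission value or a stale role stored on a user should deny access rather than grant it.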


We've exposed some configuration to help you integrate this plugin meaningfully for your needs.

  • roles is fully configurable with your own custom array of roles
  • defaultRole allows you to set what the value should be initially

Stable release

We're still testing this plugin and trying to find the sweet spot between not over-engineering it and making it useful for our clients and the rest of the community, so we appreciate all the feedback we can get over at our GitHub page.

There are still things in the works that we want to polish and release. If you want to stay up to date with our journey, follow us on Twitter.