Roles are the core of an attribute-based access control (ABAC) schema. Role is a native collection of user-defined roles that extends the built-in roles.

Roles work together with one of the Token, Key, or AccessProvider native collections. The following table explains how Fauna evaluates role privileges and membership depending on whether the caller is attempting to access resources by using a Token, Key, or AccessProvider:

Resource Role participation


Internal authentication by Fauna. Fauna evaluates stored Credential to authenticate a caller. Role membership and privileges are evaluated to grant authorization.


Internal authorization without the use of identity authentication. Presentation of a Fauna key secret enables the caller. Only the role privileges are evaluated to grant authorization.


External authentication by an identity provider (IdP). A third-party caller supplies the JWT secret from the provider. The JWT is matched to an AccessProvider document to authenticate the caller. The predicates on the provider document and the role privileges together are evaluated to grant authorization.

Keys are associated with a built-in role or a used-defined role.

Built-in roles

Admin role

Keys with the admin role are used for managing their associated database, including the database access providers, child databases, documents, functions, indexes, keys, tokens, and user-defined roles.

Because a key with the admin role can be used in its associated database to create and destroy child databases and to change any document content or access controls, they should be well protected.

Admin keys for Fauna accounts are managed in the Fauna Dashboard.

Server role

Keys with the server role are used for managing their associated database, including database documents, functions, and indexes.

User-defined roles and child databases, including child database documents, can’t be directly managed with a server role, unlike with the admin role. Otherwise, the server role is equivalent in all other respects to the admin role.

The server role has create, write, and call permissions on User-defined functions (UDFs). The server role can assign any role to a UDF, including the admin role. When a UDF has the admin role, calling that function causes it to be executed with all available privileges.

Server read-only role

Keys with the server-readonly role allow read-only access to all data in the database that they are assigned to. Because they provide unrestricted read access, they should be well protected and used only in trusted or server-side environments.

User-defined roles

Keys can specify one or more user-defined roles. The privileges for such a key are given by the associated roles.

Keys with user-defined roles are equivalent to tokens in that there are no privileges provided by default, but there is no associated identity.

Is this article helpful? 

Tell Fauna how the article can be improved:
Visit Fauna's forums or email

Thank you for your feedback!