User Attributes for parameterized roles

Published: May 8, 2026

v2026-04-27

Enterprise organizations managing large teams on Sanity can now use User Attributes to create parameterized roles that adapt to each user automatically. Instead of creating a separate custom role for every combination of location, department, or language, you define a small number of roles that resolve dynamically based on who the user is.

How it works

User Attributes are key-value pairs attached to a user's profile within an organization (for example, location="london", department="editorial", language="french"). Attributes come from two sources:

  • SAML (automatic): Captured from identity provider assertions during SSO login. Refreshed on every authentication.
  • Sanity (manual): Set by administrators through Manage or the Management API. Used to supplement IdP data or override specific values.

When both sources provide the same attribute, the Sanity value takes precedence. Removing the override reveals the SAML value again.

Parameterized roles with GROQ filters

Attributes can be referenced in content resource filters using the user::attributes() function. Instead of creating a separate role for each branch office, define a single role with a filter like:

_type == "post" && branch == user::attributes().branch

Reducing role complexity at scale

Organizations managing dozens of locations, markets, or business units have been forced to create a separate custom role for every permutation of access. User Attributes reduces this complexity. Your roles become more powerful because they adapt to each user's context rather than requiring a static definition for every combination.

Attributes also support temporary reassignments. An administrator can override a user's location attribute in Sanity without modifying the identity provider. When the override is removed, the SAML value takes effect again on the next login.

Important details

  • Fail-closed security: If a user is missing an attribute that a content resource filter references, the filter denies access by default.
  • Supported types: string, integer, number, boolean, and array variants of each (except boolean).
  • Enterprise plans: User Attributes is available on certain Enterprise plans.
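The precedence rule under "How it works" and the fail-closed behaviour listed above can be checked against a small local model. This is an added example, not Sanity's code or API: the function names, the sample documents, and the user's attributes are all constructed for illustration.

```javascript
// Local model of the behaviour described on this page; not Sanity's implementation.
// All function names, documents and attribute values are constructed sample data.

// Sanity-set values take precedence over SAML values for the same key.
function resolveAttributes(saml, sanityOverrides = {}) {
  return { ...saml, ...sanityOverrides };
}

// Models the filter: _type == "post" && branch == user::attributes().branch
// A missing attribute denies access. Without this guard, a plain equality
// check in this model would match documents that have no branch field.
function canAccess(doc, attrs) {
  if (attrs.branch === undefined || attrs.branch === null) return false;
  return doc._type === "post" && doc.branch === attrs.branch;
}

// IDs of the documents one user can reach through the single parameterized role.
function visibleIds(docs, saml, sanityOverrides = {}) {
  const attrs = resolveAttributes(saml, sanityOverrides);
  return docs.filter((d) => canAccess(d, attrs)).map((d) => d._id);
}

const docs = [
  { _id: "p1", _type: "post", branch: "london" },
  { _id: "p2", _type: "post", branch: "paris" },
  { _id: "p3", _type: "post" }, // no branch field
  { _id: "a1", _type: "author", branch: "london" },
];

// Attributes as they might arrive from the identity provider at SSO login.
const samlUser = { branch: "london", department: "editorial" };

console.log("SAML only:        ", visibleIds(docs, samlUser));
console.log("Sanity override:  ", visibleIds(docs, samlUser, { branch: "paris" }));
console.log("Override removed: ", visibleIds(docs, samlUser, {}));
console.log("Attribute missing:", visibleIds(docs, { department: "editorial" }));
```

When reviewing a real filter, the last case is the one to test: a user with no value for the referenced attribute should see nothing, including documents that lack the field entirely.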