# talk-kratos
s
Hey I'm new to the slack o/ I have a question regarding the identity schemas. So I can see the docs say that sensitive information should not be stored in that schema since it's user modifiable. However I'm getting mixed messages as to if I can use it to define system admins versus users or subscribers. Can I make a schema for all the different types of users and be assured the user can't just change their schema to admin for example, or can the user edit what schema they use also?
p
Hey @User Schemas aren't permissions. You would use different schemas if your user model has different data, e.g. employee vs customer. Even though the schema is defined as employee, your system will still need to validate if the person has employee permissions attached to their user id. Anything defined in the schema will be visible to the end-user, so storing sensitive information that only the backend should know of isn't an option. As said in the documentation:
Please keep in mind that the Identity Schema is not a place to store sensitive information that should not be visible to the end-user! Users can see traits and other data - except credentials - using the sessions/whoami endpoint. The Identity Schema is not the right place to store data that should be obfuscated from the user!
https://www.ory.sh/kratos/docs/concepts/identity-schema#identity-traits-and-json-schemas Also it is currently not possible for someone to "change" or choose a schema. Only the admin endpoint can define which schema to use when creating an identity. https://github.com/ory/kratos/issues/765
s
Thanks so much for that answer 🙂 I knew the schema was not the place for sensitive data, was just unsure if the intended use for many schemas was to define what user is what in a system. Again thanks for the response 🙂