Roles & Permissions

The admin system uses a role-based access control (RBAC) system. Each user is assigned a role that determines their permissions within the system.

Available Roles

The system has the following administrative roles:
Role         Description
Owner        Full system access with all permissions
Manager      System management with most permissions
Developer    Technical access for development and integration
Support      Customer support with limited access
Marketing    Content management and marketing tools

Permission Structure

Permissions are organized by resource and action. Each permission follows the format resource:action. For example:
  • users:list - View list of users
  • users:create - Create new users
  • users:update - Update existing users
  • users:delete - Delete users

Resources

The following resources are available:
  • dashboard - Dashboard stats and analytics
  • users - User management
  • sites - Site management
  • roles - Role management

Actions

Each resource can have the following actions:
  • list - View list of items
  • create - Create new items
  • view - View item details
  • update - Update existing items
  • delete - Delete items

Role Permissions

Here’s a detailed breakdown of permissions by role:

Owner

Has all permissions including:
[
  "dashboard:stats",
  "users:list",
  "users:create",
  "users:view",
  "users:update",
  "users:delete",
  "sites:list",
  "sites:create",
  "sites:view",
  "sites:update",
  "sites:delete",
  "roles:list",
  "roles:create",
  "roles:view",
  "roles:update",
  "roles:delete"
]

Manager

Has most permissions excluding sensitive operations:
[
  "dashboard:stats",
  "users:list",
  "users:create",
  "users:view",
  "users:update",
  "sites:list",
  "sites:view",
  "sites:update",
  "roles:list",
  "roles:view"
]

Developer

Has technical access permissions:
[
  "dashboard:stats",
  "sites:list",
  "sites:view",
  "sites:update"
]

Support

Has customer support permissions:
[
  "dashboard:stats",
  "users:list",
  "users:view"
]

Marketing

Has content management permissions:
[
  "dashboard:stats",
  "posts:list",
  "posts:create",
  "posts:view",
  "posts:update"
]

Permission Checking

The system automatically checks permissions for each API request. If a user doesn’t have the required permission, they’ll receive a 403 Forbidden response:
{
  "success": false,
  "message": "You do not have permission to perform this action."
}
You can check the current user’s permissions through the authenticated user endpoint (/admin/auth/me) which includes the permissions array in the response.
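The check described above, as an added example that is not the admin system's own code: the role lists from this page, a deny-by-default permission lookup, and an assumed mapping from HTTP method and path to the required resource:action (the route shapes, the 200 body and the "Intern" role are constructed for the example). Note that each role only gets the permissions listed for it, so the Owner list above, which has no posts entries, is not treated as a superset of Marketing.

```python
import re
from typing import Optional

# Role -> permissions, taken from the role lists on this page.
ROLE_PERMISSIONS = {
    "Owner": {f"{r}:{a}" for r in ("users", "sites", "roles")
              for a in ("list", "create", "view", "update", "delete")} | {"dashboard:stats"},
    "Manager": {"dashboard:stats", "users:list", "users:create", "users:view", "users:update",
                "sites:list", "sites:view", "sites:update", "roles:list", "roles:view"},
    "Developer": {"dashboard:stats", "sites:list", "sites:view", "sites:update"},
    "Support": {"dashboard:stats", "users:list", "users:view"},
    "Marketing": {"dashboard:stats", "posts:list", "posts:create", "posts:view", "posts:update"},
}

PERMISSION_RE = re.compile(r"^[a-z]+:[a-z]+$")  # strict resource:action, no wildcards
FORBIDDEN = {"success": False, "message": "You do not have permission to perform this action."}

def required_permission(method: str, path: str) -> Optional[str]:
    """Map a request to the permission it needs (assumed route layout, not the real router)."""
    m = re.fullmatch(r"/admin/([a-z]+)(?:/([^/]+))?", path)
    if not m:
        return None  # unknown route shape: nothing can authorize it
    resource, item = m.group(1), m.group(2)
    method = method.upper()
    if resource == "dashboard":
        return "dashboard:stats" if method == "GET" and item == "stats" else None
    action = {  # (method, path names a single item) -> action from the Actions section
        ("GET", False): "list", ("GET", True): "view", ("POST", False): "create",
        ("PUT", True): "update", ("PATCH", True): "update", ("DELETE", True): "delete",
    }.get((method, item is not None))
    return f"{resource}:{action}" if action else None

def has_permission(role: str, permission: str) -> bool:
    """Deny by default: unknown role, malformed permission, or no exact match all fail."""
    if not PERMISSION_RE.match(permission or ""):
        return False
    return permission in ROLE_PERMISSIONS.get(role, set())

def authorize(role: str, method: str, path: str):
    """Return (status, body) the way the API would answer the request."""
    perm = required_permission(method, path)
    if perm is None or not has_permission(role, perm):
        return 403, FORBIDDEN
    return 200, {"success": True, "permission": perm}
```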