Roles and Permissions
Create admin roles, assign permissions, and control access across the Hexabot admin panel.
Roles group permissions for admin users. Each permission grants an action such as create, read, update, or delete over a model relation.
Use roles to control which product areas appear in the sidebar and which actions are available in lists and dialogs.
Open role management from Administration > Roles or go directly to /roles. The Roles menu item is hidden when SSO is enabled.
How access control works
Hexabot uses role-based access control for admin users:
A user has one or more roles.
A role has zero or more permissions.
Each permission combines a model, an action, and a relation.
The frontend loads the signed-in user's permissions from /user/permissions and builds a model-to-actions map. That map controls visible sidebar entries, page buttons, table actions, and some inline controls.
The four permission actions are:
create
Allows creating records for the model.
read
Allows listing or viewing records for the model.
update
Allows editing records for the model.
delete
Allows deleting records for the model.
The relation selector in the current permissions dialog creates role-scoped permissions. Leave the relation set to Role unless your deployment has custom backend logic that supports another relation.
Default roles
Fresh installations seed three roles:
admin
Full access to every seeded model.
manager
Broad operational access, excluding administration models such as AuditLog, Role, User, and Permission.
public
Reserved for public endpoints. Do not use it as an admin access profile unless you intentionally add permissions to it.
You can rename, extend, or replace roles to match your organization. Before changing default roles, make sure at least one active account keeps the ability to manage users, roles, and permissions.
Roles list
The Roles page shows:
ID
Name
Creation date
Last update date
Operations
Use the search box to filter roles by name. The search value is synced to the URL.
Add or edit a role
Click Add to create a role. A role only needs a unique name.
Use Edit in the Operations column to rename an existing role. Renaming a role does not remove its permissions or user assignments.
Required permissions:
Role: read
Shows the Roles page and loads the role list.
Role: create
Shows the Add button and allows creating roles.
Role: update
Shows the Edit action and allows renaming roles.
Delete a role
Use Delete in the Operations column to remove a role. Hexabot asks for confirmation before sending the delete request.
A role cannot be deleted when:
It is assigned to the current account.
It is assigned to any other user.
Your account does not have
deletepermission onRole.
Remove the role from all users before deleting it. Deleting a role also removes the permissions attached to that role.
Manage role permissions
Use Permissions in the Operations column to open the permission manager for a role.
The dialog is organized by model. Expand a model to see the permissions currently attached to the selected role. Each row shows:
Action
Relation
A delete action for removing that permission
To add a permission:
Expand the target model.
Select an action:
create,read,update, ordelete.Keep the relation set to Role.
Click the add icon.
To remove a permission, click the delete icon on that permission row.
Loading the model list requires Model: read. Saving permission changes requires Permission: create for additions and Permission: delete for removals.
The backend enforces uniqueness for the model, action, role, and relation combination. If you add the same permission twice, the UI shows a duplicate-permission error.
Changing permissions takes effect for users with that role the next time the frontend refreshes its permission data. Ask affected users to refresh the admin panel if menu items or buttons do not update immediately.
Last updated
Was this helpful?