User Roles (Admin)
The User Roles section lets admins manage the third RBAC layer in Lumio — the set of user-scope permissions that controls what authenticated users can do across community features like the Ideas Hub. This is distinct from the account-scope roles (which control dashboard access within a streaming account) and from admin roles (which control access to the admin panel itself).
Where to Find It
Admin sidebar → User Roles. The list lives at /user-roles; individual role detail pages are at /user-roles/{id}. Per-user role assignments and permission overrides are managed from the user detail page at /users/{id}. Per-account permission overrides are managed from the account detail page at /accounts/{id}.
Role List
The list at /user-roles shows all user roles.
Columns
| Column | Description |
|---|---|
| Name | Role display name |
| Slug | Machine-readable identifier |
| Permissions | Count of permissions assigned to the role |
| Type | System (cannot be deleted) or Custom |
| Default | Whether this is the fallback role for unassigned users |
System roles (is_system = true) are shown with a lock icon. The default role is indicated with a star badge. There are always exactly three system roles: member (default), restricted, and moderator.
Role Editor
Viewing a Role
Click a row to open the detail page. It shows:
- Role name, description, and slug.
- A badge indicating whether the role is system, custom, or default.
- The full list of permissions assigned, grouped by category.
Creating a Custom Role
Click New Role in the toolbar (requires user-roles:edit). A creation form opens with the following fields:
| Field | Required | Notes |
|---|---|---|
| Name | Yes | Display name; slug is auto-derived |
| Description | No | Shown in the role list and picker |
| Permissions | Yes | Multi-select grouped by category (see Permission Categories) |
Save to create the role. It becomes immediately available in the user role assignment picker.
Editing a Custom Role
Click the Edit button on a custom role's detail page. All fields — name, description, permissions — are editable.
Editing a system role is blocked. The edit button is hidden and the form fields are read-only for system roles.
Deleting a Custom Role
Click the Delete button on a custom role's detail page. A confirmation dialog is shown. System roles cannot be deleted; the button is absent on their detail pages.
When a role is deleted, users assigned to it automatically fall back to the default role (member) at their next request (the cache entry expires within 5 minutes or is invalidated immediately on deletion).
Permission Categories
Permissions are grouped in the role editor by category:
| Category | Permissions |
|---|---|
| Ideas | ideas:create, ideas:vote, ideas:comment, ideas:edit_own, ideas:delete_own, ideas:comment_edit_own, ideas:comment_delete_own |
| Ideas Moderation | ideas:moderate_comment, ideas:moderate_edit, ideas:moderate_delete, ideas:moderate_status |
| Profile | profile:read, profile:edit |
Per-User Role Assignments
From the user detail page at /users/{id}, the User Role tab shows:
- The currently assigned role (or "Default (Member)" if unassigned).
- A Change Role button that opens a dropdown of all user roles (requires user-roles:edit).
- A Remove Assignment button to revert the user to the default role.
Changing a role takes effect at the next API request for that user (cache is invalidated on save, new TTL is 5 minutes).
Per-User Permission Overrides
From the user detail page, the Permission Overrides tab shows all explicit overrides for that user.
Each override row shows:
- The permission string (e.g., ideas:create).
- Whether it is Granted (green check) or Denied (red cross).
- A Remove button to delete the override.
To add an override, click Add Override and:
- Pick a permission from the dropdown (all user-scope permissions are listed).
- Choose Grant or Deny.
- Save.
Overrides layer on top of the role: granting a permission gives it to the user even if their role does not include it; denying removes it even if the role does include it. Per-user overrides are applied before account-level overrides in the resolution chain.
Requires accounts:manage_permissions.
Per-Account Permission Overrides
From the account detail page at /accounts/{id}, the Permission Overrides tab shows the user-scope overrides applied to all users who have that account as their active account when making requests.
The interface is identical to the per-user override UI: each row shows the permission, granted/denied state, and a remove button. Add new overrides via Add Override.
Account overrides are the last layer in the permission resolution chain — they can grant permissions that the user's role and individual overrides do not provide, or deny permissions that they would otherwise have.
Requires accounts:manage_permissions.
Effective Permissions View
From either the per-user role tab or the permission overrides tab on the user detail page, click View Effective Permissions to open a modal that shows the fully-resolved permission set for that user — role permissions merged with user overrides and account overrides — without writing to cache. This is useful for debugging unexpected access behavior.
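The layering described above (role, then per-user overrides, then per-account overrides) can be modelled offline when reviewing a set of overrides. The sketch below is an added example, not Lumio's code: the function names and the sample role contents are constructed, and it assumes that when layers conflict the later layer wins, which means an account-level grant can undo a per-user deny.

```python
# Added illustration; not Lumio's implementation. All names are hypothetical.
DEFAULT_ROLE = "member"

# Constructed sample role contents; only the permission strings come from this page.
ROLES = {
    "member": {"ideas:create", "ideas:vote", "ideas:comment", "profile:read"},
    "restricted": {"profile:read"},
}


def resolve(role_slug, user_overrides, account_overrides, roles=ROLES):
    """Return (effective, trace) for one user under one active account.

    Layers are applied in the documented order: role -> user -> account.
    Assumption: when layers conflict, the later layer wins.
    """
    # An unassigned user, or one whose role was deleted, falls back to the default.
    base = roles.get(role_slug, roles[DEFAULT_ROLE])
    effective = set(base)
    trace = {perm: "role" for perm in base}
    for layer, overrides in (("user", user_overrides), ("account", account_overrides)):
        for perm, granted in overrides.items():
            if granted:
                effective.add(perm)
            else:
                effective.discard(perm)
            # Record which layer had the final say on this permission.
            trace[perm] = f"{layer}:{'grant' if granted else 'deny'}"
    return effective, trace


def reversed_denies(user_overrides, account_overrides):
    """Per-user denies that an account-level grant undoes (worth reviewing)."""
    return sorted(
        perm for perm, granted in user_overrides.items()
        if not granted and account_overrides.get(perm) is True
    )


if __name__ == "__main__":
    # Constructed overrides: True means Granted, False means Denied.
    user = {"ideas:comment": False, "ideas:moderate_comment": True}
    account = {"ideas:comment": True, "ideas:vote": False}
    perms, trace = resolve("deleted-role", user, account)
    for perm in sorted(trace):
        state = "allowed" if perm in perms else "blocked"
        print(f"{perm:24} {state:8} decided by {trace[perm]}")
    print("user denies reversed by account:", reversed_denies(user, account))
```

Compare the output with the View Effective Permissions modal for the same user and active account; a mismatch means the last-layer-wins assumption does not hold for that case.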
Permissions
All actions in this section require admin:access (the dashboard-entry gate). In addition:
| Action | Permission |
|---|---|
| View role list, role detail pages, user/account override lists | user-roles:read |
| Create, edit, delete custom roles; assign/remove user role assignments | user-roles:edit |
| Set or remove per-user permission overrides | accounts:manage_permissions |
| Set or remove per-account permission overrides | accounts:manage_permissions |
System admins implicitly have all permissions.
API
| UI Action | GraphQL | REST |
|---|---|---|
| List user roles | adminUserRoles | GET /v1/admin/user-roles |
| Get role detail | adminUserRole(id: UUID!) | GET /v1/admin/user-roles/{id} |
| Create role | adminCreateUserRole(input: ...) | POST /v1/admin/user-roles |
| Update role | adminUpdateUserRole(input: ...) | PATCH /v1/admin/user-roles/{id} |
| Delete role | adminDeleteUserRole(id: UUID!) | DELETE /v1/admin/user-roles/{id} |
| Assign user role | adminAssignUserRole(userId, roleId) | PUT /v1/admin/users/{id}/user-role |
| Remove user role | adminRemoveUserRole(userId) | DELETE /v1/admin/users/{id}/user-role |
| List user overrides | adminUserPermissionOverrides(userId) | GET /v1/admin/users/{id}/permission-overrides |
| Set user override | adminSetUserPermissionOverride(...) | PUT /v1/admin/users/{id}/permission-overrides/{permission} |
| Remove user override | adminRemoveUserPermissionOverride(...) | DELETE /v1/admin/users/{id}/permission-overrides/{permission} |
| List account overrides | adminAccountPermissionOverrides(accountId) | GET /v1/admin/accounts/{id}/permission-overrides |
| Set account override | adminSetAccountPermissionOverride(...) | PUT /v1/admin/accounts/{id}/permission-overrides/{permission} |
| Remove account override | adminRemoveAccountPermissionOverride(...) | DELETE /v1/admin/accounts/{id}/permission-overrides/{permission} |
| Resolved permissions | adminUserResolvedPermissions(userId) | GET /v1/admin/users/{id}/resolved-permissions |
Related
- User Roles developer guide — tables, resolution algorithm, AuthContext changes, cache
- RBAC & Permissions developer guide — account-scope and admin-scope RBAC layers
- Users — managing users and their account memberships
- Accounts — managing streaming accounts