Skip to main content

Roles Hierarchy and Permissions

Details about the options for different roles within spektr.

Yuri Beckers avatar
Written by Yuri Beckers
Updated over 4 months ago

Within spektr, the system has three roles with a hierarchical permission structure:

1. Viewer (Read-Only Access)

Viewers have the most limited permissions and can only:

View/Read Access:

  • View / read datasets, processes, alerts, risk matrices, nodes, users, API keys, user settings, comments, fields, and AI agents

  • Access all basic information across the platform

Do not have permission to:

  • Create, update, or delete any resources

  • Execute or launch processes

  • Manage users or API keys

  • Access admin-only features

2. Editor (Content Management)

Editors have all viewer permissions plus the ability to:

Create & Modify Content:

  • Create, update, and delete datasets, processes, alerts, risk matrices, nodes, fields, and AI agents

  • Execute and launch processes

  • Create and manage comments

  • View and create risk matrix templates

  • Set user settings and branding colors

Do not have permission to:

  • Manage users (invite, update, delete)

  • Manage API keys

  • Access custom domain settings

  • Perform admin-level operations

3. Admin (Full System Access)

Admins have unlimited access to everything in the system:

User Management:

  • View, update, delete, and invite users

  • Manage user groups (when feature flag is enabled)

System Administration:

  • Create and delete API keys

  • Manage custom domain settings

  • Access all admin-only features

Inheritance:

  • Admins automatically have all editor and viewer permissions

  • The system explicitly grants admins access to everything

Key Implementation Details

Permission Inheritance: The system uses a hierarchical approach where:

  1. Editors inherit all viewer permissions

  2. Admins inherit all editor and viewer permissions

  3. UI Access Control: The interface dynamically shows/hides features based on role permissions. For example:

  4. Only admins can see the "Developer" tab (API keys) in settings

  5. Only admins can see the "Custom Domain" tab

  6. Editors can access branding and workspace settings

  7. Role Guard: The backend uses a RoleGuard that enforces these permissions at the API level, ensuring users can only access endpoints they're authorized for.

This role-based access control (RBAC) system provides a clear separation of responsibilities, with viewers for read-only access, editors for content management, and admins for full system administration.

Did this answer your question?