Roles define what users and API credentials can do within your Cubewire organization. The role-based access control (RBAC) system enables fine-grained permission management for security and operational efficiency.
A role is a collection of permissions that determines:
Cubewire supports two types of roles:
| Type | Description | Editable | Deletable |
|---|---|---|---|
| System | Pre-defined roles with standard permission sets | No | No |
| Custom | Organization-defined roles for specific needs | Yes | Yes |
System roles are built-in and cannot be modified. They provide common access patterns for typical organizational structures.
| Property | Value |
|---|---|
| Role | Organization Admin |
| Permissions | 30 |
| Type | System |
| Purpose | Organizational governance and user management |
Capabilities:
Limitations:
Best For: IT administrators, compliance officers, organization managers
| Property | Value |
|---|---|
| Role | Member |
| Permissions | 13 |
| Type | System |
| Purpose | Standard operational access for day-to-day tasks |
Capabilities:
Limitations:
Best For: Operations staff, finance team members, day-to-day operators
| Property | Value |
|---|---|
| Role | Viewer |
| Permissions | 9 |
| Type | System |
| Purpose | Read-only access to view information without making changes |
Capabilities:
Limitations:
Best For: Auditors, external reviewers, reporting users, read-only integrations
Custom roles allow you to define specific permission sets tailored to your organization's needs.
| Property | Value |
|---|---|
| Role | Initiator |
| Permissions | 1 |
| Type | Custom |
| Purpose | Minimal permissions to initiate transactions |
Use Case: Automated systems that only need to submit transactions, with all approvals handled by other roles.
| Property | Value |
|---|---|
| Role | Operator |
| Permissions | 23 |
| Type | Custom |
| Purpose | Full operational access to vaults, transactions, and policies |
Capabilities:
Use Case: Operations team leads who need comprehensive access without administrative privileges.
| Property | Value |
|---|---|
| Role | Super Admin |
| Permissions | 51 |
| Type | Custom |
| Purpose | Complete access to all platform capabilities |
Capabilities:
Use Case: Technical leads or owners who need unrestricted access.
Permissions are grouped into functional categories:
| Category | Description | Examples |
|---|---|---|
| Vaults | Manage wallet infrastructure | Create, view, update, archive vaults |
| Transactions | Execute blockchain operations | Send, view, cancel transactions |
| Policies | Control transaction rules | Create, update, delete policies |
| Named Lists | Manage address collections | Create, update, manage list items |
| Users | Manage team access | Invite, update, remove users |
| Roles | Manage permission sets | Create, update custom roles |
| Audit Logs | Access activity records | View logs, generate reports |
| Settings | Configure organization | Update settings, manage integrations |
| API Keys | Manage programmatic access | Create, revoke API credentials |
Users can be assigned one or more roles. The effective permissions are the union of all assigned role permissions:
API credentials are assigned roles that determine their capabilities.
Example:
| Property | Value |
|---|---|
| Name | Production API Key |
| Client ID | cw_live_abc123def456 |
| Assigned Role | Initiator (Custom) |
| Capabilities | Transaction initiation only |
The credential inherits all permissions from its assigned role(s), just like user accounts.
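Because effective permissions are a union, stacking roles on one user or credential can quietly undo a separation of duties that each role respects on its own. The sketch below is an added example, not Cubewire code: the permission names, the abbreviated role contents, the conflict pairs and the user names are constructed assumptions; only the role names and the sample client ID come from this page.

```python
# Constructed role definitions. Permission identifiers are hypothetical
# placeholders and the sets are abbreviated, not Cubewire's real catalogue.
ROLES = {
    "Organization Admin": {"users:invite", "users:remove", "roles:update",
                           "audit_logs:view"},
    "Viewer": {"vaults:view", "transactions:view", "audit_logs:view"},
    "Initiator": {"transactions:create"},
    "Operator": {"vaults:view", "vaults:create", "transactions:create",
                 "transactions:cancel", "policies:update"},
}

# Assumed separation-of-duties rules: no single principal should hold both
# permissions of a pair once all of its roles are combined.
CONFLICTS = [
    ("roles:update", "transactions:create"),
    ("users:invite", "policies:update"),
]


def effective_permissions(role_names):
    """Return the union of the permissions of every assigned role."""
    perms = set()
    for name in role_names:
        perms |= ROLES[name]  # unknown role raises KeyError: fail closed
    return perms


def audit(assignments):
    """Map each principal to the conflict pairs its combined roles satisfy."""
    findings = {}
    for principal, role_names in assignments.items():
        perms = effective_permissions(role_names)
        hits = [pair for pair in CONFLICTS if set(pair) <= perms]
        if hits:
            findings[principal] = hits
    return findings


# Constructed assignments: users and one API credential.
ASSIGNMENTS = {
    "alice": ["Organization Admin"],
    "bob": ["Organization Admin", "Operator"],  # union crosses both rules
    "carol": ["Viewer", "Initiator"],
    "api:cw_live_abc123def456": ["Initiator"],
}

if __name__ == "__main__":
    for principal, hits in audit(ASSIGNMENTS).items():
        print(principal, "holds conflicting permissions:", hits)
```

Running the same check whenever a role assignment changes catches the combination before it reaches production, rather than at the next periodic review.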
Recommendation: Always start with the lowest-privilege role that meets the user's needs, and only escalate when necessary.
| Use Case | Recommended Role | Reason |
|---|---|---|
| Platform administration | Organization Admin | User/role management without wallet access |
| Daily operations | Member | Standard operational capabilities |
| Audit and compliance | Viewer | Read-only for security |
| Automated transaction submission | Initiator (Custom) | Minimal permissions for API |
| Operations team lead | Operator (Custom) | Full operational access |
| Technical owner | Super Admin (Custom) | Unrestricted access |
All role and permission management happens under Settings in the sidebar. The Settings page has two relevant tabs: Users and Roles.
Note: System roles (Organization Admin, Member, Viewer) cannot be edited or deleted.
| Practice | Description |
|---|---|
| Start with system roles | Use built-in roles before creating custom ones |
| Minimize custom roles | Create only when system roles don't fit |
| Document role purposes | Clear descriptions for each custom role |
| Regular audits | Review role assignments periodically |
| Practice | Description |
|---|---|
| Least privilege | Assign minimum permissions needed |
| Separate duties | Different roles for different functions |
| No shared credentials | Each user/API has its own credentials |
| Review high-privilege roles | Extra scrutiny for Super Admin assignments |
| Practice | Description |
|---|---|
| Role-specific API keys | Create dedicated credentials per integration |
| Minimal API permissions | API keys should have fewer permissions than users |
| Rotate credentials | Regular credential rotation schedule |
| IP whitelisting | Restrict API access by IP address |
For complete API documentation including endpoints for managing roles and permissions:
| Method | Endpoint |
|---|---|
| GET | /api/v1/roles |
| POST | /api/v1/roles |
| GET | /api/v1/roles/permissions |
| GET | /api/v1/roles/{id} |
| PATCH | /api/v1/roles/{id} |
| DELETE | /api/v1/roles/{id} |