Roles & Permissions
Roles define what users and API credentials can do within your Cubewire organization. The role-based access control (RBAC) system enables fine-grained permission management for security and operational efficiency.
What is a Role?
A role is a collection of permissions that determines:
- Access Level — What resources can be viewed or modified
- Operational Scope — Which actions can be performed
- Security Boundaries — What is explicitly denied
Role Types
Cubewire supports two types of roles:
| Type | Description | Editable | Deletable |
|---|---|---|---|
| System | Pre-defined roles with standard permission sets | No | No |
| Custom | Organization-defined roles for specific needs | Yes | Yes |
System Roles
System roles are built-in and cannot be modified. They provide common access patterns for typical organizational structures.
Organization Admin
| Property | Value |
|---|---|
| Permissions | 30 |
| Type | System |
| Purpose | Organizational governance and user management |
Capabilities:
- Manage users and roles
- Configure organization settings
- View audit logs and compliance reports
- Manage integrations and linked organizations
Limitations:
- Cannot perform wallet operations
- Cannot initiate transactions
- Cannot modify vault configurations
Best For: IT administrators, compliance officers, organization managers
Member
| Property | Value |
|---|---|
| Permissions | 13 |
| Type | System |
| Purpose | Standard operational access for day-to-day tasks |
Capabilities:
- View vaults and balances
- Initiate transactions (subject to policies)
- View transaction history
- Access basic reporting
Limitations:
- Cannot manage users or roles
- Cannot modify organization settings
- Cannot change policies
Best For: Operations staff, finance team members, day-to-day operators
Viewer
| Property | Value |
|---|---|
| Permissions | 9 |
| Type | System |
| Purpose | Read-only access to view information without making changes |
Capabilities:
- View vaults and addresses
- View transaction history
- View policies and named lists
- Access read-only reports
Limitations:
- Cannot initiate any transactions
- Cannot modify any resources
- Cannot create or update anything
Best For: Auditors, external reviewers, reporting users, read-only integrations
Custom Roles
Custom roles allow you to define specific permission sets tailored to your organization's needs.
Example: Initiator
| Property | Value |
|---|---|
| Permissions | 1 |
| Type | Custom |
| Purpose | Minimal permissions to initiate transactions |
Use Case: Automated systems that only need to submit transactions, with all approvals handled by other roles.
Example: Operator
| Property | Value |
|---|---|
| Permissions | 23 |
| Type | Custom |
| Purpose | Full operational access to vaults, transactions, and policies |
Capabilities:
- Full vault management
- Transaction initiation and monitoring
- Policy management
- Named list management
Use Case: Operations team leads who need comprehensive access without administrative privileges.
Example: Super Admin
| Property | Value |
|---|---|
| Permissions | 51 |
| Type | Custom |
| Purpose | Complete access to all platform capabilities |
Capabilities:
- All Organization Admin permissions
- All operational permissions
- Full API access
Use Case: Technical leads or owners who need unrestricted access.
Permission Categories
Permissions are grouped into functional categories:
| Category | Description | Examples |
|---|---|---|
| Vaults | Manage wallet infrastructure | Create, view, update, archive vaults |
| Transactions | Execute blockchain operations | Send, view, cancel transactions |
| Policies | Control transaction rules | Create, update, delete policies |
| Named Lists | Manage address collections | Create, update, manage list items |
| Users | Manage team access | Invite, update, remove users |
| Roles | Manage permission sets | Create, update custom roles |
| Audit Logs | Access activity records | View logs, generate reports |
| Settings | Configure organization | Update settings, manage integrations |
| API Keys | Manage programmatic access | Create, revoke API credentials |
Role Assignment
Users
Users can be assigned one or more roles. The effective permissions are the union of all assigned role permissions:
API Credentials
API credentials are assigned roles that determine their capabilities.
Example:
| Property | Value |
|---|---|
| Name | Production API Key |
| Client ID | cw_live_abc123def456 |
| Assigned Role | Initiator (Custom) |
| Capabilities | Transaction initiation only |
The credential inherits all permissions from its assigned role(s), just like user accounts.
Recommendation: Always start with the lowest privilege role that meets the user's needs, and only escalate when necessary.
Role Selection Guide
| Use Case | Recommended Role | Reason |
|---|---|---|
| Platform administration | Organization Admin | User/role management without wallet access |
| Daily operations | Member | Standard operational capabilities |
| Audit and compliance | Viewer | Read-only for security |
| Automated transaction submission | Initiator (Custom) | Minimal permissions for API |
| Operations team lead | Operator (Custom) | Full operational access |
| Technical owner | Super Admin (Custom) | Unrestricted access |
Best Practices
Role Design
| Practice | Description |
|---|---|
| Start with system roles | Use built-in roles before creating custom ones |
| Minimize custom roles | Create only when system roles don't fit |
| Document role purposes | Clear descriptions for each custom role |
| Regular audits | Review role assignments periodically |
Security
| Practice | Description |
|---|---|
| Least privilege | Assign minimum permissions needed |
| Separate duties | Different roles for different functions |
| No shared credentials | Each user/API has own credentials |
| Review high-privilege roles | Extra scrutiny for Super Admin assignments |
API Credentials
| Practice | Description |
|---|---|
| Role-specific API keys | Create dedicated credentials per integration |
| Minimal API permissions | API keys should have fewer permissions than users |
| Rotate credentials | Regular credential rotation schedule |
| IP whitelisting | Restrict API access by IP address |
Related Topics
- OAuth2 Authentication — OAuth2 and API authentication
- Policies — Transaction-level controls
API Reference
For complete API documentation including endpoints for managing roles and permissions:
- List roles —
GET /api/v1/roles - Create role —
POST /api/v1/roles - List permissions —
GET /api/v1/roles/permissions - Get role —
GET /api/v1/roles/{id} - Update role —
PATCH /api/v1/roles/{id} - Delete role —
DELETE /api/v1/roles/{id} - Customize system role —
PUT /api/v1/roles/{id}/customize
Roles & Permissions
Roles define what users and API credentials can do within your Cubewire organization. The role-based access control (RBAC) system enables fine-grained permission management for security and operational efficiency.
What is a Role?
A role is a collection of permissions that determines:
- Access Level — What resources can be viewed or modified
- Operational Scope — Which actions can be performed
- Security Boundaries — What is explicitly denied
Role Types
Cubewire supports two types of roles:
| Type | Description | Editable | Deletable |
|---|---|---|---|
| System | Pre-defined roles with standard permission sets | No | No |
| Custom | Organization-defined roles for specific needs | Yes | Yes |
System Roles
System roles are built-in and cannot be modified. They provide common access patterns for typical organizational structures.
Organization Admin
| Property | Value |
|---|---|
| Permissions | 30 |
| Type | System |
| Purpose | Organizational governance and user management |
Capabilities:
- Manage users and roles
- Configure organization settings
- View audit logs and compliance reports
- Manage integrations and linked organizations
Limitations:
- Cannot perform wallet operations
- Cannot initiate transactions
- Cannot modify vault configurations
Best For: IT administrators, compliance officers, organization managers
Member
| Property | Value |
|---|---|
| Permissions | 13 |
| Type | System |
| Purpose | Standard operational access for day-to-day tasks |
Capabilities:
- View vaults and balances
- Initiate transactions (subject to policies)
- View transaction history
- Access basic reporting
Limitations:
- Cannot manage users or roles
- Cannot modify organization settings
- Cannot change policies
Best For: Operations staff, finance team members, day-to-day operators
Viewer
| Property | Value |
|---|---|
| Permissions | 9 |
| Type | System |
| Purpose | Read-only access to view information without making changes |
Capabilities:
- View vaults and addresses
- View transaction history
- View policies and named lists
- Access read-only reports
Limitations:
- Cannot initiate any transactions
- Cannot modify any resources
- Cannot create or update anything
Best For: Auditors, external reviewers, reporting users, read-only integrations
Custom Roles
Custom roles allow you to define specific permission sets tailored to your organization's needs.
Example: Initiator
| Property | Value |
|---|---|
| Permissions | 1 |
| Type | Custom |
| Purpose | Minimal permissions to initiate transactions |
Use Case: Automated systems that only need to submit transactions, with all approvals handled by other roles.
Example: Operator
| Property | Value |
|---|---|
| Permissions | 23 |
| Type | Custom |
| Purpose | Full operational access to vaults, transactions, and policies |
Capabilities:
- Full vault management
- Transaction initiation and monitoring
- Policy management
- Named list management
Use Case: Operations team leads who need comprehensive access without administrative privileges.
Example: Super Admin
| Property | Value |
|---|---|
| Permissions | 51 |
| Type | Custom |
| Purpose | Complete access to all platform capabilities |
Capabilities:
- All Organization Admin permissions
- All operational permissions
- Full API access
Use Case: Technical leads or owners who need unrestricted access.
Permission Categories
Permissions are grouped into functional categories:
| Category | Description | Examples |
|---|---|---|
| Vaults | Manage wallet infrastructure | Create, view, update, archive vaults |
| Transactions | Execute blockchain operations | Send, view, cancel transactions |
| Policies | Control transaction rules | Create, update, delete policies |
| Named Lists | Manage address collections | Create, update, manage list items |
| Users | Manage team access | Invite, update, remove users |
| Roles | Manage permission sets | Create, update custom roles |
| Audit Logs | Access activity records | View logs, generate reports |
| Settings | Configure organization | Update settings, manage integrations |
| API Keys | Manage programmatic access | Create, revoke API credentials |
Role Assignment
Users
Users can be assigned one or more roles. The effective permissions are the union of all assigned role permissions:
API Credentials
API credentials are assigned roles that determine their capabilities.
Example:
| Property | Value |
|---|---|
| Name | Production API Key |
| Client ID | cw_live_abc123def456 |
| Assigned Role | Initiator (Custom) |
| Capabilities | Transaction initiation only |
The credential inherits all permissions from its assigned role(s), just like user accounts.
Recommendation: Always start with the lowest privilege role that meets the user's needs, and only escalate when necessary.
Role Selection Guide
| Use Case | Recommended Role | Reason |
|---|---|---|
| Platform administration | Organization Admin | User/role management without wallet access |
| Daily operations | Member | Standard operational capabilities |
| Audit and compliance | Viewer | Read-only for security |
| Automated transaction submission | Initiator (Custom) | Minimal permissions for API |
| Operations team lead | Operator (Custom) | Full operational access |
| Technical owner | Super Admin (Custom) | Unrestricted access |
Best Practices
Role Design
| Practice | Description |
|---|---|
| Start with system roles | Use built-in roles before creating custom ones |
| Minimize custom roles | Create only when system roles don't fit |
| Document role purposes | Clear descriptions for each custom role |
| Regular audits | Review role assignments periodically |
Security
| Practice | Description |
|---|---|
| Least privilege | Assign minimum permissions needed |
| Separate duties | Different roles for different functions |
| No shared credentials | Each user/API has own credentials |
| Review high-privilege roles | Extra scrutiny for Super Admin assignments |
API Credentials
| Practice | Description |
|---|---|
| Role-specific API keys | Create dedicated credentials per integration |
| Minimal API permissions | API keys should have fewer permissions than users |
| Rotate credentials | Regular credential rotation schedule |
| IP whitelisting | Restrict API access by IP address |
Related Topics
- OAuth2 Authentication — OAuth2 and API authentication
- Policies — Transaction-level controls
API Reference
For complete API documentation including endpoints for managing roles and permissions:
- List roles —
GET /api/v1/roles - Create role —
POST /api/v1/roles - List permissions —
GET /api/v1/roles/permissions - Get role —
GET /api/v1/roles/{id} - Update role —
PATCH /api/v1/roles/{id} - Delete role —
DELETE /api/v1/roles/{id} - Customize system role —
PUT /api/v1/roles/{id}/customize