Detailed Role Permissions
Super Admin
Identifier: super-admin
Full unrestricted access to all resources and actions in the system.
| Permission | Description | Rules |
|---|---|---|
| p1 | View Everything & Edit everything | resource: *, action: * |
Capabilities:
- Create, edit, and delete any resource
- Approve any proposal
- Manage all users, wallets, policies, and settings
- Access all workspace and wallet operations
Workspace Owner
Identifier: workspace-owner
Owner-level workspace access with approval rights for workspace-level changes.
| Permission | Description | Rules |
|---|---|---|
| p1 | View workspace resources | /users list, get; /signers list, get; /wallets list, get; /policies list, get; /roles list, get; /rules list, get; /groups list, get; /recipients list, get; /recipient-groups list, get |
| p2 | Approve workspace proposals | /proposals approve (with filter: proposal.resource IN ['/users', '/signers', '/roles', '/policies', '/wallets', '/groups', '/recipients', '/recipient-groups', '/assets']) |
Capabilities:
- View all workspace resources (users, signers, wallets, policies, roles, rules, groups, recipients)
- Approve proposals that affect workspace configuration
- Cannot create or edit resources directly (must go through proposal flow)
Workspace Maintainer
Identifier: workspace-maintainer
Maintenance of workspace resources with broad create/edit permissions.
| Permission | Description |
|---|---|
| p1 | View workspace resources |
| p2 | Propose workspace resource changes |
Complete Rules for Workspace Maintainer:
User Management:
| Resource | Action | Description |
|---|---|---|
| /users | list | List all users |
| /users | get | View user details |
| /users | invite | Invite users via email |
| /users | create | Create new users |
| /users | edit | Edit user details |
| /users | delete | Delete users |
Rules Management:
| Resource | Action | Description |
|---|---|---|
| /rules | list | List all rules |
| /rules | get | View rule details |
| /rules | create | Create new rules |
Roles Management:
| Resource | Action | Description |
|---|---|---|
| /roles | list | List all roles |
| /roles | get | View role details |
| /roles | create | Create new roles |
| /roles | addRules | Add rules to roles |
| /roles | removeRules | Remove rules from roles |
| /roles | addUsers | Add users to roles |
| /roles | removeUsers | Remove users from roles |
| /roles | delete | Delete roles |
Groups Management:
| Resource | Action | Description |
|---|---|---|
| /groups | list | List all groups |
| /groups | get | View group details |
| /groups | create | Create new groups |
| /groups | edit | Edit groups |
| /groups | delete | Delete groups |
| /groups | addUsers | Add users to groups |
| /groups | removeUsers | Remove users from groups |
Recipients Management:
| Resource | Action | Description |
|---|---|---|
| /recipients | list | List all recipients |
| /recipients | get | View recipient details |
| /recipients | create | Create new recipients |
| /recipients | edit | Edit recipients |
| /recipients | delete | Delete recipients |
Recipient Groups Management:
| Resource | Action | Description |
|---|---|---|
| /recipient-groups | list | List all recipient groups |
| /recipient-groups | get | View recipient group details |
| /recipient-groups | create | Create new recipient groups |
| /recipient-groups | edit | Edit recipient groups |
| /recipient-groups | delete | Delete recipient groups |
| /recipient-groups | addRecipients | Add recipients to groups |
| /recipient-groups | removeRecipients | Remove recipients from groups |
Assets Management:
| Resource | Action | Description |
|---|---|---|
| /assets | list | List all assets |
| /assets | get | View asset details |
| /assets | edit | Edit asset settings |
Signers Management:
| Resource | Action | Description |
|---|---|---|
| /signers | list | List all signers |
| /signers | get | View signer details |
| /signers | create | Create new signers |
| /signers | edit | Edit signers |
| /signers | delete | Delete signers |
Wallets Management:
| Resource | Action | Description |
|---|---|---|
| /wallets | list | List all wallets |
| /wallets | get | View wallet details |
| /wallets | create | Create new wallets |
| /wallets | edit | Edit wallet settings |
| /wallets | delete | Delete wallets |
Policies Management:
| Resource | Action | Description |
|---|---|---|
| /policies | list | List all policies |
| /policies | get | View policy details |
| /policies | create | Create new policies |
| /policies | edit | Edit policies |
| /policies | delete | Delete policies |
Workspace Viewer
Identifier: workspace-viewer
Read-only access to workspace resources.
| Permission | Description |
|---|---|
| p1 | View all workspace resources |
Rules:
| Resource | Action | Description |
|---|---|---|
| /users | list, get | View users |
| /signers | list, get | View signers |
| /wallets | list, get | View wallets |
| /policies | list, get | View policies |
| /roles | list, get | View roles |
| /rules | list, get | View rules |
| /groups | list, get | View groups |
| /recipients | list, get | View recipients |
| /recipient-groups | list, get | View recipient groups |
| /assets | list, get | View assets |
Wallet Maintainer
Identifier: wallet-maintainer
Full wallet management capabilities for assigned wallets.
| Permission | Description |
|---|---|
| p1 | View wallet resources |
| p2 | Create and manage spend requests |
| p3 | Review and approve proposals |
| p4 | Manage wallet settings |
Rules:
| Resource | Action | Description |
|---|---|---|
| /wallets/:wid | get | View wallet details |
| /wallets/:wid/balances | get | View wallet balances |
| /wallets/:wid/addresses | get, list | View wallet addresses |
| /wallets/:wid/transactions | get, list | View wallet transactions |
| /wallets/:wid/spend-requests | add | Create spend requests |
| /wallets/:wid/spend-requests | list, get | View spend requests |
| /wallets/:wid | edit | Edit wallet settings |
| /wallets/:wid/policies | create, edit, delete | Manage wallet policies |
| /proposals | review | Review proposals for wallet |
| /proposals | approve | Approve proposals for wallet |
Note:
:wid is dynamically replaced with the specific wallet IDs the user has been granted access to.
Standard Wallet User
Identifier: standard-wallet-user
Standard user operations on assigned wallets.
| Permission | Description |
|---|---|
| p1 | View wallet resources |
| p2 | Create spend requests |
| p3 | Review proposals |
Rules:
| Resource | Action | Description |
|---|---|---|
| /wallets/:wid | get | View wallet details |
| /wallets/:wid/balances | get | View wallet balances |
| /wallets/:wid/addresses | get, list | View wallet addresses |
| /wallets/:wid/transactions | get, list | View wallet transactions |
| /wallets/:wid/spend-requests | add | Create spend requests |
| /wallets/:wid/spend-requests | list, get | View spend requests |
| /proposals | review | Review proposals for wallet |
Capabilities:
- View wallet balances, addresses, and transactions
- Create spend requests (transactions)
- Review (but not approve) proposals
Wallet Viewer
Identifier: wallet-viewer
Read-only access to assigned wallets.
| Permission | Description |
|---|---|
| p1 | View wallet resources |
Rules:
| Resource | Action | Description |
|---|---|---|
| /wallets/:wid | get | View wallet details |
| /wallets/:wid/balances | get | View wallet balances |
| /wallets/:wid/addresses | get, list | View wallet addresses |
| /wallets/:wid/transactions | get, list | View wallet transactions |
| /wallets/:wid/spend-requests | list, get | View spend requests |
Role Relationships
Roles can inherit permissions from other roles through relationships. Higher-level roles automatically include all permissions from roles below them in the hierarchy.
Relationship Types
| Relationship | Description |
|---|---|
| includes | This role includes all permissions of the related role |
| extends | This role extends the related role (same as includes) |
Predefined Relationships
```javascript
// Each key is a role identifier; `includes` lists the roles whose
// permissions it inherits (transitively, through their own `includes`).
const roleRelationships = {
  'super-admin': {
    includes: ['workspace-owner', 'workspace-maintainer', 'wallet-maintainer'],
  },
  'wallet-maintainer': {
    includes: ['standard-wallet-user'],
  },
  'standard-wallet-user': {
    includes: ['wallet-viewer'],
  },
  'workspace-maintainer': {
    includes: ['workspace-viewer'],
  },
}
```
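As an added example, not code from this page or from the product it documents: a small resolver that walks the includes graph above to compute a role's effective permissions, substitutes a grant's wallet IDs for :wid, and applies the Workspace Owner proposal filter. The rule-object shape, the grant shape, the request field proposalResource, and the embedded rule subset are all assumptions constructed for the example.

```javascript
// Added example, not the project's own code. Rule objects, the grant
// shape and the request fields are assumptions; the rules embedded are
// a constructed subset of the tables above.
const roleRelationships = {
  'super-admin': { includes: ['workspace-owner', 'workspace-maintainer', 'wallet-maintainer'] },
  'wallet-maintainer': { includes: ['standard-wallet-user'] },
  'standard-wallet-user': { includes: ['wallet-viewer'] },
  'workspace-maintainer': { includes: ['workspace-viewer'] },
};
const roleRules = {
  'super-admin': [{ resource: '*', action: '*' }],
  'workspace-owner': [
    { resource: '/wallets', action: 'list' },
    // Approve only proposals that touch workspace-level resources.
    { resource: '/proposals', action: 'approve',
      filter: (req) => ['/users', '/wallets', '/policies'].includes(req.proposalResource) },
  ],
  'workspace-maintainer': [{ resource: '/wallets', action: 'create' }],
  'workspace-viewer': [{ resource: '/wallets', action: 'list' }],
  'wallet-maintainer': [{ resource: '/wallets/:wid', action: 'edit' }],
  'standard-wallet-user': [{ resource: '/wallets/:wid/spend-requests', action: 'add' }],
  'wallet-viewer': [{ resource: '/wallets/:wid', action: 'get' }],
};
// Transitive closure over `includes`; the visited set also stops cycles.
function effectiveRoles(role, seen = new Set()) {
  if (seen.has(role)) return seen;
  seen.add(role);
  for (const r of roleRelationships[role]?.includes ?? []) effectiveRoles(r, seen);
  return seen;
}
// A grant binds a role to the wallet IDs that replace :wid in its rules.
// Returns true only if some inherited rule matches action, resource and filter.
function isAllowed(grant, req) {
  const { role, walletIds = [] } = grant;
  for (const r of effectiveRoles(role)) {
    for (const rule of roleRules[r] ?? []) {
      if (rule.action !== '*' && rule.action !== req.action) continue;
      const resources = rule.resource.includes(':wid')
        ? walletIds.map((id) => rule.resource.replace(':wid', id))
        : [rule.resource];
      if (rule.resource !== '*' && !resources.includes(req.resource)) continue;
      if (rule.filter && !rule.filter(req)) continue;
      return true;
    }
  }
  return false;
}
```

A wallet-level role never grants access to a wallet outside its grant, and the Workspace Owner approval filter rejects proposals whose resource is not in its allow-list even though the action matches.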