Roles & Permissions
Access control has two axes: the user's role (Role) and their organization type (OrganizationType). Roles are expressed as CASL (action, subject) rules in @cbdc-issuer/shared (permissions/index.ts) and are shared verbatim by the API guards (PoliciesGuard / @CheckPolicies) and the dashboard (ability.can(...) + route guards).
Roles
| Role | Summary |
|---|---|
administrator | manage all — every action on every subject |
member | Read most subjects; create Proposals and Votes; update own User |
auditor | Read everything (incl. Invitations and Export); no writes |
CASL ability matrix
Actions are create / read / update / delete / manage (manage implies all). Administrator has manage on all; the table below details Member and Auditor.
| Subject | Administrator | Member | Auditor |
|---|---|---|---|
User | manage | read, update | read |
Invitation | manage | — | read |
Organization | manage | read | read |
Token | manage | read | read |
Multisig | manage | read | read |
WhitelistAddress | manage | read | read |
AddressBook | manage | read | read |
Proposal | manage | read, create | read |
Vote | manage | read, create | read |
Operation | manage | read | read |
Bridging | manage | — | — |
Dashboard | manage | read | read |
Export | manage | — | read |
InstantPayment | manage | read, create | read |
InstantPaymentOversight | manage | — | read |
Notes: only Administrators carry
manage · Bridging, so disbursement/redemption requests are admin-driven.read · Organizationis the gate for the Control Panel — which is why Members can't open it.InstantPaymentOversightis deliberately excluded from Member — only Admin (viamanage all) and Auditor can open the Issuer's cross-bank Instant Payments oversight view. The API is always the enforcement point; the dashboard only mirrors these rules to hide UI.
Organization-type gating
Some surfaces depend on the organization type, independent of role:
| Route / capability | Required org type |
|---|---|
/control-panel/organizations (manage commercial orgs) | CENTRAL |
GET /organizations (list) | CENTRAL (else ORGANIZATION_LIST_RESTRICTED_TO_CENTRAL_BANK) |
| Convert / disbursement flows | COMMERCIAL |
Dashboard route guards
_dashboard.tsx enforces auth and then two maps before a route renders:
| Route prefix | ROUTE_PERMISSIONS (CASL) | ROUTE_ORG_TYPES |
|---|---|---|
/control-panel | read · Organization | — |
/control-panel/organizations | read · Organization | CENTRAL |
/disbursement-requests | — | COMMERCIAL |
Unauthenticated users are redirected to /login?redirect=…; failing a permission/org-type check redirects to /dashboard.
Sidebar visibility
| Item | Route | Visible to |
|---|---|---|
| Dashboard | /dashboard | all |
| Accounts | /multisigs | all |
| My Tasks | /my-tasks | all (badge = pending vote count) |
| Address Book | /address-book | all |
| Instant Payments | /instant-payments | Commercial orgs: all. Central orgs: only if can('read', 'InstantPaymentOversight') (Admin + Auditor) |
| Control Panel | /control-panel | only if can('read', 'Organization') (Admin + Auditor) |
| Settings | /settings | all |