Skip to main content

Roles & Permissions

Access control has two axes: the user's role (Role) and their organization type (OrganizationType). Roles are expressed as CASL (action, subject) rules in @cbdc-issuer/shared (permissions/index.ts) and are shared verbatim by the API guards (PoliciesGuard / @CheckPolicies) and the dashboard (ability.can(...) + route guards).

Roles

RoleSummary
administratormanage all — every action on every subject
memberRead most subjects; create Proposals and Votes; update own User
auditorRead everything (incl. Invitations and Export); no writes

CASL ability matrix

Actions are create / read / update / delete / manage (manage implies all). Administrator has manage on all; the table below details Member and Auditor.

SubjectAdministratorMemberAuditor
Usermanageread, updateread
Invitationmanageread
Organizationmanagereadread
Tokenmanagereadread
Multisigmanagereadread
WhitelistAddressmanagereadread
AddressBookmanagereadread
Proposalmanageread, createread
Votemanageread, createread
Operationmanagereadread
Bridgingmanage
Dashboardmanagereadread
Exportmanageread
InstantPaymentmanageread, createread
InstantPaymentOversightmanageread

Notes: only Administrators carry manage · Bridging, so disbursement/redemption requests are admin-driven. read · Organization is the gate for the Control Panel — which is why Members can't open it. InstantPaymentOversight is deliberately excluded from Member — only Admin (via manage all) and Auditor can open the Issuer's cross-bank Instant Payments oversight view. The API is always the enforcement point; the dashboard only mirrors these rules to hide UI.

Organization-type gating

Some surfaces depend on the organization type, independent of role:

Route / capabilityRequired org type
/control-panel/organizations (manage commercial orgs)CENTRAL
GET /organizations (list)CENTRAL (else ORGANIZATION_LIST_RESTRICTED_TO_CENTRAL_BANK)
Convert / disbursement flowsCOMMERCIAL

Dashboard route guards

_dashboard.tsx enforces auth and then two maps before a route renders:

Route prefixROUTE_PERMISSIONS (CASL)ROUTE_ORG_TYPES
/control-panelread · Organization
/control-panel/organizationsread · OrganizationCENTRAL
/disbursement-requestsCOMMERCIAL

Unauthenticated users are redirected to /login?redirect=…; failing a permission/org-type check redirects to /dashboard.

ItemRouteVisible to
Dashboard/dashboardall
Accounts/multisigsall
My Tasks/my-tasksall (badge = pending vote count)
Address Book/address-bookall
Instant Payments/instant-paymentsCommercial orgs: all. Central orgs: only if can('read', 'InstantPaymentOversight') (Admin + Auditor)
Control Panel/control-panelonly if can('read', 'Organization') (Admin + Auditor)
Settings/settingsall