Use this page for Console administration workflows such as assigning system roles, creating custom roles, managing admin users, and reviewing high-risk permissions.
Roles and permissions
The Console uses role-based access control (RBAC) to manage admin privileges. You can assign predefined system roles or create custom roles with a specific permission set.System roles
| Role | Recommended use case |
|---|---|
| Admin | Full access to Console features, including channels, communities, posts, moderation, ads, users, roles, and settings. |
| Community Manager | Manages channels, posts, comments, livestreams, and users in assigned communities. Cannot access user management, admin, or settings. |
| Moderator | Moderates posts, comments, and users in communities. Cannot create channels, manage categories, post as brand, or access admin or settings. |
| Content Creator | Creates posts, comments, stories, and communities. Cannot post as brand, manage users, create ads, or access admin tools or settings. |
| Brand Partner | Creates posts, comments, stories, livestreams, and communities. Can post as brand. Cannot access user management, ads, admin, roles, or settings. |
| Viewer | Read-only access to most areas, including channels, posts, comments, and communities. Cannot view admin users or settings. |
Permission definitions
| Permission | Allows | Recommended restriction |
|---|---|---|
| Manage Admins | Create admin users, edit profiles, assign roles, and manage community assignments. | New admins should start from a deny-by-default stance until permissions are intentionally assigned. |
| Access Secure Mode | Generate and use elevated Admin Tokens for secure server-to-server API authentication. | Restrict this permission to security or platform engineering teams. Keep it separate from daily operational roles when possible. |
| View-Only Access | View Console pages and data without performing actions. | Use for stakeholders who need visibility into analytics or moderation trends without modification rights. |
Grant first-time access to a portal admin
Portal access and Console permission are separate. A portal Super Admin can open every application’s Console automatically, but every other portal admin starts with no Console role assigned. Until a role is assigned, clicking Go to Console shows a no-permission screen. A portal Super Admin or an existing Console admin can grant access:Assign a role
Select an appropriate role for the user, then save. Choose the narrowest role that fits their duties. See System roles.
Console roles are deny-by-default: a new portal admin has no permissions until a role is assigned here. Grant access intentionally based on the person’s responsibilities.
Admin user management
Create an admin
Onboard a new admin, assign a role, and scope access to the right communities.Assign communities
Choose the communities the admin can manage. Leave the default only when the admin should have all-community access and their role permits it.
All permissions are disabled by default for new admins. Activate permissions intentionally based on the assigned role and community scope.
Edit an admin
Update an existing admin’s role, permissions, or community assignments as responsibilities change.Generate an admin token
Create a secure token for server-to-server API authentication.Governance and best practices
Principle of least privilege
Principle of least privilege
Grant the minimum permissions required for each admin to perform their duties. Avoid using the Admin role for daily operational work when a narrower role is enough.
Separation of duties
Separation of duties
Separate high-risk permissions from operational permissions. For example, an admin with
Access Secure Mode should not also have broad content moderation duties without a secondary approval process.Quarterly access reviews
Quarterly access reviews
Regularly export the admin list and review each account’s permissions and community assignments. Confirm that access still matches the admin’s current role and employment status.
Joiner, mover, leaver process
Joiner, mover, leaver process
Align admin account management with HR processes. Create accounts during onboarding, adjust access when responsibilities change, and revoke access promptly when someone leaves.
Troubleshooting
| Issue | Likely cause | Resolution |
|---|---|---|
| ”Go to Console” shows no permission | The portal admin has no Console role assigned yet. Portal access is separate from Console RBAC. | A portal Super Admin or existing Console admin assigns them a role via Admin Users → Manage admin users → Edit profile & access. See Grant first-time access to a portal admin. |
| Cannot edit another admin | Your role lacks the Manage Admins permission. | Escalate to an admin with the required permission. |
| Admin can see all communities | The admin’s role has global access, or no communities were specified during assignment. | Edit the admin profile and assign specific communities to restrict access. |
| Unauthorized API token creation | The Access Secure Mode permission was over-granted. | Revoke the permission from unauthorized users, rotate exposed tokens, and audit API activity logs. |
Related topics
Security Settings
Configure global authentication controls and session policies.
Admin Tokens
Learn how to use Admin Tokens for secure API access.