This guide covers the configuration of admin roles, permissions, and community-level access to enforce the principle of least privilege. Learn how to create custom roles, manage admin users, and audit console activities effectively.

System Roles

Use a set of predefined roles for common administrative tasks.

Assign Access

Assign admins to roles and specific communities.

Enforce Least Privilege

Grant only the permissions necessary for an admin’s duties.

Manage Secure Mode

Restrict and monitor access to high-risk capabilities.

Roles and Permissions

Amity Console uses a Role-Based Access Control (RBAC) model to provide granular control over admin privileges. You can create custom roles with specific permissions and assign them to admin users.

System Roles

The platform includes a set of predefined system roles that can be assigned to admins. While these roles have a default set of permissions, you can also create your own custom roles.
Role | Recommended Use Case
Admin | Has full access to all console features, including channels, communities, posts, moderation, ads, users, roles, and settings.
Community Manager | Can manage channels, posts, comments, livestreams, and users in assigned communities. Can’t access user management, admin, or settings.
Moderator | Can moderate posts, comments, and users in communities. Can’t create channels, manage categories, post as brand, or access admin or settings.
Content Creator | Can create posts, comments, stories, and communities. Can’t post as brand, manage users, create ads, or access admin tools or settings.
Brand Partner | Can create posts, comments, stories, livestreams, and communities. Can post as brand. No access to user management, ads, admin, roles, or settings.
Viewer | Read-only access to most areas, including channels, posts, comments, and communities. Can’t view admin users or settings.

The Admin role grants extensive privileges. Assign it cautiously. For most team members, use more specific roles like Community Manager or Moderator.

Permission Definitions

Allows: Creating new admin users, editing their profiles, assigning roles, and managing community assignments.
Restriction: All new admins are created with a “deny-by-default” stance, with no permissions enabled initially.

Allows: Generating and using elevated Admin Tokens for secure server-to-server API authentication.
Restriction: Confine this permission to security and platform engineering teams. Separate it from daily operational roles to follow the principle of separation of duties.

Allows: Viewing console pages and data without the ability to perform actions.
Use Case: Ideal for stakeholders who need visibility into analytics or moderation trends without having modification rights.

Admin User Management

  • Create Admin
  • Edit Admin
  • Generate Admin Token

Create New Admin

Onboard a new admin, assign a predefined role, and scope their access to specific communities.
1. Navigate to Admins: Go to the Admin Users section and click “Manage admin users”.
2. Create New Admin: Click the “Create new admin” button.
3. Enter Identity: Provide the user’s identity and password, then click “Continue”.
4. Assign Role: Select an appropriate role from the list (e.g., “Community manager”).
5. Assign to Communities: Specify which communities the admin can manage. Leave the default to grant access to all communities (if their role permits).
6. Review and Create: Review the creation summary, then click “Create Admin”.
7. Onboard: Share access guidelines and schedule a 30-day permission review to ensure the assigned rights are appropriate.

All permissions are disabled by default for new admins. They must be activated intentionally based on the assigned role, following the principle of least privilege.

Governance & Best Practices

Always grant the minimum set of permissions required for an admin to perform their duties. Avoid using the Super Admin role for daily tasks.
Separate high-risk permissions from operational ones. For example, an admin with Access Secure Mode should not also have broad content moderation duties without a secondary approval process.
Regularly export the admin list and review each account’s permissions and community assignments. Verify that the access level is still appropriate for their role and employment status.
Integrate admin account management with your HR processes. Ensure accounts are created upon hiring, modified upon role change, and revoked promptly upon departure (e.g., within 24 hours).
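
The periodic review described above can be run as a script over an exported admin list. The following Python example is added here and is not Amity code; the CSV columns, the HR fields and the finding labels are assumptions, because the console's export format is not shown on this page.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Column names are assumptions for this example,
# not the console's actual export schema; hr_* columns come from an HR feed.
SAMPLE_EXPORT = """\
admin,role,permissions,communities,hr_status,hr_departed_at
alice,Admin,Manage Admins;Access Secure Mode,,active,
bob,Moderator,Access Secure Mode,c-101,active,
carol,Community Manager,,,active,
dave,Viewer,,c-102,departed,2024-05-01T09:00:00
erin,Moderator,,c-101;c-102,active,
"""

# Roles the page describes as carrying moderation duties.
MODERATION_ROLES = {"Admin", "Moderator"}
REVOCATION_WINDOW = timedelta(hours=24)


def review_admins(export_text, now):
    """Return (admin, finding) pairs for accounts a reviewer must look at."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        name, role = row["admin"], row["role"]
        perms = {p for p in row["permissions"].split(";") if p}
        communities = [c for c in row["communities"].split(";") if c]

        # The Admin role has full console access: each holder needs a justification.
        if role == "Admin":
            findings.append((name, "full-admin-role"))
        # Separation of duties: Secure Mode access combined with moderation.
        if "Access Secure Mode" in perms and role in MODERATION_ROLES:
            findings.append((name, "secure-mode-with-moderation"))
        # No community assignment means every community the role permits.
        if role != "Admin" and not communities:
            findings.append((name, "unscoped-communities"))
        # A departed person still listed after the window was not revoked in time.
        if row["hr_status"] == "departed" and row["hr_departed_at"]:
            departed = datetime.fromisoformat(row["hr_departed_at"])
            if now - departed > REVOCATION_WINDOW:
                findings.append((name, "not-revoked-after-departure"))
    return findings


if __name__ == "__main__":
    for admin, finding in review_admins(SAMPLE_EXPORT, datetime(2024, 5, 3, 9, 0)):
        print(f"{admin}: {finding}")
```

An empty result for an account means none of these four checks fired, not that its role is appropriate; the reviewer still confirms the role against the person's current duties.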

Troubleshooting

Issue | Likely Cause | Resolution
Cannot edit another admin | Your role lacks the “Manage Admins” permission. | Escalate to a Super Admin or an admin with the required permission to make the change.
Admin can see all communities | The admin’s role has global access, or no communities were specified during assignment. | Edit the admin’s profile and assign them to specific communities to restrict their view.
Unauthorized API token creation | The Access Secure Mode permission has been over-granted. | Revoke the permission from unauthorized users, rotate any exposed tokens, and audit API activity logs.
