# Admin Access Control

> Manage admin roles, permissions, and community assignments to enforce least privilege and secure your console.

Use Admin Access Control in the social.plus Console to manage admin roles, permissions, and community-level access. The goal is to give each admin only the permissions and community scope they need.

<Info>
  Use this page for Console administration workflows such as assigning system roles, creating custom roles, managing admin users, and reviewing high-risk permissions.
</Info>

## Roles and permissions

The Console uses role-based access control (RBAC) to manage admin privileges. You can assign predefined system roles or create custom roles with a specific permission set.

### System roles

| Role                  | Recommended use case                                                                                                                              |
| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Admin**             | Full access to Console features, including channels, communities, posts, moderation, ads, users, roles, and settings.                             |
| **Community Manager** | Manages channels, posts, comments, livestreams, and users in assigned communities. Cannot access user management, admin, or settings.             |
| **Moderator**         | Moderates posts, comments, and users in communities. Cannot create channels, manage categories, post as brand, or access admin or settings.       |
| **Content Creator**   | Creates posts, comments, stories, and communities. Cannot post as brand, manage users, create ads, or access admin tools or settings.             |
| **Brand Partner**     | Creates posts, comments, stories, livestreams, and communities. Can post as brand. Cannot access user management, ads, admin, roles, or settings. |
| **Viewer**            | Read-only access to most areas, including channels, posts, comments, and communities. Cannot view admin users or settings.                        |

<Warning>
  The **Admin** role grants broad privileges. Assign it cautiously. For most team members, use a more specific role such as **Community Manager** or **Moderator**.
</Warning>

### Permission definitions

| Permission         | Allows                                                                                 | Recommended restriction                                                                                                          |
| ------------------ | -------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- |
| Manage Admins      | Create admin users, edit profiles, assign roles, and manage community assignments.     | New admins should start from a deny-by-default stance until permissions are intentionally assigned.                              |
| Access Secure Mode | Generate and use elevated Admin Tokens for secure server-to-server API authentication. | Restrict this permission to security or platform engineering teams. Keep it separate from daily operational roles when possible. |
| View-Only Access   | View Console pages and data without performing actions.                                | Use for stakeholders who need visibility into analytics or moderation trends without modification rights.                        |

## Grant first-time access to a portal admin

Portal access and Console permission are separate. A portal **Super Admin** can open every application's Console automatically, but every other portal admin starts with **no Console role assigned**. Until a role is assigned, clicking **Go to Console** shows a no-permission screen.

A portal **Super Admin** or an existing Console admin can grant access:

<Steps>
  <Step title="Open admin users">
    In the Console, go to the **Admin Users** section and click **Manage admin users**.
  </Step>

  <Step title="Edit the user">
    Find the portal admin in the list and click **Edit profile & access**.
  </Step>

  <Step title="Assign a role">
    Select an appropriate role for the user, then save. Choose the narrowest role that fits their duties. See [System roles](#system-roles).
  </Step>

  <Step title="Confirm access">
    The admin can now open the Console for that application from the Portal.
  </Step>
</Steps>

<Info>
  Console roles are deny-by-default: a new portal admin has no permissions until a role is assigned here. Grant access intentionally based on the person's responsibilities.
</Info>

## Admin user management

### Create an admin

Onboard a new admin, assign a role, and scope access to the right communities.

<Steps>
  <Step title="Navigate to admin users">
    Go to the **Admin Users** section and click **Manage admin users**.
  </Step>

  <Step title="Create a new admin">
    Click **Create new admin**.
  </Step>

  <Step title="Enter identity">
    Provide the user's identity and password, then click **Continue**.
  </Step>

  <Step title="Assign a role">
    Select an appropriate role, such as **Community Manager**.
  </Step>

  <Step title="Assign communities">
    Choose the communities the admin can manage. Leave the default only when the admin should have all-community access and their role permits it.
  </Step>

  <Step title="Review and create">
    Review the summary, then click **Create Admin**.
  </Step>

  <Step title="Onboard">
    Share access guidelines and schedule a 30-day permission review.
  </Step>
</Steps>

<Info>
  All permissions are disabled by default for new admins. Activate permissions intentionally based on the assigned role and community scope.
</Info>

### Edit an admin

Update an existing admin's role, permissions, or community assignments as responsibilities change.

<Steps>
  <Step title="Navigate to admin users">
    Go to the **Admin Users** section and click **Manage admin users**.
  </Step>

  <Step title="Select admin">
    Click **Edit** next to the target admin.
  </Step>

  <Step title="Adjust profile and role">
    Update the admin display name or assigned role.
  </Step>

  <Step title="Adjust community assignments">
    Add or remove communities from the admin's scope.
  </Step>

  <Step title="Save and log">
    Click **Save Changes** and document the reason in your internal change log.
  </Step>
</Steps>

### Generate an admin token

Create a secure token for server-to-server API authentication.

<Steps>
  <Step title="Navigate to admin users">
    Go to the **Admin Users** section and click **Manage admin users**.
  </Step>

  <Step title="Select admin">
    Click the settings icon next to the target admin.
  </Step>

  <Step title="Generate token">
    Click **Generate**, then copy the token for use in API calls.
  </Step>
</Steps>

<Warning>
  Treat admin tokens as high-risk credentials. Generate them only for admins who require **Access Secure Mode**.
</Warning>

## Governance and best practices

<AccordionGroup>
  <Accordion title="Principle of least privilege" icon="lock">
    Grant the minimum permissions required for each admin to perform their duties. Avoid using the **Admin** role for daily operational work when a narrower role is enough.
  </Accordion>

  <Accordion title="Separation of duties" icon="shield-check">
    Separate high-risk permissions from operational permissions. For example, an admin with `Access Secure Mode` should not also have broad content moderation duties without a secondary approval process.
  </Accordion>

  <Accordion title="Quarterly access reviews" icon="clipboard-check">
    Regularly export the admin list and review each account's permissions and community assignments. Confirm that access still matches the admin's current role and employment status.
  </Accordion>

  <Accordion title="Joiner, mover, leaver process" icon="user-check">
    Align admin account management with HR processes. Create accounts during onboarding, adjust access when responsibilities change, and revoke access promptly when someone leaves.
  </Accordion>
</AccordionGroup>
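
The access review described above can be partly automated once the admin list is exported. The script below is an added example, not social.plus code: it checks each account against the least-privilege, separation-of-duties, community-scope, and leaver rules on this page. The CSV layout, column names, and sample rows are assumptions constructed for illustration, so map them to the fields your actual export contains.

```python
import csv
import io
from datetime import date

# Constructed sample export. Column names are assumptions for this example;
# map them to whatever your actual admin list export contains.
SAMPLE_EXPORT = """\
admin,role,permissions,communities,active_employee,last_review
alice,Admin,Manage Admins;Access Secure Mode,,yes,2025-01-10
bob,Moderator,Access Secure Mode,c-news,yes,2025-05-02
carol,Community Manager,,c-news;c-sports,yes,2025-05-20
dave,Viewer,View-Only Access,,no,2025-04-01
erin,Community Manager,,,yes,2025-05-15
"""

# Roles the system roles table describes as managing or moderating content.
MODERATION_ROLES = {"Admin", "Community Manager", "Moderator"}
REVIEW_INTERVAL_DAYS = 90  # quarterly review cadence


def review_admins(export_text, today):
    """Return {admin: [findings]} for accounts that need attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        perms = {p.strip() for p in row["permissions"].split(";") if p.strip()}
        communities = [c for c in row["communities"].split(";") if c.strip()]
        issues = []
        if row["active_employee"].strip().lower() != "yes":
            issues.append("leaver: revoke access")
        if row["role"] == "Admin":
            issues.append("Admin role: confirm a narrower role is not enough")
        if "Access Secure Mode" in perms and row["role"] in MODERATION_ROLES:
            issues.append("Access Secure Mode combined with moderation duties")
        if not communities and row["role"] != "Admin":
            issues.append("no communities specified: all-community scope")
        age = (today - date.fromisoformat(row["last_review"])).days
        if age > REVIEW_INTERVAL_DAYS:
            issues.append(f"review overdue ({age} days)")
        if issues:
            findings[row["admin"]] = issues
    return findings


if __name__ == "__main__":
    for admin, issues in review_admins(SAMPLE_EXPORT, date(2025, 6, 1)).items():
        print(admin, "->", "; ".join(issues))
```

Each finding is a prompt for a human decision: a flagged account may be legitimate if a secondary approval process or a documented exception covers it.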

## Troubleshooting

| Issue                               | Likely cause                                                                                    | Resolution                                                                                                                                                                                                                        |
| ----------------------------------- | ----------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| "Go to Console" shows no permission | The portal admin has no Console role assigned yet. Portal access is separate from Console RBAC. | A portal Super Admin or existing Console admin assigns them a role via **Admin Users → Manage admin users → Edit profile & access**. See [Grant first-time access to a portal admin](#grant-first-time-access-to-a-portal-admin). |
| Cannot edit another admin           | Your role lacks the `Manage Admins` permission.                                                 | Escalate to an admin with the required permission.                                                                                                                                                                                |
| Admin can see all communities       | The admin's role has global access, or no communities were specified during assignment.         | Edit the admin profile and assign specific communities to restrict access.                                                                                                                                                        |
| Unauthorized API token creation     | The `Access Secure Mode` permission was over-granted.                                           | Revoke the permission from unauthorized users, rotate exposed tokens, and audit API activity logs.                                                                                                                                |

## Related topics

<CardGroup cols={2}>
  <Card title="Security Settings" icon="lock" href="/analytics-and-moderation/console/settings/security">
    Configure global authentication controls and session policies.
  </Card>

  <Card title="Admin Tokens" icon="key" href="/analytics-and-moderation/console/settings/admin-tokens">
    Learn how to use Admin Tokens for secure API access.
  </Card>
</CardGroup>
