Role-Based Access Control
Elydora enforces fine-grained access control with five predefined roles. Higher privilege levels inherit all permissions from lower levels.
Roles
org_owner (Level 50)
Full administrative access. Can manage users, roles, and all platform features. Assigned automatically to the account creator.
- All permissions
- Manage organization settings
- Assign and modify user roles
- Delete organization data
security_admin (Level 40)
Manages agent lifecycle and security controls. Can freeze and revoke agents.
- Freeze agents
- Unfreeze agents
- Revoke agent keys
- View agent details
- View operations
- Query audit log
compliance_auditor (Level 30)
Full read access to audit logs and export capabilities. Designed for compliance and legal teams.
- Query audit log
- Create and download exports
- View operations
- View agent details
- View epochs
integration_engineer (Level 20)
Can register agents, update agent configuration, and submit operations. The primary role for agent integration workflows.
- Register agents
- Update agent integration type
- Submit operations
readonly_investigator (Level 10)
Read-only access to operations, agents, and epochs. Cannot modify any data or export records.
- View operations
- Verify operations
- View agent details
- View epochs
Permissions Matrix
The following table shows the minimum role required for each API endpoint. Users with a higher-level role (higher level number) can access all endpoints available to lower-level roles.
| Endpoint | Minimum Role |
|---|---|
| POST /api/auth/sign-up/email | Public |
| POST /api/auth/sign-in/email | Public |
| GET /api/auth/session | Any authenticated |
| POST /api/auth/session/refresh | Any authenticated |
| POST /v1/auth/token | Any authenticated |
| POST /v1/agents/register | integration_engineer |
| GET /v1/agents | readonly_investigator |
| GET /v1/agents/:agent_id | readonly_investigator |
| PATCH /v1/agents/:agent_id | integration_engineer |
| DELETE /v1/agents/:agent_id | security_admin |
| POST /v1/agents/:agent_id/freeze | security_admin |
| POST /v1/agents/:agent_id/unfreeze | security_admin |
| POST /v1/agents/:agent_id/revoke | security_admin |
| POST /v1/operations | integration_engineer |
| GET /v1/operations/:operation_id | readonly_investigator |
| POST /v1/operations/:operation_id/verify | readonly_investigator |
| POST /v1/audit/query | compliance_auditor |
| GET /v1/epochs | readonly_investigator |
| GET /v1/epochs/:epoch_id | readonly_investigator |
| POST /v1/exports | compliance_auditor |
| GET /v1/exports | compliance_auditor |
| GET /v1/exports/:export_id | compliance_auditor |
| GET /v1/exports/:export_id/download | compliance_auditor |
| GET /.well-known/elydora/jwks.json | Public |
| GET /v1/health | Public |
Role Inheritance
Roles follow a hierarchical model. An org_owner (Level 50) can perform all actions that a security_admin (Level 40) can, and so on down the chain. This means:
- org_owner (50) can do everything
- security_admin (40) can do everything except manage org settings and roles
- compliance_auditor (30) can query audits, create exports, and read operations
- integration_engineer (20) can register agents, update agent configuration, and submit operations
- readonly_investigator (10) can read operations, agents, and epochs
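
The level comparison and minimum-role lookup described above, as an added example (not Elydora's own code). `MATRIX` is a constructed subset of the table, and `is_allowed` and `_matches` are hypothetical names; treating "Any authenticated" as "holds any known role" is an assumption.

```python
# Level numbers as given in the Role Inheritance list.
ROLE_LEVELS = {
    "org_owner": 50,
    "security_admin": 40,
    "compliance_auditor": 30,
    "integration_engineer": 20,
    "readonly_investigator": 10,
}

# Constructed subset of the permissions matrix (method, route, minimum role).
MATRIX = [
    ("GET", "/v1/health", "Public"),
    ("POST", "/v1/auth/token", "Any authenticated"),
    ("POST", "/v1/agents/register", "integration_engineer"),
    ("GET", "/v1/agents/:agent_id", "readonly_investigator"),
    ("PATCH", "/v1/agents/:agent_id", "integration_engineer"),
    ("POST", "/v1/agents/:agent_id/freeze", "security_admin"),
    ("POST", "/v1/audit/query", "compliance_auditor"),
    ("GET", "/v1/exports/:export_id/download", "compliance_auditor"),
]


def _matches(pattern, path):
    # ":name" matches exactly one non-empty segment, so
    # /v1/agents/:agent_id never swallows /v1/agents/a1/freeze.
    p, s = pattern.split("/"), path.split("/")
    return len(p) == len(s) and all(
        (a.startswith(":") and b != "") or a == b for a, b in zip(p, s)
    )


def is_allowed(method, path, role=None):
    """Hypothetical check; role is None for an unauthenticated caller."""
    path = path.split("?", 1)[0]  # ignore any query string
    for m, pattern, minimum in MATRIX:
        if m != method.upper() or not _matches(pattern, path):
            continue
        if minimum == "Public":
            return True
        level = ROLE_LEVELS.get(role)  # None for missing or unknown role
        if level is None:
            return False
        # Assumption: "Any authenticated" means any caller holding a known role.
        return minimum == "Any authenticated" or level >= ROLE_LEVELS[minimum]
    return False  # route not in the matrix: deny by default
```

Because the hierarchy is strictly linear, a compliance_auditor (30) also passes every integration_engineer (20) check, such as PATCH /v1/agents/:agent_id.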