Role-Based Access Control
Elydora enforces fine-grained access control with five predefined roles. Higher-level roles inherit all permissions from lower levels.
Roles
Full administrative access. Can manage users, roles, and all platform features. Assigned automatically to the account creator.
- All permissions
- Manage organization settings
- Assign and modify user roles
- Delete organization data
Manages agent lifecycle and security controls. Can freeze and revoke agents.
- Freeze agents
- Revoke agent keys
- View agent details
- View operations
- Query audit log
Full read access to audit logs and export capabilities. Designed for compliance and legal teams.
- Query audit log
- Create and download exports
- View operations
- View agent details
- View epochs
Read-only access to operations, agents, and epochs. Cannot modify any data or export records.
- View operations
- Verify operations
- View agent details
- View epochs
Can register agents and submit operations. The primary role for agent integration workflows.
- Register agents
- Submit operations
Permissions Matrix
The following table shows the minimum role required for each API endpoint. Users with a higher-level role (lower level number) can access all endpoints available to lower-level roles.
| Endpoint | Minimum Role |
|---|---|
| POST /v1/auth/register | Public |
| POST /v1/auth/login | Public |
| GET /v1/auth/me | Any authenticated |
| POST /v1/auth/refresh | Any authenticated |
| POST /v1/agents/register | integration_engineer |
| GET /v1/agents/:agent_id | readonly_investigator |
| POST /v1/agents/:agent_id/freeze | security_admin |
| POST /v1/agents/:agent_id/revoke | security_admin |
| POST /v1/operations | integration_engineer |
| GET /v1/operations/:operation_id | readonly_investigator |
| POST /v1/operations/:operation_id/verify | readonly_investigator |
| POST /v1/audit/query | compliance_auditor |
| GET /v1/epochs | readonly_investigator |
| GET /v1/epochs/:epoch_id | readonly_investigator |
| POST /v1/exports | compliance_auditor |
| GET /v1/exports | compliance_auditor |
| GET /v1/exports/:export_id | compliance_auditor |
| GET /v1/exports/:export_id/download | compliance_auditor |
| GET /.well-known/elydora/jwks.json | Public |
Role Inheritance
Roles follow a hierarchical model. An org_owner (Level 1) can perform all actions that a security_admin (Level 2) can, and so on down the chain. This means:
- org_owner can do everything
- security_admin can do everything except manage org settings and roles
- compliance_auditor can query audits, create exports, and read operations
- readonly_investigator can read operations, agents, and epochs
- integration_engineer can register agents and submit operations