Skip to Content
DocumentationReferencesRoles

Roles

Roles in Qrambo define the permissions and access levels for users within an organization. They are part of the organization’s policy and help maintain proper access control.

Access Control

Permissions are granularly defined across different resources:

  • Organization management
  • Queue operations
  • Task management
  • User management
  • Token operations
  • Statistics access

Role Hierarchy

Qrambo implements a hierarchical role system where higher-level roles inherit permissions from lower-level roles. The main roles are:

Core Roles

  1. OWNER

    • Highest level of access
    • Can perform all operations including organization deletion
    • Can transfer organization ownership
    • Can update organization name and profile picture
    • Inherits all ADMIN permissions

  2. ADMIN

    • Full control over the system except organization deletion
    • Can manage all users including OPS_MANAGERS
    • Can manage robot configurations
    • Inherits all OPS_MANAGER permissions

  3. OPS_MANAGER

    • Can manage reviewers and their configurations
    • Access to queue statistics and management
    • Can view and manage reviewer statistics
    • Cannot modify certain user attributes (tokens, names, profile pictures)
    • Inherits REVIEWER_LEVEL_3 permissions

  4. REVIEWER_LEVEL_3

    • Advanced reviewer with queue listing capabilities
    • Inherits REVIEWER_LEVEL_2 permissions

  5. REVIEWER_LEVEL_2

    • Access to global keys management
    • Inherits REVIEWER_LEVEL_1 permissions

  6. REVIEWER_LEVEL_1

    • Can create and manage tasks
    • Can update task priorities and assignments
    • Can manage reviewer lists
    • Inherits REVIEWER_LEVEL_0 permissions

  7. REVIEWER_LEVEL_0

    • Basic reviewer role
    • Can grab and skip tasks

  8. BACKEND_ROBOT or Virtual User or AI AGENT

    • Special role for automated operations
    • Can manage user tokens
    • Has advanced system access

  9. NOONE -Default restrictive role with no Permissions

We are using Casbin for role-based access control, which is a powerful and flexible library for access control. We can customize our policies to fit your needs.

Best Practices

  1. Follow principle of least privilege
  2. Keep robot accounts separate with BACKEND_ROBOT role
  3. Regularly audit role assignments
  4. Use OPS_MANAGER for day-to-day operations management
  5. Reserve ADMIN and OWNER roles for critical operations
Last updated on
NotificationBatch Processing