Roles & Permissions
Where membership decides who belongs to your organization, roles decide what they can do. Kanshin uses role-based access control: you grant people roles, and each role carries a set of permissions. You manage roles on the Roles page under Security.
Permissions
A permission is a single, specific ability — for example, managing applications or updating the organization. Permissions are named in a clear area:resource:action form so their meaning is legible. You do not assign permissions to people directly; you group them into roles and assign roles.
Built-in roles
Every organization starts with a set of built-in roles covering the common needs:
| Role | For |
|---|---|
| Tenant owner | Full control of the organization; the creator starts as owner |
| Tenant admin | Day-to-day administration of the organization |
| Tenant member | A regular member with read access |
| Tenant viewer | Read-only visibility |
| Platform admin | Elevated cross-cutting administration |
Built-in roles cannot be deleted, so the essential roles are always present.
Custom roles
Beyond the built-in roles you can create custom roles tailored to your organization — a “Application Manager” role that can manage applications but nothing else, for example. Create a role, give it a name, and choose the permissions it grants. You can edit a custom role’s permissions later as needs change.
Assigning roles
You grant a user a role by assigning it. A user can hold several roles, and their abilities are the combined permissions of all the roles they hold.
The read-only Administrators page under Settings gives you a quick view of who holds administrative roles in your organization, so you can see at a glance who can manage what.
Scoping an assignment to a realm
A role assignment can apply to the whole organization or to a single realm. This lets you give someone administrative access in one environment without giving it everywhere — for example, admin rights in your staging realm but not in production. An assignment with no realm applies across all of them.
Related pages
- Members & Invitations — who belongs to the organization
- Application Access — granting app access by role
- Organizations & Realms — realm-scoped assignments