Kanshin Docs / Roles & Permissions

Roles & Permissions

Where membership decides who belongs to your organization, roles decide what they can do. Kanshin uses role-based access control: you grant people roles, and each role carries a set of permissions. You manage roles on the Roles page under Security.

Permissions

A permission is a single, specific ability — for example, managing applications or updating the organization. Permissions are named in a clear area:resource:action form so their meaning is legible. You do not assign permissions to people directly; you group them into roles and assign roles.

Built-in roles

Every organization starts with a set of built-in roles covering the common needs:

RoleFor
Tenant ownerFull control of the organization; the creator starts as owner
Tenant adminDay-to-day administration of the organization
Tenant memberA regular member with read access
Tenant viewerRead-only visibility
Platform adminElevated cross-cutting administration

Built-in roles cannot be deleted, so the essential roles are always present.

Custom roles

Beyond the built-in roles you can create custom roles tailored to your organization — a “Application Manager” role that can manage applications but nothing else, for example. Create a role, give it a name, and choose the permissions it grants. You can edit a custom role’s permissions later as needs change.

Assigning roles

You grant a user a role by assigning it. A user can hold several roles, and their abilities are the combined permissions of all the roles they hold.

The read-only Administrators page under Settings gives you a quick view of who holds administrative roles in your organization, so you can see at a glance who can manage what.

Scoping an assignment to a realm

A role assignment can apply to the whole organization or to a single realm. This lets you give someone administrative access in one environment without giving it everywhere — for example, admin rights in your staging realm but not in production. An assignment with no realm applies across all of them.