
Roles & Permissions

License Required

The multi-user role-based access control (RBAC) system described on this page is a premium feature that requires a valid Docunara license. Without a license, only the single admin account (defined by ADMIN_EMAIL / ADMIN_PASSWORD) is available. See Licensing for details.

When the database is enabled (DB_ENABLED=true) and a valid license is configured, Docunara uses a role-based access control system to manage what each user can do. There are four predefined roles.

User Roles

| Role | Code | User Management | Document Access | Description |
|---|---|---|---|---|
| Admin | admin | All users | Full access | Full system administration |
| Operator | operator | All except admin | Full access | User management + full document access |
| Content Operator | content_operator | None | Full access | Can edit all documents |
| Content Manager | content_manager | None | Assigned scope only | Limited to specific locales/paths |

Admin

The admin role has unrestricted access to everything in the system:

  • Create, edit, and delete all users (including other admins)
  • Access and edit all documents across all locales
  • Manage system settings

Operator

Operators can manage users and access all documents, but they cannot modify admin accounts:

  • Create, edit, and delete users (except admin users)
  • Access and edit all documents across all locales

Content Operator

Content operators have full document access but no user management capabilities:

  • Access and edit all documents across all locales
  • Cannot manage users or system settings

Content Manager

Content managers have the most restricted access — they can only access documents within their assigned scope:

  • Access and edit only the documents they have been granted permission for
  • Cannot manage users or system settings

Permission Scope

Permissions for the content_manager role are defined by three dimensions:

| Dimension | Description | Example |
|---|---|---|
| Locale | Language/locale restriction | en, ko, or null (all locales) |
| Document Path | Folder path restriction | Signer/, Otpkey/guides/, or null (all documents) |
| Actions | Allowed operations | ["read"], ["read", "write"], ["read", "write", "create", "delete"] |

Available Actions

| Action | Description | HTTP Methods |
|---|---|---|
| read | View documents and folder contents | GET |
| write | Edit existing documents and folders | PUT, PATCH |
| create | Create new documents and folders | POST |
| delete | Delete documents and folders | DELETE |

How Permissions Work

Each content manager can have one or more permission entries. A request is allowed if any permission entry matches the requested locale, document path, and action.

Example permissions for a user:

| Locale | Document Path | Actions |
|---|---|---|
| en | Signer/ | ["read", "write", "create"] |
| ko | Signer/ | ["read"] |
| null | Otpkey/guides/ | ["read", "write", "create", "delete"] |

This user can:

  • Read, write, and create English documents under Signer/
  • Read Korean documents under Signer/
  • Read, write, create, and delete documents under Otpkey/guides/ in any locale

Path Matching

  • A path like Signer/ grants access to the entire Signer/ directory and all subdirectories
  • A null path grants access to all documents
  • A null locale grants access across all locales
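
The matching rules from How Permissions Work and Path Matching, written out as an added example (this is not Docunara's own code). The function names, the dict shape of an entry, the rejection of `..` segments, and the deny-by-default handling of unmapped HTTP methods are assumptions made for illustration.

```python
# HTTP method -> action, from the "Available Actions" table.
METHOD_ACTION = {"GET": "read", "PUT": "write", "PATCH": "write",
                 "POST": "create", "DELETE": "delete"}

# The example permission entries from "How Permissions Work" (None stands for null).
EXAMPLE_ENTRIES = [
    {"locale": "en", "path": "Signer/", "actions": ["read", "write", "create"]},
    {"locale": "ko", "path": "Signer/", "actions": ["read"]},
    {"locale": None, "path": "Otpkey/guides/",
     "actions": ["read", "write", "create", "delete"]},
]


def normalize(doc_path):
    """Drop empty and '.' segments; return None for any path containing '..'.

    Assumption: normalizing before matching is added here; the page does not
    describe how Docunara canonicalizes paths.
    """
    parts = [p for p in doc_path.replace("\\", "/").split("/") if p not in ("", ".")]
    return None if ".." in parts else "/".join(parts)


def path_in_scope(scope, target):
    """True if the normalized target lies in the scope directory or below it."""
    if scope is None:          # null path: all documents
        return True
    base = normalize(scope)
    if not base:               # empty or malformed scope grants nothing
        return False
    # Compare on a segment boundary so "Signer/" does not cover "SignerExtra/".
    return target == base or target.startswith(base + "/")


def is_allowed(entries, method, locale, doc_path):
    """Allow if ANY entry matches locale, document path and action."""
    action = METHOD_ACTION.get(method.upper())
    target = normalize(doc_path)
    if action is None or target is None:
        return False           # unmapped method or '..' in path: deny
    return any(
        e["locale"] in (None, locale)
        and path_in_scope(e["path"], target)
        and action in e["actions"]
        for e in entries
    )
```

A plain string-prefix comparison without the segment boundary and `..` handling would let a Signer/ entry match SignerExtra/ or Signer/../Otpkey/, which is why both checks are included.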

Managing Users

Admins and operators can manage users through the User Management panel in the editor UI:

  • Create new user accounts with a role assignment
  • Edit user details (name, role, active status)
  • Deactivate users without deleting their accounts (set inactive)
  • Reset passwords for other users
  • Delete user accounts

Users can also change their own password from the editor.

Managing Permissions

Admins and operators can manage content_manager permissions through the editor UI:

  1. Open the User Management panel (available to admin and operator roles)
  2. Select a user to view or edit their permissions
  3. Add or remove permission entries specifying locale, document path, and allowed actions

Note

Only content_manager users require explicit permission entries. The admin, operator, and content_operator roles have full document access by default.

Without a License

When no valid license is configured, the RBAC system is not active:

  • Only the single admin account (ADMIN_ID / ADMIN_EMAIL + ADMIN_PASSWORD) can access the editor
  • The admin has full access to all documents
  • User management UI is not available
  • Document search remains available if DB_ENABLED=true