02 · ROLES

Forty toggles. One resolver.

Custom roles, custom names, custom colours. Auto-promotion. Per-category overrides. Self-assignable opt-in roles.

Forty permission keys, an open role model, and a resolver that always shows its work.

PERMISSION CATALOGUE
40 permission keys, 8 categories
POSTS: Threads — who can write them, edit them, pin them, lock them.
ANATOMY
  1. Forty permission keys

    Shipped

    Grouped into eight categories: posts (7), comments (6), reactions (3), moderation (8), settings (6), roles (4), domain (3), billing (3). Every key is independently grantable; no enum locks two unrelated capabilities together.

  2. Custom names + colours

    Shipped

    Rename "Moderator" to "Vigil". Call new members "Lanterns". Pick any spot colour. The role's name and tint show in post bylines, the member list, and the mod HUD.

  3. Per-category overrides

    Shipped

    One role can behave differently in #announcements than it does in #lounge. Override the grant or the deny; the resolver tells you exactly which override is in effect for any (member, channel, permission) triple.

  4. Auto-promotion

    Shipped

    Set a rule on any role — "30+ days since joining AND 10+ threads posted" — and a nightly job promotes everyone who meets it. Four measurable axes: days, threads, comments, reactions. Stack up to eight criteria with all or any.

  5. Self-assignable roles

    Shipped

    Members give themselves opt-in flags — "I'm a developer", "Beta tester", pronoun preferences, colour groups. The owner picks which roles are self-assignable; staff roles never are.

  6. The Why? debugger

    Shipped

    Pick a member, pick a permission. The resolver shows every role they hold, every grant, every deny, every override, and the final resolved state — with the audit-log row that explains how they got there. Cuts support time on "why can't I" questions in half.

UNDER THE HOOD
  1. Permissions resolve at request time, cached per session for the life of the request.
  2. The cache busts on role change for the affected member only — no global flush, no stampede.
  3. Every assignment (manual or auto-promoted) writes to the audit log, with the rule snapshot attached.
  4. The Why? debugger replays the resolution against the live audit log so you can answer the question six months later.
  5. The nightly auto-promotion job runs at 06:00 UTC and sends an in-app notification to every promoted member.
WHAT THIS ISN'T
  • No auto-revoke

    Once promoted, members keep the role until you remove them by hand. Demotion-by-inactivity is the kind of feature that goes wrong in interesting ways; we left it off deliberately.

  • No auto-promote into staff

    Owner / Admin / Moderator roles can't carry promotion rules. Activity-based access to moderation powers is the wrong default — use per-category overrides instead.

  • Daily promotion, not real-time

    The nightly job is easier to reason about than a stream of intra-day promotions. Sub-daily activity wouldn't materially change who hits the bar.
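The auto-promotion constraints described above, sketched as an added example (not the product's own code): a rule validator that refuses staff roles and more than eight criteria, and a nightly pass that only ever adds roles and records the rule snapshot. The role ids, field names, function names and sample members are assumptions; staff roles are matched by id rather than display name because names are customisable.

```python
from dataclasses import dataclass

AXES = {"days", "threads", "comments", "reactions"}  # the four axes the page lists
STAFF_ROLE_IDS = {"owner", "admin", "moderator"}     # assumed stable ids, not display names
MAX_CRITERIA = 8

@dataclass(frozen=True)
class Rule:
    role_id: str
    mode: str        # "all" or "any"
    criteria: tuple  # ((axis, minimum), ...)

def validate(rule):
    """Refuse rules that would grant staff powers or fall outside the stated limits."""
    if rule.role_id in STAFF_ROLE_IDS:
        raise ValueError(f"{rule.role_id}: staff roles cannot carry promotion rules")
    if rule.mode not in ("all", "any"):
        raise ValueError(f"unknown mode {rule.mode!r}")
    if not 1 <= len(rule.criteria) <= MAX_CRITERIA:
        raise ValueError("a rule needs between 1 and 8 criteria")
    for axis, minimum in rule.criteria:
        if axis not in AXES or minimum < 0:
            raise ValueError(f"bad criterion {axis!r} >= {minimum!r}")
    return rule

def meets(rule, stats):
    combine = all if rule.mode == "all" else any
    return combine(stats.get(axis, 0) >= minimum for axis, minimum in rule.criteria)

def nightly_run(rules, members, audit_log):
    """Add roles to members who qualify. Nothing is ever removed (no auto-revoke)."""
    promoted = []
    for rule in [validate(r) for r in rules]:  # validate everything before mutating
        for name, member in members.items():
            if rule.role_id not in member["roles"] and meets(rule, member["stats"]):
                member["roles"].add(rule.role_id)
                audit_log.append({"member": name, "role": rule.role_id,
                                  "source": "auto-promotion", "rule_snapshot": rule})
                promoted.append((name, rule.role_id))
    return promoted

def sample_members():
    """Constructed sample data, not taken from the page."""
    return {
        "ada": {"roles": set(), "stats": {"days": 45, "threads": 12}},
        "ben": {"roles": set(), "stats": {"days": 90, "threads": 2}},
        "cy": {"roles": {"regular"}, "stats": {"days": 3, "threads": 0}},
    }
```

Validating every rule before touching any member means one malformed or staff-targeting rule aborts the whole run instead of leaving a partial set of promotions behind.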
