Access control

Nanami uses two layers of access control:

  1. Account roles — built-in roles on the user record.
  2. RBAC roles — scoped roles (tenant/group) that grant permission keys.

Account roles

  • super_admin — full access across tenants (SaaS).
  • admin — tenant-level admin access.
  • member — default user role.

Account roles control platform-level operations (bootstrap, SSO, billing).

RBAC roles and permissions

RBAC roles define permission keys such as:

  • network.read, network.write
  • relay.read, relay.write
  • agents.read, agents.update
  • membership.manage

Roles are scoped:

  • Global: system-wide.
  • Tenant: within a tenant.
  • Group: within a specific group.

Managing users & access

In the WebUI:

  • Go to Users & Access.
  • Assign users to groups.
  • Add tenant roles or group roles (SaaS).
  • Use reset password when onboarding users.

Community vs SaaS

  • Community: RBAC assignments work, but role/permission editor endpoints are disabled. Local admins act like tenant admins in the single default tenant.
  • SaaS: super admins manage platform-wide resources; tenant admins manage RBAC within their tenant.

RBAC boundaries

  • Tenant admins cannot grant super_admin or global-scope permissions.
  • Tenant admins cannot remove the last active tenant admin.
  • System roles are immutable; custom roles are tenant- or group-scoped.
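
The scope rules and boundaries above can be modelled as three checks. This is an added example, not Nanami's code, schema or API: the Grant type, the role names net-operator and relay-viewer, the function names and the sample data are hypothetical, and it assumes a tenant-scoped grant also covers groups inside that tenant.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical model for illustration only; not Nanami's schema or API.
@dataclass(frozen=True)
class Grant:
    user: str
    role: str                     # RBAC role name (constructed below)
    scope: str                    # "global" | "tenant" | "group"
    tenant: Optional[str] = None
    group: Optional[str] = None

# Constructed roles built from permission keys listed on this page.
ROLE_PERMS = {"net-operator": {"network.read", "network.write"},
              "relay-viewer": {"relay.read"}}
# Constructed sample data.
GRANTS = [Grant("alice", "net-operator", "tenant", "t1"),
          Grant("bob", "relay-viewer", "group", "t1", "g1")]
USERS = {"carol": {"tenant": "t1", "role": "admin", "active": True},
         "dave": {"tenant": "t1", "role": "admin", "active": False}}

def allowed(grants, user, perm, tenant, group=None):
    """True if a grant whose scope covers (tenant, group) carries perm."""
    for g in grants:
        if g.user != user or perm not in ROLE_PERMS.get(g.role, ()):
            continue
        if g.scope == "global":
            return True
        if g.tenant != tenant:
            continue  # tenant and group grants never cross tenants
        # Assumption: a tenant-scoped grant also covers that tenant's groups.
        if g.scope == "tenant" or (group and g.scope == "group" and g.group == group):
            return True
    return False

def can_grant(actor_role, actor_tenant, new):
    """Tenant admins may grant only tenant/group scope inside their own tenant."""
    if actor_role == "super_admin":
        return True
    return (actor_role == "admin" and new.scope in ("tenant", "group")
            and new.tenant == actor_tenant)

def can_remove_admin(users, target):
    """Refuse to remove the last active admin of the target's tenant."""
    t = users[target]["tenant"]
    active = {u for u, r in users.items()
              if r["tenant"] == t and r["role"] == "admin" and r["active"]}
    return target not in active or len(active) > 1
```

Running the same checks over an export of real assignments is a quick way to audit for grants that cross a tenant boundary or a tenant left with a single active admin.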

See the Roadmap for upcoming improvements.