Roles and Permissions
This guide explains what each role can do and why some actions are intentionally restricted.
Community Roles
| Role | Main Use | Key Powers | Key Restrictions |
|---|---|---|---|
| OWNER | Final authority | Full control, ownership transfer, destructive actions | Cannot leave while still owner |
| ADMIN | Governance operator | Settings, branding, roles, invites, moderation | No ownership transfer |
| MANAGER | Event operations lead | Event lifecycle, tickets, attendance ops, updates | No full hub governance |
| MEMBER | Standard participant | Join events, hold/transfer tickets, chat where allowed | No admin controls |
Event Staff Permissions (Event-Scoped)
Event staff can be assigned explicit permissions per event, such as:
- SCAN_TICKETS
- VIEW_ATTENDEE_LIST
- EDIT_EVENT
- MANAGE_TICKETS
- ISSUE_COMP_TICKETS
- OVERRIDE_CONSENT
This allows event-day delegation without granting full hub governance.
Who Should Have Which Role?
- Use OWNER for a very small number of trusted people.
- Use ADMIN for people responsible for hub governance.
- Use MANAGER for reliable event operators.
- Use event staff permissions when someone should operate one event only.
Practical Capability Matrix
| Capability | OWNER | ADMIN | MANAGER | Event Staff (with permission) |
|---|---|---|---|---|
| Hub branding/settings/roles | Yes | Yes | No | No |
| Hub invite governance | Yes | Yes | Limited by policy | No |
| Event create/edit/publish | Yes | Yes | Yes | Limited |
| Ticket operations/refunds/comps | Yes | Yes | Yes | Limited |
| Scanner validation | Yes | Yes | Yes | Yes (SCAN_TICKETS) |
| Consent override at scanner | Yes | Yes | No | Yes (OVERRIDE_CONSENT) |
Why You Sometimes See 404 Instead of 403
HubIRL uses privacy-by-default for sensitive resources:
- 404 can mean “not found” or “not allowed to know this exists”.
- This prevents existence leakage of private hubs, events, and records.
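The check below is an added example, not HubIRL's own code. It shows a handler returning the identical 404 for a missing event and for a private event the caller has no hub role or staff permission on, with capabilities taken from the matrix above. The function, data and the HUB_GOVERNANCE label are hypothetical, and the 403 for callers who can see the event but lack the capability is an assumption.

```javascript
// Added example. All names here are hypothetical, not HubIRL's API.
// Hub-role capabilities follow the capability matrix on this page.
// HUB_GOVERNANCE is a label for the "Hub branding/settings/roles" row.
const FULL = ["HUB_GOVERNANCE", "EDIT_EVENT", "MANAGE_TICKETS", "SCAN_TICKETS", "OVERRIDE_CONSENT"];
const ROLE_CAPS = new Map([
  ["OWNER", new Set(FULL)],
  ["ADMIN", new Set(FULL)],
  ["MANAGER", new Set(["EDIT_EVENT", "MANAGE_TICKETS", "SCAN_TICKETS"])], // no consent override
  ["MEMBER", new Set()],
]);

// Constructed sample data: one private hub with one event.
const EVENTS = new Map([["evt-1", { hubId: "hub-a", private: true }]]);

// One shared response for "missing" and "hidden" so the two cannot be told apart.
const NOT_FOUND = Object.freeze({ status: 404, body: "Not found" });

function authorize(user, eventId, capability) {
  const event = EVENTS.get(eventId);
  const role = event ? user.hubRoles[event.hubId] : undefined;
  const staff = event ? (user.eventStaff[eventId] || []) : [];

  // Visibility is decided before capability. A caller with no hub role and
  // no staff assignment on a private event takes the same branch as a
  // caller asking for an event id that does not exist.
  const visible = event && (!event.private || role !== undefined || staff.length > 0);
  if (!visible) return NOT_FOUND;

  // Hub role grants come from the matrix; event staff grants are explicit
  // per-event permissions such as SCAN_TICKETS or OVERRIDE_CONSENT.
  const caps = ROLE_CAPS.get(role) ?? new Set();
  const allowed = caps.has(capability) || staff.includes(capability);

  // Assumption: a caller who may know the event exists gets 403, not 404.
  return allowed ? { status: 200, body: "OK" } : { status: 403, body: "Forbidden" };
}

// Caller with no role on the private hub, asking about a real event.
console.log(authorize({ hubRoles: {}, eventStaff: {} }, "evt-1", "SCAN_TICKETS").status);
```
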
Permission Debug Checklist
- Confirm active hub context.
- Confirm your hub role in that hub.
- If event-scoped, confirm event staff permissions.
- Confirm whether route is governance-level or operations-level.
- Capture URL + role + exact error text if still blocked.