Access Control: Role-Based Permissions
Implement role-based access control so every team member has precisely the permissions they need to work with your OpenClaw agent, nothing more.
What You Will Get
By the end of this guide, your OpenClaw agent will have a role-based access control system that ensures every team member has the right level of access. Administrators can manage everything, operators can monitor and adjust, and viewers can only read. No one has more access than they need.
Access control is a fundamental security practice. Without it, any team member can modify the agent's system prompt, view sensitive conversations, or revoke API keys. RBAC limits these capabilities to authorized individuals, reducing the risk of accidental or intentional misuse.
You will define roles, assign permissions to each role, create user accounts, and audit access patterns. The result is a secure, well-organized team structure where everyone can do their job effectively without unnecessary risk.
Step-by-Step Setup
Follow these steps to implement role-based access control.
Plan Your Role Structure
Before creating roles, list all the actions users need to perform: viewing conversations, editing prompts, managing skills, accessing API keys, viewing analytics, and managing team members. Group these actions into logical roles like Admin, Editor, Operator, and Viewer.
Create Custom Roles
Open the Access Control panel in your RunTheAgent dashboard. Click Create Role and define each role with a name, description, and list of permissions. Start with the most restrictive role (Viewer) and add permissions incrementally for higher roles. This ensures no role has unnecessary access.
Assign Permissions to Roles
For each role, toggle the specific permissions it should have. Permissions include: view conversations, edit agent configuration, manage skills, manage API keys, view analytics, manage team members, and access security settings. Review each permission carefully and assign only what the role requires.
Invite Team Members
Go to the Team Members section and invite users by email. Assign each user to the appropriate role. The invitation email includes a link to set up their account. Until they accept, their invitation shows as pending in the team list.
Configure Role Inheritance
If your organization has a hierarchical structure, configure role inheritance so higher roles automatically include all permissions of lower roles. For example, an Admin inherits all Editor permissions, and an Editor inherits all Viewer permissions. This simplifies management as your team grows.
Test Access for Each Role
Log in as a user with each role and verify they can perform their expected actions and cannot access restricted features. Test edge cases like trying to revoke an API key as a Viewer or editing a prompt as an Operator. Every denied action should show a clear permission error.
Enable Access Auditing
Turn on access auditing to log every permission check, whether allowed or denied. Review the audit log monthly to verify that roles are correctly assigned and that no user is being blocked from actions they need. The audit log also helps detect unauthorized access attempts.
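The steps above (roles, permission sets, inheritance, per-role testing and auditing of every check) as a small stand-alone model, added here as an illustration; it is not RunTheAgent's or OpenClaw's own code or API. The permission names are the ones listed in the guide; the Operator role's scope (monitoring plus skill management, no prompt editing) and the user e-mail addresses are assumptions.

```python
from dataclasses import dataclass, field

# Permission names are those listed in the guide's "Assign Permissions to Roles" step.
PERMISSIONS = {"view_conversations", "edit_agent_configuration", "manage_skills", "manage_api_keys",
               "view_analytics", "manage_team_members", "access_security_settings"}

@dataclass
class Role:
    name: str
    direct: set                                   # permissions granted to this role itself
    inherits: list = field(default_factory=list)  # lower roles whose permissions are included

class AccessControl:
    def __init__(self):
        self.roles, self.users, self.audit_log = {}, {}, []

    def add_role(self, role):
        if role.direct - PERMISSIONS:             # reject typos before they become silent denials
            raise ValueError(f"unknown permissions in role {role.name!r}")
        self.roles[role.name] = role

    def effective_permissions(self, role_name, seen=frozenset()):
        # Walk the inheritance chain; a cycle is a misconfiguration, so refuse it outright.
        if role_name in seen:
            raise ValueError(f"inheritance cycle at role {role_name!r}")
        role = self.roles[role_name]
        perms = set(role.direct)
        for parent in role.inherits:
            perms |= self.effective_permissions(parent, seen | {role_name})
        return perms

    def check(self, user, permission):
        # Default deny (unknown user or permission fails); every decision is logged, allowed or not.
        role_name = self.users.get(user)
        allowed = (role_name is not None and permission in PERMISSIONS
                   and permission in self.effective_permissions(role_name))
        self.audit_log.append((user, role_name, permission, allowed))
        return allowed

def build_example():
    # Chain from the guide: Admin -> Editor -> Viewer. Operator's scope is an assumption.
    ac = AccessControl()
    ac.add_role(Role("Viewer", {"view_conversations", "view_analytics"}))
    ac.add_role(Role("Operator", {"manage_skills"}, ["Viewer"]))
    ac.add_role(Role("Editor", {"edit_agent_configuration", "manage_skills"}, ["Viewer"]))
    ac.add_role(Role("Admin", {"manage_api_keys", "manage_team_members", "access_security_settings"}, ["Editor"]))
    ac.users.update({"viewer@example.com": "Viewer", "operator@example.com": "Operator",
                     "admin@example.com": "Admin"})   # constructed sample accounts
    return ac
```

Running the guide's edge cases against this model (a Viewer revoking an API key, an Operator editing the prompt) yields denials that land in audit_log alongside the allowed checks.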
Tips and Best Practices
Follow the Principle of Least Privilege
Assign the minimum permissions each user needs. It is easier to grant additional access on request than to revoke access after an incident. Start restrictive and relax only when justified.
Review Roles Quarterly
Team structures change over time. Review role assignments every quarter to ensure they still match each person's actual responsibilities. Remove access for people who have changed roles or left the team.
Use Separate Accounts for Admin Tasks
If you are both a developer and an admin, consider using separate accounts for each role. This prevents accidental admin actions during daily development work and creates a clearer audit trail.
Document Your Role Definitions
Maintain a document that describes each role, its permissions, and who should be assigned to it. This reference helps during onboarding and role reviews. Store it alongside your other security documentation.