The six roles
TwistCue ships six built-in roles, seeded from packages/contracts/src/rbac.ts (the single source of truth for permissions). Roles are stored in the admin_roles table and can be extended by superadmins; the six below are marked is_system=true and cannot be deleted.
superadmin
Section titled “superadmin”Full access. Bypasses all permission checks (
permissions: ['*']).
Who it’s for: The 1–2 people who own the whole stack. Treat as break-glass: day-to-day work should use a scoped role.
- Everything.
- Only role that can create/edit/delete other admins and roles.
- Only role that can approve high-risk actions when no other appropriate approver exists.
content_manager
Section titled “content_manager”Owns catalog, publishing, curation, and push composition.
Permissions: catalog:read/write/delete, publishing:read/write, curation:read/write, users:read, push:read/write, analytics:read.
Can do:
- Create/edit/delete series, episodes, genres, tropes, cast
- Upload media (video, posters, captions), retry failed transcodes
- Schedule and publish episodes; bulk-schedule drops
- Build the For You feed, edit collections, order the preview-reel, schedule free-today
- Compose and send push campaigns
- View analytics (read-only)
Cannot do:
- Touch wallets, refunds, pricing, or promos
- Ban/suspend users
- Moderate comments (needs
moderator) - Create other admins
moderator
Section titled “moderator”Comment & report queues; user bans for behavior.
Permissions: catalog:read, curation:read, users:read/ban, moderation:read/write, analytics:read.
Can do:
- Work the comments queue (hide, delete, approve, add strikes)
- Work the reports queue (cascade actions: hide + strike + optional user suspend)
- Suspend, ban, or reactivate users for policy violations
- Read the User 360 for context
Cannot do:
- Anything money-adjacent (view purchases OK via
payments:read? No: moderator does not havepayments:read; ask a support/finance for a coin refund context). - Edit content or curation.
support
Section titled “support”Front-line support: user search, coin adjust (capped), refund requests.
Permissions: catalog:read, users:read/ban, wallet:read/adjust, payments:read, payments:refund_request, analytics:read.
Can do:
- Look up any user by email/phone/device/id, read the User 360
- Suspend/ban users (behavior or fraud)
- Grant coins up to 500 per user per day (server-side cap)
- Request refunds: routed to finance/superadmin for execution
- View transactions and purchase history
- Add support notes
Cannot do:
- Grant more than 500 coins/user/day (hard-capped in
admin-users.service) - Grant more than 2000 coins in a single action without approval (falls into the approvals queue automatically)
- Execute refunds (only
payments:refund_request, notpayments:refund) - Anything content, curation, pricing, or admin management
analyst
Section titled “analyst”Read-only analytics and reporting.
Permissions: catalog:read, curation:read, users:read, payments:read, analytics:read, audit:read.
Can do:
- View every dashboard: overview, revenue, funnel, content drop-off, retention, economy monitor
- Browse catalog, users, and transactions read-only for context
- Read the audit log
Cannot do:
- Anything write. Absolutely nothing mutates from an analyst account.
finance
Section titled “finance”Payments, refunds, pricing, packages, promos, reconciliation.
Permissions: users:read, wallet:read/adjust, payments:read/refund/refund_request, pricing:read/write, analytics:read, audit:read.
Can do:
- View transactions across all 5 rails, export CSV
- Execute refunds: both directly (≤$50) and as approver for the >$50 flow
- Edit default pricing, market/series/episode price overrides
- Create/edit coin packages (per-rail SKUs) and promos
- Upload reconciliation CSVs, view the economy monitor (minted/burned/liability)
- Adjust coins (no 500/day cap, that’s a support-only rail), but still hits the 2000-coin approval threshold
Cannot do:
- Publish content or moderate: finance is money-only.
The default role matrix at a glance
Section titled “The default role matrix at a glance”Full breakdown at Permissions matrix.
| Permission group | superadmin | content_manager | moderator | support | analyst | finance |
|---|---|---|---|---|---|---|
| Catalog CRUD | ✅ | ✅ | 👁 | 👁 | 👁 | – |
| Publishing | ✅ | ✅ | – | – | – | – |
| Curation | ✅ | ✅ | 👁 | – | 👁 | – |
| Users: view | ✅ | 👁 | ✅ | ✅ | 👁 | 👁 |
| Users: ban | ✅ | – | ✅ | ✅ | – | – |
| Wallet adjust | ✅ | – | – | ✅¹ | – | ✅ |
| Payments view | ✅ | – | – | ✅ | ✅ | ✅ |
| Payments refund | ✅ | – | – | req only | – | ✅ |
| Pricing / promos | ✅ | – | – | – | – | ✅ |
| Moderation | ✅ | – | ✅ | – | – | – |
| Push | ✅ | ✅ | – | – | – | – |
| Analytics | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Admins & roles | ✅ | – | – | – | – | – |
| Audit log | ✅ | – | – | – | 👁 | 👁 |
Legend: ✅ full · 👁 read-only · req only = request refund only · ¹ 500/user/day cap
Custom roles
Section titled “Custom roles”Superadmins can create additional roles from System → Roles → New. Custom roles pick any subset of the ~30 permissions. Two rules:
- Custom role names must be unique and cannot collide with the 6 built-in system role names.
- Deleting a role requires reassigning every admin currently on it (the UI walks you through this).