Skip to content

The six roles

TwistCue ships six built-in roles, seeded from packages/contracts/src/rbac.ts (the single source of truth for permissions). Roles are stored in the admin_roles table and can be extended by superadmins; the six below are marked is_system=true and cannot be deleted.

Full access. Bypasses all permission checks (permissions: ['*']).

Who it’s for: The 1–2 people who own the whole stack. Treat as break-glass: day-to-day work should use a scoped role.

  • Everything.
  • Only role that can create/edit/delete other admins and roles.
  • Only role that can approve high-risk actions when no other appropriate approver exists.

Owns catalog, publishing, curation, and push composition.

Permissions: catalog:read/write/delete, publishing:read/write, curation:read/write, users:read, push:read/write, analytics:read.

Can do:

  • Create/edit/delete series, episodes, genres, tropes, cast
  • Upload media (video, posters, captions), retry failed transcodes
  • Schedule and publish episodes; bulk-schedule drops
  • Build the For You feed, edit collections, order the preview-reel, schedule free-today
  • Compose and send push campaigns
  • View analytics (read-only)

Cannot do:

  • Touch wallets, refunds, pricing, or promos
  • Ban/suspend users
  • Moderate comments (needs moderator)
  • Create other admins

Comment & report queues; user bans for behavior.

Permissions: catalog:read, curation:read, users:read/ban, moderation:read/write, analytics:read.

Can do:

  • Work the comments queue (hide, delete, approve, add strikes)
  • Work the reports queue (cascade actions: hide + strike + optional user suspend)
  • Suspend, ban, or reactivate users for policy violations
  • Read the User 360 for context

Cannot do:

  • Anything money-adjacent (view purchases OK via payments:read? No: moderator does not have payments:read; ask a support/finance for a coin refund context).
  • Edit content or curation.

Front-line support: user search, coin adjust (capped), refund requests.

Permissions: catalog:read, users:read/ban, wallet:read/adjust, payments:read, payments:refund_request, analytics:read.

Can do:

  • Look up any user by email/phone/device/id, read the User 360
  • Suspend/ban users (behavior or fraud)
  • Grant coins up to 500 per user per day (server-side cap)
  • Request refunds: routed to finance/superadmin for execution
  • View transactions and purchase history
  • Add support notes

Cannot do:

  • Grant more than 500 coins/user/day (hard-capped in admin-users.service)
  • Grant more than 2000 coins in a single action without approval (falls into the approvals queue automatically)
  • Execute refunds (only payments:refund_request, not payments:refund)
  • Anything content, curation, pricing, or admin management

Read-only analytics and reporting.

Permissions: catalog:read, curation:read, users:read, payments:read, analytics:read, audit:read.

Can do:

  • View every dashboard: overview, revenue, funnel, content drop-off, retention, economy monitor
  • Browse catalog, users, and transactions read-only for context
  • Read the audit log

Cannot do:

  • Anything write. Absolutely nothing mutates from an analyst account.

Payments, refunds, pricing, packages, promos, reconciliation.

Permissions: users:read, wallet:read/adjust, payments:read/refund/refund_request, pricing:read/write, analytics:read, audit:read.

Can do:

  • View transactions across all 5 rails, export CSV
  • Execute refunds: both directly (≤$50) and as approver for the >$50 flow
  • Edit default pricing, market/series/episode price overrides
  • Create/edit coin packages (per-rail SKUs) and promos
  • Upload reconciliation CSVs, view the economy monitor (minted/burned/liability)
  • Adjust coins (no 500/day cap, that’s a support-only rail), but still hits the 2000-coin approval threshold

Cannot do:

  • Publish content or moderate: finance is money-only.

Full breakdown at Permissions matrix.

Permission groupsuperadmincontent_managermoderatorsupportanalystfinance
Catalog CRUD👁👁👁
Publishing
Curation👁👁
Users: view👁👁👁
Users: ban
Wallet adjust✅¹
Payments view
Payments refundreq only
Pricing / promos
Moderation
Push
Analytics
Admins & roles
Audit log👁👁

Legend: ✅ full · 👁 read-only · req only = request refund only · ¹ 500/user/day cap

Superadmins can create additional roles from System → Roles → New. Custom roles pick any subset of the ~30 permissions. Two rules:

  1. Custom role names must be unique and cannot collide with the 6 built-in system role names.
  2. Deleting a role requires reassigning every admin currently on it (the UI walks you through this).