Advanced permissions: backend infrastructure
Available on all plans
Cloud and self-hosted deployments
This document outlines the backend server infrastructure for permissions in Mattermost and is recommended only for technical Admins or developers looking to make modifications to their installation.
Note
The contents of this document apply from Mattermost Server v5.0.
Entity definitions
Permissions
A permission describes a permitted action which may be carried out on an object. It describes the action that users may perform in the context in which they have been assigned the role granting the permission.
Roles
A role is something to which permissions are granted, that is then assigned to users in contexts in order to grant them the assigned permissions in that context. One user may end up with different sets of permissions granted by different roles in different contexts.
Scope
Permissions live within a given scope. There are three scopes in the Mattermost system: System, Team and Channel. Permissions cascade down the scopes from the context in which they are applied. For example, if a “Channel” scoped permission is applied to a “Team” context, the permission applies to any channels within that team. A permission is considered:
System scope if it makes sense only on the system level. For example, manage_oauth.
Team scope if it makes sense at the team level and system level. For example, create_public_channel.
Channel scope if it makes sense at channel, team and system level. For example, manage_public_channel_properties.
Context
A context is an instance of a scope. For example, a channel called “Developers Hangout” is an instance of channel scope. Contexts have hierarchical relationships between them that reflect the hierarchical ordering of scopes. Each context has one parent, and may have multiple children, with the ultimate parent context being the system context:
A channel context has a parent team context, whose parent is the system context. For example, the “Developers Hangout” channel is the channel context, with parent team context “Contributors Team”, with parent system context.
A team context has a parent system context and child channel contexts. For example, the “Contributors Team” is the team context, with parent system context, and with children channel contexts such as “Developers Hangout”, “Reception” and “Marketing”.
When determining whether a user is allowed to carry out a given action in a given context, the union of the permissions of all roles that user has been assigned in the current context and its parent contexts is calculated. This enables permissions to cascade down the scope hierarchy. For example, if a user is granted the manage_public_channel_properties permission in a role in the system context, then the user has permission to manage public channel properties in all channels, in all teams, of which they are a member.
Schemes
Schemes describe the default roles applied to users in a context, and all child contexts. Schemes are either defined specifically for a context, or if they are not specified, the relevant parts of the parent context’s scheme are applied, ultimately climbing the hierarchy to the System Scheme, which serves the purpose of providing the system-wide defaults. For example, if Team A does not have a team-scoped scheme defined, the System Scheme will provide the defaults for all contexts in Team A.
Additionally, the lowest-scoped scheme always takes precedence in the context. For example, if Team B has a team-scoped scheme, that scheme takes precedence over the System Scheme defaults for all contexts in Team B.
Data structure
Permissions
Permissions in Mattermost are a property of the server code base and are not created or modified dynamically. The current set of permissions is described in the table below.
Mattermost permissions
Name (i18n) | Scope | Description
---|---|---
invite_user | team | Invite users to the team using Send Email Invite or Get Team Invite Link.
add_user_to_team | team | Add existing server users to the current team.
use_slash_commands | channel | Use slash commands.
manage_slash_commands | system | Create, edit, and delete your own slash commands.
manage_others_slash_commands | system | Edit or delete other users’ slash commands.
create_public_channel | team | Create public channels.
create_private_channel | team | Create private channels.
manage_public_channel_members | channel | Manage public channel members.
manage_private_channel_members | channel | Manage private channel members.
assign_system_admin_role | system | Grant other users the System Admin role.
manage_roles | system | Manage other users’ system-wide roles.
manage_team_roles | team | Add and remove team members.
manage_channel_roles | channel | Add and remove channel members.
manage_system | system | Access to System Console.
sysconsole_read_usermanagement_system_roles | system | View system roles.
sysconsole_write_usermanagement_system_roles | system | Add, remove, and assign system roles.
create_direct_channel | system | Open Direct Message channels.
create_group_channel | system | Open Group Message channels.
manage_public_channel_properties | channel | Edit public channel name, header, and purpose.
manage_private_channel_properties | channel | Edit private channel name, header, and purpose.
list_public_teams | system | View public teams listed in the “Join Another Team” menu accessed from the main menu.
join_public_teams | system | Join public teams listed in the “Join Another Team” menu accessed from the main menu.
list_private_teams | system | View private teams listed in the “Join Another Team” menu accessed from the main menu.
join_private_teams | system | Join private teams listed in the “Join Another Team” menu accessed from the main menu.
list_team_channels | team | List public channels in a team.
join_public_channels | team | Join public channels.
delete_public_channel | channel | Archive public channels.
delete_private_channel | channel | Archive private channels.
edit_other_users | system | Edit values on the user object of other users.
read_channel | channel | View posts in a channel.
read_public_channel | team | View and access public channels on a team.
add_reaction | channel | Add emoji reactions to posts.
remove_reaction | channel | Remove emoji reactions from posts.
remove_others_reactions | channel | Remove other users’ emoji reactions from posts.
permanent_delete_user (deprecated) | system | Permanently delete other users.
upload_file | channel | Upload file attachments to posts.
get_public_link | system | Get permalink for posts.
manage_incoming_webhooks | team | Create, edit, and delete your own incoming webhooks.
manage_outgoing_webhooks | team | Create, edit, and delete your own outgoing webhooks.
manage_others_webhooks (deprecated) | team | Edit and delete other users’ incoming or outgoing webhooks.
manage_others_incoming_webhooks | team | Edit and delete other users’ incoming webhooks.
manage_others_outgoing_webhooks | team | Edit and delete other users’ outgoing webhooks.
manage_oauth | system | Create, edit, and delete your own OAuth 2.0 apps.
manage_system_wide_oauth | system | Edit or delete other users’ OAuth 2.0 apps.
create_post | channel | Post in channels.
create_post_public | channel | Create a system message within a channel.
create_post_ephemeral | channel | Create an ephemeral message within a channel.
edit_post | channel | Authors edit their own posts. Edit post time limit is controlled by the
edit_others_posts | channel | Edit other users’ posts.
delete_post | channel | Authors delete their own posts.
delete_others_posts | channel | Delete other users’ posts.
remove_user_from_team | team | Remove users from team.
create_team | system | Create teams.
manage_team | team | Access Team Settings.
import_team | system | Import teams in Team Settings.
view_team | team | Read the Team object.
create_bot | team | Create bot accounts.
assign_bot | team | Assign bots to users other than who created the bot.
read_bot | team | View own bots created.
read_others_bots | team | View bots created by others.
manage_bots | team | Edit and delete own bots.
manage_others_bots | team | Edit and delete bots created by others.
view_members | team | List all members on the team.
list_users_without_team | system | List users without a team.
create_user_access_token | system | Create user access tokens.
read_user_access_token | system | Read user access tokens by ID.
revoke_user_access_token | system | Revoke user access tokens.
manage_jobs | system | Create and cancel jobs.
create_emojis | team | Create custom emoji.
delete_emojis | team | Delete own custom emoji.
delete_others_emojis | team | Delete custom emoji created by others.
invite_guest | system | Invite guest users via email invite or add existing guests to teams.
promote_guest | system | Promote guests to member users.
demote_to_guest | system | Demote member users to guests.
manage_remote_clusters | system | Add, remove, and view remote clusters for shared channels.
Roles field
Roles are applied to objects that represent a user’s membership in a context. These are referenced in the Roles field of the User, TeamMember, ChannelMember and Schemes tables.
In the TeamMember and ChannelMember tables, the Roles field contains custom roles, and the SchemeAdmin and SchemeUser booleans indicate that the member object should inherit the respective roles from the relevant scheme, either the default or custom scheme assigned to the relevant team.
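A runnable model of the resolution rules described under Context and Schemes above, combined with the SchemeUser/SchemeAdmin inheritance just described. This is an added example, not Mattermost’s own code: the team, channel and membership data are constructed, the role permission sets are trimmed to a few names from the permissions table, and corporate_channel_user is a made-up scheme-managed role attached to the page’s example corporate_scheme.

```python
from collections import namedtuple

# Roles table rows (Name -> space-separated Permissions). Role and permission
# names are from this page; the permission sets are trimmed samples.
ROLES = {
    "system_user": "list_public_teams join_public_teams create_team",
    "team_user": "invite_user create_public_channel view_team",
    "team_admin": "manage_team manage_team_roles",
    "channel_user": "read_channel create_post manage_public_channel_properties",
    "channel_admin": "manage_channel_roles manage_public_channel_members",
    "corporate_channel_user": "read_channel",  # constructed scheme-managed role
}
# Schemes table row (guest roles omitted) and the built-in System Scheme defaults.
Scheme = namedtuple("Scheme", "team_user team_admin channel_user channel_admin")
SYSTEM_SCHEME = Scheme("team_user", "team_admin", "channel_user", "channel_admin")
SCHEMES = {"corporate_scheme": SYSTEM_SCHEME._replace(channel_user="corporate_channel_user")}
TEAMS = {"team_a": None, "team_b": "corporate_scheme"}  # team -> its team scheme, if any
CHANNELS = {"dev_hangout": ("team_a", None), "reception": ("team_b", None)}  # -> (team, channel scheme)
# TeamMember / ChannelMember row: SchemeUser, SchemeAdmin, explicit custom Roles.
Member = namedtuple("Member", "scheme_user scheme_admin roles", defaults=(True, False, ""))
USERS = {"alice": {  # constructed sample data; "system" stands for User.Roles
    "system": "system_user",
    "teams": {"team_a": Member(scheme_admin=True), "team_b": Member()},
    "channels": {"dev_hangout": Member(), "reception": Member(scheme_admin=True)}}}

def scheme_for(team, channel=None):
    # Lowest-scoped scheme wins: channel scheme, then team scheme, then System Scheme.
    name = (CHANNELS[channel][1] if channel else None) or TEAMS.get(team)
    return SCHEMES[name] if name else SYSTEM_SCHEME

def member_roles(member, user_role, admin_role):
    # Explicit Roles plus the scheme roles switched on by SchemeUser / SchemeAdmin.
    scheme_roles = [r for flag, r in ((member.scheme_user, user_role),
                                      (member.scheme_admin, admin_role)) if flag]
    return member.roles.split() + scheme_roles

def roles_in_context(user, team=None, channel=None):
    # Roles from the requested context and every parent up to the system context.
    u = USERS[user]
    team = CHANNELS[channel][0] if channel else team
    roles = u["system"].split()
    if team in u["teams"]:
        s = scheme_for(team)
        roles += member_roles(u["teams"][team], s.team_user, s.team_admin)
    if channel in u["channels"]:
        s = scheme_for(team, channel)
        roles += member_roles(u["channels"][channel], s.channel_user, s.channel_admin)
    return roles

def has_permission(user, permission, team=None, channel=None):
    # The union of all those roles' permissions decides the check.
    granted = {p for r in roles_in_context(user, team, channel) for p in ROLES.get(r, "").split()}
    return permission in granted
```

Note how the same user can post in dev_hangout (System Scheme channel_user) but not in reception, where Team B’s scheme swaps in the read-only channel role, while her SchemeAdmin flag there still grants channel_admin permissions.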
Roles table
Roles are dynamic and user configurable, necessitating a database table with the following fields:
Id (Autoincrement, Primary Key)
Name (Unique String with Character Constraints, e.g. “team_user”)
Display Name (String)
Description (String)
Permissions (String): Space-separated permission names
Scheme Managed (bool): Indicates whether this role is managed as part of a scheme.
BuiltIn (bool): Indicates if this role is built-in to the Mattermost system and not removable by the user.
Built-in roles
The System Scheme is built-in to the product, and its roles are defined as BuiltIn: true in the Roles table. You can use the Mattermost API to retrieve a list of permissions by role name.
The following built-in roles and associated permissions are available:
channel_admin
manage_private_channel_members
read_public_channel_groups
use_channel_mentions
create_post
use_group_mentions
add_reaction
read_private_channel_groups
remove_reaction
manage_public_channel_members
manage_channel_roles
channel_guest
use_slash_commands
read_channel
add_reaction
remove_reaction
upload_file
edit_post
create_post
use_channel_mentions
channel_user
manage_public_channel_properties
use_group_mentions
add_reaction
delete_private_channel
manage_private_channel_members
read_private_channel_groups
delete_public_channel
read_public_channel_groups
use_channel_mentions
read_channel
delete_post
get_public_link
remove_reaction
manage_public_channel_members
use_slash_commands
upload_file
manage_private_channel_properties
create_post
edit_post
system_admin
manage_others_slash_commands
sysconsole_write_user_management_permissions
edit_brand
remove_reaction
manage_incoming_webhooks
sysconsole_write_user_management_groups
create_public_channel
manage_private_channel_members
sysconsole_write_authentication
join_private_teams
create_post_ephemeral
list_users_without_team
sysconsole_write_reporting
join_public_channels
invite_guest
list_private_teams
sysconsole_write_user_management_channels
manage_others_bots
read_user_access_token
add_user_to_team
view_members
edit_post
demote_to_guest
delete_others_posts
sysconsole_write_plugins
delete_private_channel
sysconsole_read_user_management_system_roles
sysconsole_read_user_management_users
revoke_user_access_token
read_others_bots
read_public_channel_groups
sysconsole_write_user_management_teams
sysconsole_write_billing
convert_public_channel_to_private
remove_user_from_team
manage_team
add_reaction
manage_oauth
list_team_channels
create_team
read_jobs
invite_user
manage_shared_channels
remove_others_reactions
manage_remote_clusters
sysconsole_write_user_management_users
sysconsole_read_experimental
sysconsole_write_compliance
edit_others_posts
assign_bot
manage_bots
manage_others_outgoing_webhooks
manage_system_wide_oauth
delete_others_emojis
manage_others_incoming_webhooks
promote_guest
sysconsole_write_experimental
sysconsole_read_plugins
create_group_channel
sysconsole_read_environment
manage_roles
use_channel_mentions
manage_public_channel_properties
manage_channel_roles
get_public_link
sysconsole_read_billing
sysconsole_write_integrations
download_compliance_export_result
manage_slash_commands
assign_system_admin_role
create_post
delete_post
create_direct_channel
list_public_teams
create_post_public
read_private_channel_groups
sysconsole_read_integrations
read_other_users_teams
manage_jobs
sysconsole_read_site
manage_outgoing_webhooks
sysconsole_write_environment
manage_system
sysconsole_read_user_management_permissions
manage_public_channel_members
sysconsole_write_about
import_team
sysconsole_write_user_management_system_roles
sysconsole_read_reporting
upload_file
read_channel
sysconsole_read_user_management_teams
delete_emojis
manage_private_channel_properties
view_team
sysconsole_read_user_management_groups
create_private_channel
create_bot
join_public_teams
delete_public_channel
read_public_channel
sysconsole_read_about
use_slash_commands
read_bots
sysconsole_read_authentication
edit_other_users
sysconsole_read_user_management_channels
convert_private_channel_to_public
use_group_mentions
create_user_access_token
sysconsole_write_site
manage_team_roles
sysconsole_read_compliance
create_emojis
system_custom_group_admin
create
edit
delete
manage members
restore
system_guest
create_group_channel
create_direct_channel
system_manager
sysconsole_write_user_management_permissions
sysconsole_read_about
sysconsole_read_user_management_channels
join_private_teams
delete_private_channel
view_team
read_jobs
sysconsole_read_user_management_teams
sysconsole_read_plugins
manage_channel_roles
manage_public_channel_members
remove_user_from_team
sysconsole_read_environment
list_private_teams
manage_private_channel_members
manage_private_channel_properties
edit_brand
add_user_to_team
convert_public_channel_to_private
read_private_channel_groups
sysconsole_write_environment
manage_jobs
sysconsole_read_reporting
read_public_channel
manage_team
read_channel
convert_private_channel_to_public
sysconsole_read_integration
read_public_channel_groups
list_public_teams
manage_team_roles
sysconsole_read_user_management_groups
manage_public_channel_properties
sysconsole_write_user_management_groups
sysconsole_read_user_management_permissions
sysconsole_write_site
sysconsole_read_site
sysconsole_write_user_management_channels
sysconsole_write_integrations
delete_public_channel
sysconsole_write_user_management_teams
join_public_teams
system_post_all
create_post
use_channel_mentions
use_group_mentions
system_post_all_public
create_post_public
use_group_mentions
use_channel_mentions
system_read_only_admin
sysconsole_read_compliance
read_other_users_teams
sysconsole_read_reporting
list_private_teams
sysconsole_read_experimental
read_jobs
read_public_channel
view_team
sysconsole_read_user_management_users
sysconsole_read_plugins
sysconsole_read_user_management_teams
read_public_channel_groups
sysconsole_read_user_management_channels
sysconsole_read_user_management_permissions
sysconsole_read_about
download_compliance_export_result
read_channel
sysconsole_read_authentication
sysconsole_read_site
list_public_teams
sysconsole_read_integrations
read_private_channel_groups
sysconsole_read_environment
sysconsole_read_user_management_groups
system_user
list_public_teams
join_public_teams
create_direct_channel
create_group_channel
view_members
create_team
create_emojis
delete_emojis
system_user_access_token
create_user_access_token
read_user_access_token
revoke_user_access_token
system_user_manager
manage_public_channel_members
sysconsole_write_user_management_groups
manage_private_channel_properties
read_channel
sysconsole_read_authentication
manage_private_channel_members
read_jobs
view_team
sysconsole_read_user_management_groups
list_private_teams
join_public_teams
manage_team
list_public_teams
add_user_to_team
sysconsole_read_user_management_channels
sysconsole_write_user_management_teams
read_public_channel
sysconsole_read_user_management_permissions
manage_public_channel_properties
join_private_teams
convert_public_channel_to_private
manage_channel_roles
sysconsole_read_user_management_teams
convert_private_channel_to_public
read_public_channel_groups
delete_public_channel
remove_user_from_team
manage_team_roles
delete_private_channel
sysconsole_write_user_management_channels
read_private_channel_groups
team_admin
remove_user_from_team
manage_others_slash_commands
manage_team_roles
manage_public_channel_members
use_group_mentions
manage_others_outgoing_webhooks
manage_slash_commands
manage_team
manage_others_incoming_webhooks
manage_channel_roles
read_public_channel_groups
convert_private_channel_to_public
remove_reaction
delete_post
manage_outgoing_webhooks
use_channel_mentions
manage_incoming_webhooks
delete_others_posts
read_private_channel_groups
create_post
manage_private_channel_members
convert_public_channel_to_private
add_reaction
import_team
team_guest
view_team
team_post_all
create_post
use_group_mentions
use_channel_mentions
team_post_all_public
use_group_mentions
create_post_public
use_channel_mentions
team_user
invite_user
add_user_to_team
list_team_channels
join_public_channels
read_public_channel
view_team
create_public_channel
create_private_channel
Schemes table
Schemes are dynamic and user configurable, necessitating a database table with the following fields:
Id (Autoincrement, Primary Key)
Name (Unique String with Character Constraints, e.g. “corporate_scheme”)
Display Name
Description (String)
Scope (String): Team or Channel
Team Admin Role (String): Empty if Channel Scope
Team User Role (String): Empty if Channel Scope
Team Guest Role (String): Empty if Channel Scope
Channel Admin Role (String): Always provided
Channel User Role (String): Always provided
Channel Guest Role (String): Always provided