InfiniTea Docs

Role Web Access

Control who can access what in your server's configuration. Access rules are assigned to Discord roles and can be scoped broadly to an entire panel or narrowly to a specific item inside a panel.

How role web access works

  • Role-scoped: You assign access rules to a Discord role (e.g., @Moderator).
  • Panel-level access: Grants Create, Read, Save, and Update for the entire panel.
  • Granular (item-level) access: Restricts access to a specific item inside a panel (e.g., a single Onboarding Flow). Create/Save/Update for other items are disabled.

Examples

  • Panel-level: Give @Moderator access to the Onboarding Flows panel so they can create, edit, and save any flow.
  • Granular: Give @Helper access to only the "Welcome Flow" inside Onboarding Flows. They can view that flow; other create/save/update actions are disabled.

Important risk: misconfiguration can grant admin

Be extremely careful when granting either panel-level or granular access. A poorly configured access rule can allow privilege escalation. Example:

  • A staff member with granular access to one Onboarding Flow changes its reward role to Administrator, saves, then completes and approves that flow for themselves in Discord.
  • Result: they grant themselves Administrator, gaining access to the entire dashboard.

To prevent this, never allow non-admin roles to edit rewards that can grant powerful roles (e.g., Administrator).
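One way to detect the escalation path described above, as an added example that is not InfiniTea's code: it scans a change log for reward-role updates made by users who do not already hold the powerful permissions being granted, then flags a self-approved completion of the same flow. The event format, role names and user names are constructed assumptions; only the permission bit values are Discord's.

```python
# Discord permission bit flags (values from Discord's permission documentation).
ADMINISTRATOR, MANAGE_GUILD, MANAGE_ROLES = 1 << 3, 1 << 5, 1 << 28
POWERFUL = ADMINISTRATOR | MANAGE_GUILD | MANAGE_ROLES

# Constructed sample data. Role names, fields and event types are assumptions
# for illustration, not InfiniTea's schema or log format.
ROLE_PERMS = {"Admin": ADMINISTRATOR, "Helper": 0, "Member": 0}
USER_ROLES = {"alice": ["Admin"], "bob": ["Helper"], "carol": ["Member"]}
EVENTS = [
    {"type": "reward_update", "user": "alice", "flow": "Verify Flow", "new_reward": "Member"},
    {"type": "reward_update", "user": "bob", "flow": "Welcome Flow", "new_reward": "Admin"},
    {"type": "flow_approved", "flow": "Verify Flow", "applicant": "carol", "approver": "alice"},
    {"type": "flow_approved", "flow": "Welcome Flow", "applicant": "bob", "approver": "bob"},
]

def perms_of(user, user_roles=USER_ROLES, role_perms=ROLE_PERMS):
    """Union of a user's role permissions; Administrator implies every bit."""
    bits = 0
    for role in user_roles.get(user, []):
        bits |= role_perms.get(role, 0)
    return ~0 if bits & ADMINISTRATOR else bits

def audit(events):
    """Return (severity, user, flow, reason) findings for risky reward activity."""
    findings, risky = [], {}  # risky: flow -> user who set an escalating reward
    for ev in events:
        if ev["type"] == "reward_update":
            gained = ROLE_PERMS.get(ev["new_reward"], 0) & POWERFUL
            if gained & ~perms_of(ev["user"]):
                risky[ev["flow"]] = ev["user"]
                findings.append(("high", ev["user"], ev["flow"],
                                 "non-admin set reward role " + ev["new_reward"]))
            else:
                risky.pop(ev["flow"], None)  # reward replaced by a non-escalating one
        elif ev["type"] == "flow_approved":
            editor = risky.get(ev["flow"])
            if editor and editor == ev["applicant"] == ev["approver"]:
                findings.append(("critical", editor, ev["flow"],
                                 "self-approved flow with escalated reward"))
    return findings
```

The "high" finding is the point at which a second-person review of the reward change would stop the chain; the "critical" finding means the role has likely already been granted.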

Best practices

  • Principle of least privilege: grant only what's needed.
  • Separate duties: keep Administrator role rewards and access changes limited to trusted admins.
  • Review changes: require a second person to review role-reward updates.
  • Avoid admin rewards in onboarding flows: prefer intermediate roles with limited scope.
  • Test with a non-staff account to confirm the effective access.

Liability notice

You are responsible for your access rule setup. Misconfiguration can lead to unauthorized access, data changes, or role escalation. InfiniTea is not liable for any damage caused by your configuration choices.