Roles in Rocket.Chat


Roles and permissions control what users can do in your workspace. Rocket.Chat uses a role-based system where each role represents a defined set of permissions, and administrators assign roles to users to grant the appropriate level of access.

  • Role: A named set of permissions assigned to a user or group of users. Roles determine which features and controls a user can access. By default, roles appear as tags next to usernames on messages. To turn this on or off workspace-wide, go to Accounts > Default User Preferences > Hide Roles. Individual users can override this for their own account from Accessibility & appearance settings.

  • Permission: A specific feature or setting that can be granted to a role. Different roles have different default permissions, which you can review and modify on the Permissions screen.

To view roles and permissions in your workspace, go to Manage → Workspace → Permissions. The screen shows a table where:

  • Each row is a permission (the Name column lists permission names).

  • Each column is a role.

  • Each checkbox indicates whether the role in that column has the permission in that row.

Select or clear checkboxes to grant or revoke permissions for a role.


Scope of Rocket.Chat roles

Roles in Rocket.Chat have either a Global or Room scope.

Global scope

Global roles apply across the entire workspace, for example, admin. They can hold permissions that operate at the server level rather than within a specific room. For example, Create a Team is a global permission that lets a user create teams from anywhere in the workspace.

Room scope

Room-scope roles apply within individual rooms, for example, Moderator. They are useful for managing room-specific activities. For example, you can grant the Edit Room permission to the Moderator role; a user must then be set as a moderator in a specific room before they can edit that room's information. See the Room Roles guide for details.

You can globally assign some room-scope roles to a user when creating or editing the user, but the role only takes effect once the user is also assigned that role within a specific room.
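The scope rules above, worked through as an added example (a simplified model written for this page, not Rocket.Chat's own code). The user records, the permission matrix and the helper names `has_permission` and `dormant_room_roles` are assumptions constructed for the illustration:

```python
# Added illustration: a simplified model of the Global/Room scope rules.
# All users, role assignments and matrix entries are constructed sample data.

ROLE_SCOPE = {"admin": "Global", "user": "Global", "Moderator": "Room", "Owner": "Room"}

# Permission matrix as on the Permissions screen: permission -> roles with the box checked.
MATRIX = {
    "Create a Team": {"admin", "user"},
    "Edit Room": {"admin", "Owner", "Moderator"},
}

def has_permission(user, permission, room=None):
    """Return True if a role the user effectively holds grants the permission."""
    granted_to = MATRIX.get(permission, set())
    for role in user["roles"]:
        # Roles set on the user record count only when the role is Global in scope.
        if ROLE_SCOPE.get(role) == "Global" and role in granted_to:
            return True
    if room is not None:
        for role in user["room_roles"].get(room, set()):
            # Roles held inside a room count only for that room.
            if ROLE_SCOPE.get(role) == "Room" and role in granted_to:
                return True
    return False

def dormant_room_roles(user):
    """Room-scope roles set on the user record but not held in any room."""
    active = set().union(*user["room_roles"].values())
    return {r for r in user["roles"] if ROLE_SCOPE.get(r) == "Room"} - active

# alice was given Moderator when her account was edited, but in no room.
alice = {"roles": {"user", "Moderator"}, "room_roles": {}}
# bob was set as a moderator inside the room "random" only.
bob = {"roles": {"user"}, "room_roles": {"random": {"Moderator"}}}

if __name__ == "__main__":
    for name, u in (("alice", alice), ("bob", bob)):
        print(name, "can edit random:", has_permission(u, "Edit Room", "random"),
              "| dormant room roles:", sorted(dormant_room_roles(u)))
```

When reviewing access, a room-scope role on a user record with no matching room assignment is worth noting: it grants nothing yet, but takes effect as soon as the user is given that role in a room.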


Categories of Rocket.Chat roles

Rocket.Chat provides three built-in categories of roles:

  • Administrator role

  • Workspace user roles

  • Omnichannel roles

Let’s look at the roles for each category.

Administrator role

A Rocket.Chat administrator has the admin role with Global scope, granting full access to the entire workspace. Admins can manage both workspace administration and omnichannel settings. The first user who registers and logs into a new workspace is automatically assigned the admin role.

Workspace user roles

Users can have one or more of the following roles, which together determine what actions they can perform.

| Role | Scope | Description |
|---|---|---|
| user | Global | This is the most common role in Rocket.Chat. It serves as a standard role for all workspace members. Users can join rooms, send messages, upload files, and participate in all forms of communication. By default, this role is assigned to new users who join the workspace. |
| bot | Global | Automated users that can be programmed to perform specific tasks, such as sending messages, answering questions, and triggering notifications. This role has some permissions related to bot functionality. |
| guest | Global | Guest users have limited access to your Rocket.Chat workspace. They can only participate in rooms they are a member of. The permissions for this role are not editable. |
| anonymous | Global | Unauthenticated visitors on your Rocket.Chat workspace who do not need to register for the workspace and can access certain public rooms. Anonymous users do not have a specified username. Enable or disable anonymous read and write from the Accounts settings. |
| app | Global | Automated users that are used by Rocket.Chat apps from the Rocket.Chat Marketplace. Depending on the app you install, the app bot can send you instructions on how to configure the app. The app user can also be automatically available on the Users page. |
| Moderator | Room | Moderators can manage messages, delete messages, and ban users from a specific channel. See the Moderation document for details on how to use this feature. |
| Leader | Room | You can assign your preferred set of permissions to the room leader for managing the room. |
| Owner | Room | Users who create a room become its owners. The room owner can manage the channel, including controlling access to joining the channel, editing channel settings, and managing messages within the channel. Room owners can set other room members as owners, leaders, and moderators. |
| auditor | Global | It allows a user to view and audit all messages within the workspace. Users with only the auditor role cannot send messages. |
| auditor-log | Global | The auditor-log role allows a user to see logs about all audited messages with timestamps and by whom. Users with only the auditor-log role cannot send messages. |
| External Federated User | Global | A dedicated role assigned to remote users connecting to your workspace through Federation. Previously, remote federated users were granted the user role, which coupled different user personas under the same set of permissions. The dedicated role separates federated users from local users so permissions can be tuned independently for each persona. |

Omnichannel roles

Omnichannel roles let users interact with or manage Omnichannel features.

| Role | Scope | Description |
|---|---|---|
| Livechat Agent | Global | Handles inquiries and support requests through Omnichannel. |
| Livechat Manager | Global | Manages agents and all other Omnichannel features. |
| livechat-monitor | Global | Views and monitors Livechat interactions and analytics. |

The administrator role, user roles, and Omnichannel roles are available by default in every Rocket.Chat workspace. To create roles tailored to your needs, see the Custom Roles guide (available on the Enterprise plan).


Edit roles

To edit a role:

  1. Go to Manage → Workspace → Permissions.

  2. Click the pencil icon next to the role name in the column header. The Role Editing panel opens.

  3. Update the available fields, then click Save.

The following fields are shown in the Role Editing panel:

| Field | Editable for default roles | Editable for custom roles | Description |
|---|---|---|---|
| Role | No | No | The role's internal identifier (for example, admin). To change a role's name, use the update role endpoint. |
| Description | Yes | Yes | The label shown to users (for example, Admin). Leave this field blank if you do not want the role to be displayed. |
| Scope | No | Yes | Determines whether the role applies workspace-wide (Global) or only inside specific rooms (Rooms). Editable only for custom roles. |
| Users must use Two Factor Authentication | Yes | Yes | When enabled, users with this role must use 2FA for certain workspace actions, such as logging in or changing settings. Make sure 2FA is configured in your workspace. |

Custom roles can also be deleted from this panel. Default roles cannot be deleted.
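A review check built on the role fields and the permission matrix, added here as an example and not taken from Rocket.Chat: it lists roles that hold a sensitive permission without the 2FA requirement, and sensitive permissions granted to low-trust roles. The role records, the permission name "Manage Permissions", the choice of sensitive permissions and the low-trust role list are all assumptions to replace with your workspace's own values:

```python
# Added illustration, not Rocket.Chat code. Role records and matrix are constructed
# sample data; SENSITIVE and LOW_TRUST are assumptions to adapt to your workspace.

ROLES = {
    "admin":            {"scope": "Global", "require_2fa": True},
    "Livechat Manager": {"scope": "Global", "require_2fa": False},
    "guest":            {"scope": "Global", "require_2fa": False},
    "Moderator":        {"scope": "Room",   "require_2fa": False},
}

# Permission -> roles whose checkbox is selected on the Permissions screen.
MATRIX = {
    "Create a Team":      {"admin"},
    "Edit Room":          {"admin", "Moderator"},
    "Manage Permissions": {"admin", "Livechat Manager", "guest"},  # hypothetical name
}

SENSITIVE = {"Edit Room", "Manage Permissions"}
LOW_TRUST = {"guest", "anonymous", "bot", "app"}

NO_2FA = "sensitive permission held without the 2FA requirement"
LOW = "low-trust role holds a sensitive permission"
UNDEFINED = "role appears in the matrix but has no role record"

def audit(roles, matrix, sensitive, low_trust):
    """Return (role, permission, reason) findings in a stable, sorted order."""
    findings = []
    for perm in sorted(sensitive):
        for role in sorted(matrix.get(perm, ())):
            if role not in roles:
                findings.append((role, perm, UNDEFINED))
            elif role in low_trust:
                # Reported regardless of the 2FA flag: the grant itself is the issue.
                findings.append((role, perm, LOW))
            elif not roles[role]["require_2fa"]:
                findings.append((role, perm, NO_2FA))
    return findings

if __name__ == "__main__":
    for role, perm, reason in audit(ROLES, MATRIX, SENSITIVE, LOW_TRUST):
        print(f"{role!r} / {perm!r}: {reason}")
```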


View and assign users to roles

To see which users are assigned to a role, click Users in role at the bottom of the Role Editing panel. From this view you can also add users to the role or remove them.

The following screenshot shows an example of the user role:

For room-scope roles, you must first select a room. The list then shows users who hold that role in the selected room. The user must already be a member of the room before you can assign them a room-scope role.

The following screenshot shows the Moderator role in a room called random:

In this example, search for a user and click Add to give them the Moderator role in the random room. The user must belong to the selected room before you can assign a role to them.