Roles in Rocket.Chat

Roles and permissions are integral to managing access in any digital workspace. Rocket.Chat's comprehensive role-based system allows administrators to assign roles, each with a specific set of permissions, to control user actions and access levels within the workspace.

Role: A role refers to a set of permissions and privileges assigned to a user or a group of users within the workspace. The roles determine the controls and features a user can access or handle in a workspace. By default, roles are displayed as tags beside usernames on messages. (You enable or disable the option to display roles from: Accounts > Default User Preferences > Hide Roles. This affects the entire workspace. On their own accounts, users can set their personal preferences using the Accessibility & appearance settings.)
Permissions: A permission in Rocket.Chat is a specific feature or a setting. By default, different roles have access to different permissions, which you can review and modify.

To view roles and permissions in your workspace, go to Administration > Workspace > Permissions. The Name row displays the roles. The permissions for each role are displayed in the table. You can select and deselect permissions for the roles as you need.

This topic guides you through the categories of roles available in Rocket.Chat and the scope within which the roles can be applied to users.

Scope of Rocket.Chat roles

Some roles in Rocket.Chat are categorized into global and room scopes.

Global scope

Global roles are designed to provide users with permissions that apply to the entire workspace; for example — admin. They can be assigned permissions relevant at the server level and not specific to individual rooms or channels. For example, Create a Team is a permission that is applicable server-wide, enabling users to create teams regardless of the room or channel they are currently in.

Room scope

Room scope roles are designed to provide users with specific permissions within individual rooms, for example - Moderator. Room scope permissions are helpful when managing room-specific activities and interactions. For example, you can assign the Edit Room permission to a Moderator role. A user must be set as a moderator in a room before they can edit that room's information. See Room Roles for details.

While you can globally assign some room roles to a user when creating or editing the user, it takes effect once the role is assigned to that user in a specific room.

Let’s go over the roles available in Rocket.Chat.

Categories of Rocket.Chat roles

The following categories of roles are available in Rocket.Chat:

Administrator role
Workspace user roles
Omnichannel roles
Marketplace roles

Let’s look at the roles for each category.

Rocket.Chat administrator role

A Rocket.Chat administrator has the admin role with the Global scope, which gives full access to the entire Rocket.Chat workspace. Users with this role can manage both workspace administration and omnichannel settings. By default, the first user who registers and logs into the workspace has the admin role.

Rocket.Chat user roles

Rocket.Chat users can have one or more roles, allowing them to perform the various actions granted by the role's permissions.

Role	Scope	Description
`user`	Global	This is the most common role in Rocket.Chat. It serves as a standard role for all workspace members. Users can join rooms, send messages, upload files, and participate in all forms of communication. By default, this role is assigned to new users who join the workspace.
`bot`	Global	Automated users that can be programmed to perform specific tasks, such as sending messages, answering questions, and triggering notifications. This role has some permissions related to bot functionality.
`guest`	Global	Guest users have limited access to your Rocket.Chat workspace. They can only participate in rooms they are a member of. The permissions for this role are not editable.
`anonymous`	Global	Unauthenticated visitors on your Rocket.Chat workspace who do not need to register for the workspace and can access certain public rooms. Anonymous users do not have a specified username. Enable or disable anonymous read and write from the Accounts settings.
`app`	Global	Automated users that are used by Rocket.Chat apps from the Rocket.Chat Marketplace. Depending on the app you install, the app bot can send you instructions on how to configure the app. The app user can also be automatically available on the Users page.
`Owner`	Room	Users who create a room become its owners. The room owner can manage the channel, including controlling access to joining the channel, editing channel settings, and managing messages within the channel. Room owners can set other room members as owners, leaders, and moderators.
`Leader`	Room	You can assign your preferred set of permissions to the room leader for managing the room.
`Moderator`	Room	Moderators can manage messages, delete messages, and ban users from a specific channel. See the Moderation document for details on how to use this feature.
`auditor`	Global	It allows a user to view and audit all messages within the workspace. Users with only the `auditor` role cannot send messages.
`auditor-log`	Global	The `auditor-log` role allows a user to see logs about all audited messages with timestamps and by whom. Users with only the `auditor-log` role cannot send messages.

Rocket.Chat Omnichannel roles

Omnichannel roles allow users to interact with or manage various Omnichannel features.

Role	Scope	Description
`Livechat Agent`	Global	Livechat agents handle inquiries and support requests through Omnichannel.
`Livechat Manager`	Global	Livechat managers can manage agents and all other Omnichannel features.
`livechat-monitor`	Global	Users with the `livechat-monitor` role can view and monitor livechat interactions and analytics.

The administrator role, user roles, and the Omnichannel roles are available in Rocket.Chat workspace by default. To create and manage custom roles with specified permissions tailored to your needs, see custom roles (available on the Enterprise plan).

Rocket.Chat Marketplace roles

Internally, there are two roles for Rocket.Chat marketplace. The first is within the publisher, and the second is within the workspace. Henceforth, they're known as publisher roles and system roles.

Publisher roles

There are three different roles within a publisher, which include the following:

Owner
Developer
Viewer

The Owner role is applied whenever someone creates a publisher. Each of the subsequent roles only applies to people they have invited.

Role	Description
`Publisher: Owner`	The `owner` has the permission to manage everything on the publisher dashboard. It includes managing both apps and other users. To change the role of another user: Click Change Role from the Actions dropdown across the user in question. Select the desired role to change.
`Publisher: Developer`	A user with the `developer` role can read everything and update apps.
`Publisher: Viewer`	The `viewer` role can read everything but can't update anything.

Role

Description

Publisher: Owner

The owner has the permission to manage everything on the publisher dashboard. It includes managing both apps and other users.

To change the role of another user:

Click Change Role from the Actions dropdown across the user in question.
Select the desired role to change.

Publisher: Developer

A user with the developer role can read everything and update apps.

Publisher: Viewer

The viewer role can read everything but can't update anything.

Edit roles

You can edit roles only in the Enterprise plan.

Go to Administration > Workspace > Permissions.

Click the role from the Name row.
Update the Description of the role as required. This is displayed as the role name. If you are editing a custom role, note the following points:
- You cannot edit the custom role name from the workspace. To edit the role name, use the update role endpoint.
- You can update the Scope of custom roles only, not the default roles. Select Rooms or Global as the custom role scope.
- You can delete custom roles only, not the default roles.
Enable the Users must use Two Factor Authentication setting if you want to force the users in this role (custom and default roles) to use 2FA for certain workspace actions, such as logging in or changing certain settings. Make sure that 2FA has been configured in your workspace.
Click Save.

View and assign users to roles

On the Role Editing pane, click Users in Role to see the users who have been assigned to that particular role. You can add more users to the role and delete users from here.

The following screenshot shows an example of the user role:

You need to select a room for the roles with the Room scope. The users with that role in the room are displayed. The following screenshot shows an example of the Moderator role in a room called random:

In this example, search for the user and click Add to give other users the Moderator role in the random room. The user must belong to the selected room before you can assign a role to them.

For information on creating custom roles, see custom roles.
For information on permissions and settings, see permissions.
You can also manage roles and permissions via REST API endpoints. Refer to the Roles API and Permissions API for details.

By offering a variety of predefined roles and the ability to create custom roles, Rocket.Chat ensures that workspace administrators can effectively control and limit user actions.