Roles & Permissions
Complete reference of the four roles and what each role can access — covering admin pages, API endpoints, and data operations.
Role Overview
BABEH has four built-in roles. Each role provides a predefined set of permissions that cannot be customized per-user.
| Role | Purpose | Typical User |
|---|---|---|
| superadmin | Full system access — user management, schema mutations, activity logs, VectorDB viewer | System administrator, DevOps |
| manager | Content management + all analytics + settings + schema read | Product manager, team lead |
| analyst | Read-only analytics, query history, settings, debug search | Data analyst, QA engineer |
| editor | Content authoring — knowledge base, pricing, product specs | Content writer, data entry |
Role Hierarchy
Roles follow a hierarchy where higher roles inherit all permissions of the roles below them. Manager combines analyst + editor capabilities, while Superadmin adds administrative powers on top.
superadmin
├── Everything manager can do
├── User CRUD (create/list/update/delete other users)
├── Activity Log viewer
├── VectorDB viewer (info/records/sources)
└── Schema mutations (add/edit/rename/remove fields, rebuild)
manager
├── Everything analyst can do
├── Everything editor can do
└── Schema read (view schema, history, diff, rebuild-status)
analyst (read-only analytics)
├── Summary, Usage, Search Insights, User Analytics
├── Query History (view + export)
├── Settings (read + write LLM settings)
└── Debug search
editor (content authoring)
├── Knowledge Base management
├── Pricing Database management
├── Product Specs management
├── Document improvement (LLM rewrite)
└── Re-index documents
Admin Page Permissions
The admin panel shows or hides sidebar items based on the logged-in user's role. Section labels are hidden when all items within them are inaccessible.
| Section | Page | Super | Manager | Analyst | Editor |
|---|---|---|---|---|---|
| — | Welcome / Home | Yes | Yes | Yes | Yes |
| Content | Knowledge Base | Yes | Yes | No | Yes |
| Content | Pricing Database | Yes | Yes | No | Yes |
| Content | Product Specifications | Yes | Yes | No | Yes |
| Analytics | Summary Dashboard | Yes | Yes | Yes | No |
| Analytics | LLM Usage Metrics | Yes | Yes | Yes | No |
| Analytics | Search Insights | Yes | Yes | Yes | No |
| Analytics | User Analytics | Yes | Yes | Yes | No |
| Analytics | Query History | Yes | Yes | Yes | No |
| Management | User Management | Yes | No | No | No |
| Management | Settings | Yes | Yes | Yes | No |
| Management | Debug Search | Yes | Yes | Yes | No |
| Management | Activity Log | Yes | No | No | No |
| Management | Schema Editor | Yes | No (read only) | No | No |
| Management | VectorDB Viewer | Yes | No | No | No |
API Endpoint Permissions
Backend routes use FastAPI dependency injection for access control. Three guard types exist:
| Guard | Description |
|---|---|
| get_current_user | Any authenticated user (extracts the JWT, fetches the user from the DB) |
| require_superadmin | Caller must have the superadmin role |
| require_role(roles) | Factory — returns a dependency that checks the user's role is in the allowed roles list |
Core Admin Endpoints
| Endpoint | Method | Super | Manager | Analyst | Editor |
|---|---|---|---|---|---|
| /login | POST | Yes | Yes | Yes | Yes |
| /me | GET | Yes | Yes | Yes | Yes |
| /users | GET | Yes | No | No | No |
| /users | POST | Yes | No | No | No |
| /users/{id} | GET | Yes (all) | Self only | Self only | Self only |
| /users/{id} | PUT | Yes (all) | Self only¹ | Self only¹ | Self only¹ |
| /users/{id} | DELETE | Yes | No | No | No |
¹ Non-superadmin users cannot change their own role field — it is silently stripped from the update payload.
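The three guard types and the /users/{id} self-only rule, as an added example in plain Python rather than BABEH's own code: the guards are written as plain callables that raise `Forbidden` (standing in for an HTTP 403) so the logic runs without FastAPI wiring, and the `User`, `Forbidden`, `authorize_user_record`, `sanitize_user_update` and `is_denied` names are this example's own.

```python
"""Added example (not BABEH's code): guards from the endpoint tables and
the self-only / role-stripping rule for /users/{id}."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Stands in for an HTTP 403 response."""


@dataclass(frozen=True)
class User:
    id: int
    role: str


def require_superadmin(user: User) -> User:
    if user.role != "superadmin":
        raise Forbidden("superadmin required")
    return user


def require_role(roles):
    """Factory: returns a guard that admits only the listed roles."""
    allowed = frozenset(roles)

    def guard(user: User) -> User:
        if user.role not in allowed:
            raise Forbidden(f"role {user.role!r} not in {sorted(allowed)}")
        return user

    return guard


# Guards matching the Analytics and Content endpoint tables above.
require_analytics = require_role(["superadmin", "manager", "analyst"])
require_content = require_role(["superadmin", "manager", "editor"])


def authorize_user_record(actor: User, target_id: int) -> None:
    """/users/{id}: superadmin reaches any record, others only their own."""
    if actor.role != "superadmin" and actor.id != target_id:
        raise Forbidden("self only")


def sanitize_user_update(actor: User, payload: dict) -> dict:
    """Footnote 1: a non-superadmin's 'role' field is silently stripped."""
    if actor.role == "superadmin":
        return dict(payload)
    return {k: v for k, v in payload.items() if k != "role"}


def is_denied(check, *args) -> bool:
    """True when a guard rejects the call; useful for permission audits."""
    try:
        check(*args)
    except Forbidden:
        return True
    return False
```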
Analytics & Settings Endpoints
| Endpoint | Method | Super | Manager | Analyst | Editor |
|---|---|---|---|---|---|
| /admin/summary | GET | Yes | Yes | Yes | No |
| /admin/usage | GET | Yes | Yes | Yes | No |
| /admin/search-insights | GET | Yes | Yes | Yes | No |
| /admin/user-analytics | GET | Yes | Yes | Yes | No |
| /admin/query-history | GET | Yes | Yes | Yes | No |
| /admin/settings | GET / PUT | Yes | Yes | Yes | No |
| /admin/debug-search | POST | Yes | Yes | Yes | No |
Content Management Endpoints
| Endpoint | Method | Super | Manager | Analyst | Editor |
|---|---|---|---|---|---|
| /admin/documents/* | POST | Yes | Yes | No | Yes |
| /admin/reindex | POST | Yes | Yes | No | Yes |
| /admin/pricing/* | CRUD | Yes | Yes | No | Yes |
| /admin/product-specs/* | CRUD | Yes | Yes | No | Yes |
Superadmin-Only Endpoints
| Endpoint | Method | Super | Others |
|---|---|---|---|
| /activity-log | GET | Yes | No |
| /{entity}/schema | POST / PUT / DELETE (mutation) | Yes | No |
| /{entity}/schema/rebuild | POST | Yes | No |
| /{entity}/schema/fields/{name}/rename | POST | Yes | No |
| /vectordb/info | GET | Yes | No |
| /vectordb/records | GET | Yes | No |
| /vectordb/sources | GET | Yes | No |
Schema Access by Role
Schema endpoints have a split permission model — read vs. write:
| Operation | Roles Allowed |
|---|---|
| View schema, history, diff, rebuild-status | superadmin, manager |
| Add / Edit / Rename / Remove fields | superadmin only |
| Trigger schema rebuild | superadmin only |
Public API (No Roles)
Public API routes under /api/ use a static API key check via the X-API-Key header. There is no role-based access — any valid API key grants full access to the consumer-facing endpoints.
If API_KEY is not set in the backend configuration, all public API access is allowed without a key.
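The X-API-Key check as an added example (not BABEH's code): `check_api_key_permissive` mirrors the documented behaviour, where an unset API_KEY admits every request, and `check_api_key_strict` shows the fail-closed variant a deployment review would ask for. Both function names are this example's own, and headers are assumed to be passed as a mapping with the header name already normalised.

```python
"""Added example (not BABEH's code): the public /api/ key check in its
documented form and in a fail-closed form."""
import hmac
from typing import Mapping, Optional

HEADER = "X-API-Key"


def check_api_key_permissive(configured: Optional[str],
                             headers: Mapping[str, str]) -> bool:
    """Documented behaviour: no configured API_KEY means the check is skipped."""
    if not configured:
        return True
    return headers.get(HEADER) == configured


def check_api_key_strict(configured: Optional[str],
                         headers: Mapping[str, str]) -> bool:
    """Fail closed: a missing or empty API_KEY denies every request, so a
    deployment that forgot to set it is not silently open to the internet."""
    if not configured:
        return False
    presented = headers.get(HEADER)
    if presented is None:
        return False
    # Constant-time comparison so a wrong key takes the same time as a
    # nearly-right one, regardless of where the first differing byte is.
    return hmac.compare_digest(presented.encode("utf-8"),
                               configured.encode("utf-8"))


def audit_unset_key(configured: Optional[str]) -> str:
    """One-line finding for a config review: is the public API open?"""
    if not configured:
        return "OPEN: API_KEY unset, every /api/ request is accepted"
    return "OK: API_KEY configured"
```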
Authentication Details
| Setting | Value |
|---|---|
| JWT Algorithm | HS256 |
| Token Expiry | 8 hours (configurable via JWT_EXPIRATION_HOURS) |
| Password Hashing | bcrypt (72-byte limit) |
| Token Storage | localStorage as admin_token |
| User Storage | localStorage as admin_user |
| Auto-logout | On HTTP 401 response from any API call |
| Default role on creation | editor |
Any authenticated user can view and update their own profile, but cannot change their own role. The role field is silently stripped from update payloads for non-superadmin users.