RBAC & Roles
ClawNex includes a full role-based access control system with 5 operator roles, 28 permissions, session governance, and progressive lockout.
5 Roles
| Role | Access Level |
|---|---|
| Admin | Full platform access — manage users, configure RBAC, change all settings, perform every action |
| Security Manager | Manage shield rules, whitelist entries, alert triage, break-glass activation |
| Operator | Monitor traffic, acknowledge and investigate alerts, run shield tests |
| Viewer | Read-only access to all dashboards and reports — no configuration changes |
| Auditor | Read-only access to audit trails, compliance reports, and security logs |
28 Permissions
When RBAC is enabled, every API route requires both requireSession() and requirePermission(). Key permissions:
| Permission | Description |
|---|---|
| config:read | Read configuration settings |
| config:write | Modify configuration (admin only) |
| shield:scan | Run shield scans |
| shield:manage | Manage shield rules and whitelist |
| alerts:read | View alerts |
| alerts:manage | Acknowledge, investigate, resolve alerts |
| audit:read | View audit trail |
| system:manage | System operations — install, restart, backup (admin only) |
| workspace:read | View agent workspace files |
| chat:use | Use the chat/proxy endpoint |
| voice:use | Use voice and avatar features |
Session Management
- Timeout — configurable from 1 to 720 hours
- Concurrent limit — maximum 5 sessions per operator; oldest revoked when exceeded
- Password change — revokes all sessions for that operator
- My Sessions card — operators can view and revoke their own sessions
Progressive Account Lockout
| Failed Attempts | Lockout Duration |
|---|---|
| 5 | 1 minute |
| 10 | 5 minutes |
| 15 | 30 minutes |
| 20+ | Account auto-disabled (requires admin re-enable) |
Lockout is per-account, not per-IP. A successful login resets the failure counter.
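The lockout schedule above as an added example (not ClawNex's own code): a per-account tracker that applies each lockout when the failure counter reaches a threshold, rejects attempts while locked or disabled, resets on success, and requires an explicit admin re-enable at 20 failures. The class and method names are hypothetical, and applying the lock only at the exact thresholds is an assumption.

```javascript
// Added example (hypothetical names), not ClawNex's own implementation.
// Thresholds from the lockout table; counter is keyed by account, not by IP.
const LOCKOUT_STEPS = new Map([
  [5, 60 * 1000],        // 5 failures  -> 1 minute
  [10, 5 * 60 * 1000],   // 10 failures -> 5 minutes
  [15, 30 * 60 * 1000],  // 15 failures -> 30 minutes
]);
const DISABLE_AT = 20;    // 20+ failures -> auto-disabled until admin re-enables

class LockoutTracker {
  constructor() { this.accounts = new Map(); }

  state(account) {
    if (!this.accounts.has(account)) {
      this.accounts.set(account, { failures: 0, lockedUntil: 0, disabled: false });
    }
    return this.accounts.get(account);
  }

  // Call before verifying the password; `now` is a millisecond timestamp.
  check(account, now) {
    const s = this.state(account);
    if (s.disabled) return { allowed: false, reason: 'disabled' };
    if (now < s.lockedUntil) {
      return { allowed: false, reason: 'locked', retryAfterMs: s.lockedUntil - now };
    }
    return { allowed: true };
  }

  // Record a failed password check; returns the resulting lockout state.
  recordFailure(account, now) {
    const s = this.state(account);
    s.failures += 1;
    if (s.failures >= DISABLE_AT) {
      s.disabled = true;                      // requires adminEnable() to clear
    } else if (LOCKOUT_STEPS.has(s.failures)) {
      s.lockedUntil = now + LOCKOUT_STEPS.get(s.failures);
    }
    return { failures: s.failures, lockedUntil: s.lockedUntil, disabled: s.disabled };
  }

  // A successful login resets the failure counter (and any pending lock).
  recordSuccess(account) {
    const s = this.state(account);
    s.failures = 0;
    s.lockedUntil = 0;
  }

  // Admin action: re-enable an auto-disabled account and start fresh.
  adminEnable(account) {
    const s = this.state(account);
    s.disabled = false;
    s.failures = 0;
    s.lockedUntil = 0;
  }
}
```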
Security Implementation
- SQLite sessions with SHA-256 hashed tokens
- bcryptjs password hashing (12 rounds)
- CSRF double-submit cookie on all mutations
- Last-admin protection — cannot demote, deactivate, or delete the last admin
Enterprise Features
| Feature | Description |
|---|---|
| SSO / SAML | Federated authentication with your identity provider |
| MFA | Multi-factor authentication (TOTP, hardware key) |
| Custom Roles | Define custom permission sets beyond the 5 built-in roles |
| Session IP Binding | Lock sessions to the originating IP address |
| Two-Person Break-Glass | Require a second admin to approve break-glass activation |
Enterprise features are visible in the UI with an “Enterprise” badge.