# RBAC & Roles
ClawNex includes role-based access control with 5 operator roles, 32 permissions, session governance, progressive lockout, and CSRF protection.
Public-facing installs run with RBAC enabled. Local installs may run RBAC off only for localhost-only use.
## 5 Roles
| Role | Access Level |
|---|---|
| Admin | Full platform access, user administration, configuration, and system operations |
| Security Manager | Security operations, shield policy, access controls, alerts, and break-glass workflows |
| Operator | Daily monitoring, investigation, shield tests, and operational response |
| Viewer | Limited read-only operational visibility based on assigned permissions |
| Auditor | Audit, evidence, compliance, and security-log review |
## 32 Permissions
When RBAC is enabled, protected API routes require an authenticated session and the relevant permission. Key permissions include:
| Permission | Description |
|---|---|
| config:read | Read configuration settings |
| config:write | Modify configuration |
| shield:scan | Run shield scans |
| shield:config | Manage ClawNex Shield rules and whitelist settings |
| alerts:read | View alerts |
| alerts:manage | Acknowledge, investigate, and resolve alerts |
| audit:read | View audit trail |
| system:manage | Perform system operations |
| workspace:read | View agent workspace files |
| chat:use | Use the chat/proxy endpoint |
| voice:use | Use voice and avatar features |
## Session Management
- Timeout — configurable from 1 to 720 hours
- Concurrent limit — maximum 5 sessions per operator; oldest session is revoked when exceeded
- Password change — revokes all sessions for that operator
- My Sessions card — operators can view and revoke their own sessions
## Progressive Account Lockout
| Failed Attempts | Lockout Duration |
|---|---|
| 5 | 1 minute |
| 10 | 5 minutes |
| 15 | 30 minutes |
| 20+ | Account auto-disabled until an admin re-enables it |
Lockout is per account. A successful login resets the failure counter.
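The lockout schedule above, written out as a small per-account state machine. This is an added illustration, not ClawNex's own code; it assumes attempts made while an account is locked or disabled are rejected before the credential check and do not advance the failure counter, and it keeps state in memory rather than SQLite.

```python
from dataclasses import dataclass
from typing import Optional

# Thresholds from the lockout table: failure count -> lockout duration in seconds.
LOCKOUT_STEPS = {5: 60, 10: 5 * 60, 15: 30 * 60}
DISABLE_THRESHOLD = 20  # 20+ failures: disabled until an admin re-enables the account


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None  # epoch seconds; None when not locked
    disabled: bool = False


class LockoutPolicy:
    """Per-account progressive lockout (in-memory state for this example)."""

    def __init__(self) -> None:
        self._accounts: dict[str, AccountState] = {}

    def state(self, username: str) -> AccountState:
        return self._accounts.setdefault(username, AccountState())

    def attempt_login(self, username: str, password_ok: bool, now: float) -> str:
        """Return 'disabled', 'locked', 'failed' or 'ok' for one login attempt."""
        s = self.state(username)
        if s.disabled:
            return "disabled"
        if s.locked_until is not None and now < s.locked_until:
            return "locked"  # assumption: rejected attempts during a lock are not counted
        if password_ok:
            # A successful login resets the failure counter.
            s.failures = 0
            s.locked_until = None
            return "ok"
        s.failures += 1
        if s.failures >= DISABLE_THRESHOLD:
            s.disabled = True
            s.locked_until = None
            return "disabled"
        duration = LOCKOUT_STEPS.get(s.failures)
        if duration is not None:
            s.locked_until = now + duration
            return "locked"
        return "failed"

    def admin_reenable(self, username: str) -> None:
        """Admin action: clear the disabled flag and start the counter afresh."""
        self._accounts[username] = AccountState()
```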
## Security Implementation
- SQLite sessions with SHA-256 hashed tokens
- bcryptjs password hashing with 12 rounds
- Session-bound HMAC CSRF token on state-changing requests
- Origin and Referer checks for mutation requests
- Last-admin protection: the final admin cannot be demoted, deactivated, or deleted
## Enterprise Features
| Feature | Description |
|---|---|
| SSO / SAML | Federated authentication with your identity provider |
| MFA | Multi-factor authentication such as TOTP or hardware keys |
| Custom Roles | Define custom permission sets beyond the built-in roles |
| Session IP Binding | Lock sessions to the originating IP address |
| Two-Person Break-Glass | Require a second admin to approve break-glass activation |
Enterprise features are visible in the UI with an Enterprise badge.