RBAC & Permissions

Four-tier role hierarchy across platform admin and fund-scoped access.

Roles

🔒 Super Admin — Platform owner

Panel: /admin · Scope: All pools, all funds, all settings
Auth: Email + Password (backend-only creation, 1 account per platform)
Exclusive powers: invite/remove Admins, platform config, signing method defaults

👑 Admin — Full platform control

Panel: /admin · Scope: All pools, all funds
Auth: Google OAuth (invited by Super Admin)
Can do: create/delete pools, approve redemptions (final), pool pause, invite Operators/FMs, notifications

⚙️ Operator — Day-to-day operations

Panel: /admin · Scope: All pools (page-level permissions, granted by Super Admin or Admin)
Auth: Google OAuth (invited by Super Admin or Admin)
Can do: process deposits, record yield, edit pool details, propose redemptions (not approve), audit log

📁 Fund Manager — Fund-scoped operations

Panel: /fund-admin · Scope: Own fund(s) only
Auth: Google OAuth (invited by Admin)
Can do: approve/reject deposits (own fund), issue LP (FUND_ISSUED), configure yield, manage fund members

⚙️ Operator Page-Level Permissions

Operator permissions are page-level, controlled via admin_user_permissions table. Available page_keys: 'dashboard', 'deposits', 'redemptions', 'yield', 'pools', 'kyc', 'funds'. Super Admins and Admins have full access (no permission records needed). Fund Managers see only their assigned fund's pools and related data.

Permission Matrix

Platform & Settings

Action	🔒 Super Admin	👑 Admin	⚙️ Operator	📁 Fund Mgr
View admin dashboard	✓	✓	✓	—
View audit log	✓	✓	✓	—
Configure platform settings	✓	—	—	—
Configure notifications	✓	✓	—	—
Invite / remove Admin	✓	—	—	—
Invite / remove Operator	✓	✓	—	—
Invite / remove Fund Manager	✓	✓	—	—
Export CSV (all data)	✓	✓	✓	—

Pool Management

Action	🔒 Super Admin	👑 Admin	⚙️ Operator	📁 Fund Mgr
Create pool	✓	✓	—	—
Edit pool config	✓	✓	✓ (granted)	—
Deploy pool	✓	✓	—	—
Delete / Archive pool	✓	✓	—	—
Pause / unpause	✓	✓	—	—
Toggle investment_blocked	✓	✓	—	—
Transfer to wallet (AS_POOL)	✓	✓	—	—
Set signing method	✓	✓	—	—
View NAV & oracle status	✓	✓	✓	Own fund

Fund Management

Action	🔒 Super Admin	👑 Admin	⚙️ Operator	📁 Fund Mgr
Create fund	✓	✓	—	—
Edit fund details	✓	✓	✓	—
Delete fund	✓	✓	—	—
Set fund status	✓	✓	—	—
Add/remove fund members	✓	✓	—	✓ (own fund)
View fund dashboard	✓	✓	✓	Own fund
Export fund CSV	✓	✓	✓	Own fund

Deposits & LP

Action	🔒 Super Admin	👑 Admin	⚙️ Operator	📁 Fund Mgr
View investment queue	✓	✓	✓	—
Verify LP (FUND_ISSUED)	✓	✓	✓	—
Process deposits, manage reserve splits	✓	✓	✓	—
Mint LP tokens (PLATFORM_ISSUED)	✓	✓	✓	—

Redemptions

Action	🔒 Super Admin	👑 Admin	⚙️ Operator	📁 Fund Mgr
View redemption queue	✓	✓	✓	Own fund
Approve redemption (reserve check + payout)	✓	✓	—	—
Fund redemption shortfall	✓	✓	—	—
Reject redemption	✓	✓	—	—
Co-sign transfer (multi-sig, AS_POOL)	✓	✓	✓ (with role)	—
Co-sign transfer (multi-sig, FUND_POOL)	—	—	—	✓ (FM + FM)

Yield & Distribution

Action	🔒 Super Admin	👑 Admin	⚙️ Operator	📁 Fund Mgr
Record yield distribution	✓	✓	✓ (granted)	Own fund
Retry failed distribution	✓	✓	✓ (granted)	—
View yield claims	✓	✓	✓	Own fund
Configure yield settings	✓	✓	✓ (granted)	Own fund
Toggle allow_rollover	✓	✓	—	—

Auth & Route Protection

🔐 Authentication

Super Admin: Email + password login. Account created via backend only (DB seed or internal API). Password change via backend only. 1 account per platform.

Admin / Operator / Fund Manager: Google OAuth (email matched against admin_users.email). Invited via email with invite_code. On first login, Google OAuth account is linked.

wallet_address is optional for all roles — used only for on-chain operations, not for authentication. Role check on route load via GET /api/auth/role. 30-minute session timeout.

🗄 Database Tables

admin_users — All roles (email, role, auth_method, password_hash, is_active)

auth_method: 'PASSWORD' (Super Admin) or 'GOOGLE_OAUTH' (others)
password_hash: bcrypt hash, Super Admin only

admin_user_permissions — Operator page-level permissions

fund_members — Fund Manager roles (fund_id, admin_user_id scope, is_primary)

Admin Invite Flow

① Super Admin invites Admin 🔒 Super Admin

Settings → Admin Users → "Invite Admin" → enter email. System generates invite_code and sends email.

② Invited user clicks link → Google OAuth 🔴 Admin

Email contains invite link with invite_code. User clicks → Google OAuth sign-up → account linked with role = ADMIN, auth_method = GOOGLE_OAUTH.

Operator Invite Flow

① Super Admin or Admin invites Operator 🔴 Admin

Settings → Admin Users → "Invite Operator" → enter email. Same invite flow as Admin.

② Operator account created 🟢 System

Account created with role = OPERATOR. Admin grants page-level permissions via admin_user_permissions.

FM Onboarding Flow

① Admin creates Fund 🔴 Admin

Navigate to Funds page → "Create Fund" → enter fund name, description, primary contact info.

② Admin enters FM email 🔴 Admin

System sends invite email with invite_code to FM's email address.

③ FM clicks invite → Google OAuth 🟣 FM

FM signs up with Google OAuth (email must match invite). Account created with role = FUND_MANAGER.

④ FM auto-linked to fund 🟢 System

FM linked to fund via fund_members table. FM can belong to ONE fund only. No separate KYC. Same Google OAuth as Admin/Operator.

📖 RBAC Definition

Role-Based Access Control — access determined by assigned role, not individual permissions. Aset uses a four-tier model: Super Admin (platform owner, password auth), Admin (full control), Operator (page-level permissions), Fund Manager (fund-scoped). Super Admin uses email + password; all others use Google OAuth.

RBAC & Permissions ​

Roles ​

🔒 Super Admin — Platform owner ​

👑 Admin — Full platform control ​

⚙️ Operator — Day-to-day operations ​

📁 Fund Manager — Fund-scoped operations ​

Permission Matrix ​

Platform & Settings ​

Pool Management ​

Fund Management ​

Deposits & LP ​

Redemptions ​

Yield & Distribution ​

Auth & Route Protection ​

Admin Invite Flow ​

Operator Invite Flow ​

FM Onboarding Flow ​