Skip to main content

Documentation Index

Fetch the complete documentation index at: https://www.cometchat.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

A Role defines a set of permissions that control what a user can do in your CometChat app. Every user is assigned exactly one role — if no role is specified during user creation, the default role is applied automatically.

Endpoints

MethodEndpointDescription
POST/rolesCreate a new role
GET/rolesList all roles
GET/roles/{role}Get a specific role
PUT/roles/{role}Update a role
DELETE/roles/{role}Delete a role

How roles work

Roles vs. Group Member Scopes

CometChat uses two layers of access control:
LayerApplies toAssigned viaPurpose
Role (RBAC)App-wideUser creation/updateControls what a user can do globally (e.g., send messages, create groups)
Scope (SBAC)Within a groupGroup membershipControls what a member can do inside a specific group
When a user joins a group, they are assigned one of three scopes:
ScopeDefault assignmentPrivileges
adminGroup creatorChange member scopes, add/kick/ban members, update/delete group, send & receive messages & calls
moderatorPromoted by an adminChange scope of participants, kick & ban participants, update group, send & receive messages & calls
participantAll other membersSend & receive messages & calls
For group operations, both RBAC and SBAC permissions must allow the action. A user’s role is checked first (app-wide), then their group scope is checked (group-level). If either denies the action, the API returns ERR_PERMISSION_DENIED. For the full list of scope-based permissions, see SBAC (Scope-Based Access Control).

Relationships

  • Users — Each User has one role. Change it via the Update User API.
  • Group Members — Each member in a Group has a scope (admin, moderator, or participant). Change it via the Update Group Member Scope API.
  • Restrict Features — Use the Restrict Features API to limit what users with a specific role can do.
  • RBAC — App-wide permissions per role. See RBAC.
  • SBAC — Group-level permissions per scope. See SBAC.

Role properties

PropertyTypeDescription
rolestringUnique identifier for the role.
namestringHuman-readable display name.
descriptionstringDescription of what this role is for.
metadataobjectJSON object for storing additional role configuration.
createdAtintegerUNIX timestamp of when the role was created.

Error handling

Error CodeDescription
ERR_ROLE_NOT_FOUNDThe specified role does not exist
ERR_ROLE_ALREADY_EXISTSA role with this name already exists
For the complete list of error codes, see Error Guide. For all system limits (role caps, ID length, metadata, etc.), see Properties and Constraints.