Roles & Permissions

Arcadium uses a two-tier Role-Based Access Control (RBAC) system for fine-grained access management.

Two-Tier RBAC

Arcadium separates permissions into two levels:

User Account
└── System Role (global)
    └── Cluster Memberships
        └── Cluster Role (per-cluster)

System Roles (Global)

Apply across the entire Arcadium platform:

Role | Description | Use Case
ADMIN | Platform administrator | Platform owners/operators
USER | Standard user | Community owners, server hosts

System vs Cluster

Elevated system roles are rare: most users hold the USER system role and differ only in their cluster roles.

Cluster Roles (Per-Cluster)

Apply within a specific cluster:

Role | Description | Permissions
OWNER | Cluster owner | Full control, billing, delete cluster
ADMIN | Administrator | Manage all resources, invite members
MODERATOR | Moderator | Manage players, view servers
VIEWER | Read-only | View servers and players only

Permission Hierarchy

OWNER (full access)
├── ADMIN (all except billing/delete)
│   ├── MODERATOR (players + limited servers)
│   │   └── VIEWER (read-only)

Each role inherits permissions from roles below it.

Cluster Role Permissions

OWNER

Full cluster control:

  • ✅ All ADMIN permissions
  • ✅ Manage billing and subscriptions
  • ✅ Delete cluster
  • ✅ Transfer ownership
  • ✅ View audit logs
  • ✅ Configure payment integrations

Restrictions:

  • Cannot be removed (must transfer ownership first)
  • Only one owner per cluster

ADMIN

Resource management:

  • ✅ Add/remove machines
  • ✅ Create/delete servers
  • ✅ Manage tasks and automation
  • ✅ Configure shop and ranks
  • ✅ Invite/remove members (except OWNER)
  • ✅ Manage all player actions
  • ✅ Access RCON console
  • ✅ File management (SFTP)
  • ✅ View metrics and logs

Restrictions:

  • ❌ Cannot delete cluster
  • ❌ Cannot manage billing
  • ❌ Cannot change owner role

MODERATOR

Player management:

  • ✅ View all servers and players
  • ✅ Kick/ban players
  • ✅ Send RCON messages
  • ✅ View player profiles
  • ✅ Add player notes/flags
  • ✅ View metrics (read-only)

Restrictions:

  • ❌ Cannot create/delete servers
  • ❌ Cannot modify server settings
  • ❌ Cannot access SFTP
  • ❌ Cannot manage tasks
  • ❌ Cannot invite members

VIEWER

Read-only access:

  • ✅ View servers and status
  • ✅ View player list
  • ✅ View metrics and dashboards
  • ✅ View public logs

Restrictions:

  • ❌ Cannot modify anything
  • ❌ Cannot execute RCON commands
  • ❌ Cannot kick/ban players

Inviting Team Members

Invitation Flow

  1. OWNER/ADMIN invites via email
  2. Email contains invitation link
  3. Invitee accepts (must have Arcadium account)
  4. Role assigned automatically

Steps in Dashboard

1. Navigate to Cluster Settings → Team
2. Click "Invite Member"
3. Enter email address
4. Select role (ADMIN/MODERATOR/VIEWER)
5. Add optional message
6. Send invitation

Invitation Expiry

  • Invitations expire after 7 days
  • Can be resent if expired
  • Can be revoked before acceptance

Managing Members

Changing Roles

OWNER/ADMIN can:

  • Promote VIEWER → MODERATOR → ADMIN
  • Demote ADMIN → MODERATOR → VIEWER
  • Cannot change OWNER role

Removing Members

OWNER can remove:

  • Any member (ADMIN, MODERATOR, VIEWER)

ADMIN can remove:

  • MODERATOR, VIEWER
  • Cannot remove OWNER or other ADMINs

Transferring Ownership

Only OWNER can transfer:

  1. Select new owner (must be existing member)
  2. Confirm transfer
  3. Old owner becomes ADMIN
  4. New owner receives OWNER role

Ownership Transfer

This action is irreversible. Only transfer to trusted individuals.
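
The removal and ownership-transfer rules above, written as server-side checks. This is an added example, not Arcadium's code; the in-memory member map, the function names and the Result shape are assumptions made for illustration.

```typescript
// Added example, not Arcadium's code: the removal and transfer rules from this page
// enforced on an in-memory member map (userId -> cluster role). All names are hypothetical.
type Role = "VIEWER" | "MODERATOR" | "ADMIN" | "OWNER";
type Members = Map<string, Role>;
type Result = { ok: true } | { ok: false; reason: string };

const deny = (reason: string): Result => ({ ok: false, reason });

function removeMember(members: Members, actorId: string, targetId: string): Result {
  const actor = members.get(actorId);
  const target = members.get(targetId);
  if (actor === undefined || target === undefined) return deny("not a member");
  // The OWNER cannot be removed, not even by themselves: transfer ownership first.
  if (target === "OWNER") return deny("owner must transfer ownership first");
  if (actor === "OWNER") {
    members.delete(targetId);
    return { ok: true };
  }
  // An ADMIN may remove only MODERATOR and VIEWER, never another ADMIN.
  if (actor === "ADMIN" && (target === "MODERATOR" || target === "VIEWER")) {
    members.delete(targetId);
    return { ok: true };
  }
  return deny("insufficient role");
}

function transferOwnership(members: Members, actorId: string, newOwnerId: string): Result {
  if (members.get(actorId) !== "OWNER") return deny("only the owner can transfer");
  if (!members.has(newOwnerId)) return deny("new owner must be an existing member");
  if (newOwnerId === actorId) return deny("already the owner");
  // Both writes belong to one step so the cluster never has zero or two owners.
  members.set(actorId, "ADMIN");
  members.set(newOwnerId, "OWNER");
  return { ok: true };
}

function ownerCount(members: Members): number {
  let n = 0;
  members.forEach((role) => { if (role === "OWNER") n++; });
  return n;
}
```

In a real datastore the two writes in transferOwnership would sit in a single transaction so the one-owner rule holds under concurrent requests.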

System Permissions (Platform-Level)

ADMIN (System)

Platform operators only:

  • ✅ View all clusters (for support)
  • ✅ Access system metrics
  • ✅ Manage platform settings
  • ✅ View/process support tickets
  • ✅ Manual billing adjustments

Reserved for Platform Staff

System ADMIN role is not for regular users - it's for the Arcadium team.

USER (System)

All regular users:

  • ✅ Create clusters (within plan limits)
  • ✅ Manage own account
  • ✅ Join clusters via invitation
  • ✅ Subscribe to plans

Permission Checks

In the Dashboard

  • UI elements are hidden if user lacks permission
  • Attempts to access restricted pages redirect to home
  • Actions are grayed out if not permitted

In the API

  • All endpoints check permissions
  • Returns 403 Forbidden if unauthorized
  • Audit log records all permission denials

Audit Logs

OWNER/ADMIN can view audit logs showing:

  • Who performed what action
  • Timestamp
  • Resource affected
  • IP address
  • Result (success/failure)

Logged Actions

  • Member invited/removed
  • Role changes
  • Server created/deleted
  • Player banned/unbanned
  • Settings modified
  • RCON commands executed

API Permissions

When using the API with tokens:

Token Scopes

API tokens inherit user's cluster role:

// Token with ADMIN role
GET /api/v1/clusters/{clusterId}/servers ✅
POST /api/v1/clusters/{clusterId}/servers ✅

// Token with VIEWER role  
GET /api/v1/clusters/{clusterId}/servers ✅
POST /api/v1/clusters/{clusterId}/servers ❌ 403
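
The checks described under "In the API" and "Token Scopes", sketched as one server-side function: a token carries its user's per-cluster role, the role hierarchy decides the request, and every decision is written to an audit log. This is an added example, not Arcadium's code; the action names, the audit entry shape and the function signature are assumptions.

```typescript
// Added example, not Arcadium's code. Action names and the audit entry shape are assumptions.
type ClusterRole = "VIEWER" | "MODERATOR" | "ADMIN" | "OWNER";

// Higher rank inherits every permission of the ranks below it.
const RANK: Record<ClusterRole, number> = { VIEWER: 0, MODERATOR: 1, ADMIN: 2, OWNER: 3 };

// Lowest role allowed to perform each action, following the per-role lists on this page.
// A Map rather than a plain object, so a name like "constructor" cannot hit an inherited key.
const MIN_ROLE = new Map<string, ClusterRole>([
  ["servers.list", "VIEWER"],
  ["players.ban", "MODERATOR"],
  ["servers.create", "ADMIN"],
  ["sftp.access", "ADMIN"],
  ["members.invite", "ADMIN"],
  ["billing.manage", "OWNER"],
  ["cluster.delete", "OWNER"],
]);

interface AuditEntry {
  actor: string;
  action: string;
  clusterId: string;
  ip: string;
  result: "success" | "failure";
  timestamp: string;
}
const auditLog: AuditEntry[] = [];

// tokenRoles: the cluster roles the token inherits from its user (clusterId -> role).
function authorize(
  actor: string,
  tokenRoles: Map<string, ClusterRole>,
  clusterId: string,
  action: string,
  ip: string,
): number {
  const role = tokenRoles.get(clusterId);
  const required = MIN_ROLE.get(action);
  // Deny by default: non-members and unknown actions never pass.
  const allowed =
    role !== undefined && required !== undefined && RANK[role] >= RANK[required];
  auditLog.push({
    actor, action, clusterId, ip,
    result: allowed ? "success" : "failure",
    timestamp: new Date().toISOString(),
  });
  return allowed ? 200 : 403;
}
```

The dashboard behaviour of hiding or graying out controls is a usability aid; a check like this on the API side is what enforces the role.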

Creating API Tokens

  1. Navigate to Account Settings → API Tokens
  2. Click "Create Token"
  3. Select clusters and roles
  4. Copy token (shown once)
  5. Use in Authorization: Bearer <token> header

Token Security

  • Tokens grant same permissions as user
  • Never share tokens
  • Rotate periodically
  • Revoke if compromised

Best Practices

Role Assignment

OWNER:

  • Only for cluster creators
  • Transfer to co-owner for redundancy
  • Consider promoting trusted admin instead

ADMIN:

  • Core team members who manage infrastructure
  • Technical staff who need full access
  • Limit to 2-3 people for security

MODERATOR:

  • Community moderators
  • Support staff
  • Don't need technical access

VIEWER:

  • Stakeholders who need visibility
  • Developers working on integrations
  • Auditors

Security

Principle of Least Privilege

Grant the minimum role required. Promote when needed, not preemptively.

Regular Audits

Review team members quarterly. Remove inactive members.

Remove on Departure

Immediately remove members who leave the team. Revoke their API tokens.

Common Scenarios

Small Community (1-5 servers)

1 OWNER - You
1 ADMIN - Co-owner/tech lead
2-3 MODERATORs - Community moderators

Medium Network (5-20 servers)

1 OWNER - Founder
2 ADMINs - Core team
5-10 MODERATORs - Mod team per game
2 VIEWERs - Developers/partners

Large Network (20+ servers)

1 OWNER - CEO/Founder  
3-5 ADMINs - Department leads
20+ MODERATORs - Regional mod teams
5+ VIEWERs - Analysts, partners

Troubleshooting

"Permission Denied" Error

  • Check your cluster role in Settings → Team
  • Contact cluster OWNER/ADMIN for promotion
  • Verify you're in the correct cluster

Cannot Invite Members

  • Only OWNER/ADMIN can invite
  • Check invitation quota (plan limit)
  • Verify invitee email is correct

Member Not Receiving Invitation

  • Check spam folder
  • Resend invitation (may have expired)
  • Verify they have an Arcadium account

Released under the MIT License.