NearNode uses a four-tier RBAC model. Every workspace member has exactly one role. Permissions are enforced at both the UI and API level — there is no client-side-only access control.
Role Hierarchy
Owner (Full Control) → Admin (Manage Resources) → Editor (Modify Content) → Viewer (Read Only)
Permission Matrix
| Action | Owner | Admin | Editor | Viewer |
|---|---|---|---|---|
| Nodes | | | | |
| View nodes | ✓ | ✓ | ✓ | ✓ |
| Create nodes | ✓ | ✓ | ✓ | — |
| Edit node payloads | ✓ | ✓ | ✓ | — |
| Delete nodes | ✓ | ✓ | — | — |
| Kill switch (deactivate) | ✓ | ✓ | — | — |
| Routing Rules | | | | |
| View rules | ✓ | ✓ | ✓ | ✓ |
| Create / edit rules | ✓ | ✓ | ✓ | — |
| Delete rules | ✓ | ✓ | — | — |
| Fleet | | | | |
| View batches | ✓ | ✓ | ✓ | ✓ |
| Create batches | ✓ | ✓ | — | — |
| Generate / deploy batches | ✓ | ✓ | — | — |
| Download manifest | ✓ | ✓ | ✓ | ✓ |
| Templates | | | | |
| View templates | ✓ | ✓ | ✓ | ✓ |
| Create / edit templates | ✓ | ✓ | — | — |
| Delete templates | ✓ | ✓ | — | — |
| Analytics | | | | |
| View analytics | ✓ | ✓ | ✓ | ✓ |
| Export analytics | ✓ | ✓ | ✓ | — |
| NFC Writer | | | | |
| Write to hardware | ✓ | ✓ | ✓ | — |
| Lock tags | ✓ | ✓ | — | — |
| View write logs | ✓ | ✓ | ✓ | ✓ |
| Alerts | | | | |
| View alert rules | ✓ | ✓ | ✓ | ✓ |
| Create / edit alerts | ✓ | ✓ | — | — |
| Delete alerts | ✓ | ✓ | — | — |
| Settings | | | | |
| Manage members | ✓ | ✓ | — | — |
| Manage webhooks | ✓ | ✓ | — | — |
| Manage API keys | ✓ | ✓ | — | — |
| Manage custom domains | ✓ | ✓ | — | — |
| Manage billing | ✓ | — | — | — |
| Transfer ownership | ✓ | — | — | — |
| Delete workspace | ✓ | — | — | — |
Role Descriptions
Owner
Full control over the workspace. Can manage billing, transfer ownership, and delete the workspace. There is exactly one Owner per workspace.
Admin
Full CRUD access to all resources. Can manage team members (invite, change roles, remove) except the Owner. Cannot manage billing or delete the workspace.
Editor
Can create and modify nodes, routing rules, and write NFC tags. Cannot delete nodes, manage batches/templates, or access workspace settings. Ideal for field operators and content managers.
Viewer
Read-only access to all resources. Can view nodes, analytics, write logs, and batches but cannot modify anything. Ideal for stakeholders, clients, and auditors.
Changing a Member’s Role
Open Members
Navigate to Settings → Members.
Select Role
Click the role badge next to the member’s name. Select the new role from the dropdown.
Confirm
Role changes take effect immediately. The member’s active sessions are updated without requiring re-login.
Admins can change the roles of Editors and Viewers, but cannot promote themselves to Owner or demote another Admin. Only the Owner can manage Admin-level role changes.
API Enforcement
RBAC is enforced server-side on every API request. An API key inherits the permissions of the user who created it. If a key’s creator is later downgraded to Viewer, the key can only perform read operations.
```bash
# This will return 403 if the key's creator is a Viewer
curl -X DELETE https://nearnode.io/api/v1/nodes/r5v5z7t2 \
  -H "Authorization: Bearer sk_live_..."
# Response:
# { "data": null, "error": "Insufficient permissions. Required: nodes:delete" }
```
Use scoped API keys to further restrict access beyond role-level permissions. A scoped key can never exceed its creator’s role permissions.
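The sketch below shows one way a server could implement the two rules above: a key's permissions follow its creator's current role, and scopes can only narrow them. It is an added example, not NearNode's code; only the `nodes:delete` permission name comes from this page, and the other permission names, the `users` mapping and the key dictionaries are assumptions.

```python
# Added example. Only "nodes:delete" appears on the page; the other permission
# names and the users/key dict shapes are assumptions.
ROLE_ORDER = ["viewer", "editor", "admin", "owner"]

# Minimum role per permission, from the Nodes and Settings rows of the matrix.
MIN_ROLE = {
    "nodes:view": "viewer",
    "nodes:create": "editor",
    "nodes:edit": "editor",
    "nodes:delete": "admin",
    "members:manage": "admin",
    "billing:manage": "owner",
}

def role_permissions(role):
    """All permissions the matrix subset above grants to a role."""
    rank = ROLE_ORDER.index(role)
    return {p for p, r in MIN_ROLE.items() if ROLE_ORDER.index(r) <= rank}

def effective_permissions(creator_role, key_scopes=None):
    """Creator's current role, narrowed by the key's optional scopes."""
    granted = role_permissions(creator_role)
    if key_scopes is None:            # unscoped key inherits the role as-is
        return granted
    return granted & set(key_scopes)  # intersection: scopes never widen access

def authorize(users, key, required):
    """Return (status, body), resolving the creator's role at request time."""
    creator_role = users[key["creator"]]  # looked up per request, not stored on the key
    if required in effective_permissions(creator_role, key.get("scopes")):
        return 200, {"data": "ok", "error": None}
    return 403, {"data": None,
                 "error": f"Insufficient permissions. Required: {required}"}

if __name__ == "__main__":
    users = {"alice": "admin"}        # constructed sample data
    key = {"creator": "alice"}
    print(authorize(users, key, "nodes:delete"))  # allowed while alice is Admin
    users["alice"] = "viewer"                     # creator is downgraded
    print(authorize(users, key, "nodes:delete"))  # same key now gets 403
```

Because the role is resolved on every request, a downgrade takes effect for existing keys without reissuing them, and an empty scope list grants nothing rather than everything.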