Skip to main content
A Role defines a set of permissions that control what a user can do in your CometChat app. Every user is assigned exactly one role — if no role is specified during user creation, the default role is applied automatically.

Endpoints

How roles work

Roles vs. Group Member Scopes

CometChat uses two layers of access control: When a user joins a group, they are assigned one of three scopes: For group operations, both RBAC and SBAC permissions must allow the action. A user’s role is checked first (app-wide), then their group scope is checked (group-level). If either denies the action, the API returns ERR_PERMISSION_DENIED. For the full list of scope-based permissions, see SBAC (Scope-Based Access Control).

Relationships

  • Users — Each User has one role. Change it via the Update User API.
  • Group Members — Each member in a Group has a scope (admin, moderator, or participant). Change it via the Update Group Member Scope API.
  • Restrict Features — Use the Restrict Features API to limit what users with a specific role can do.
  • RBAC — App-wide permissions per role. See RBAC.
  • SBAC — Group-level permissions per scope. See SBAC.

Role properties

Error handling

For the complete list of error codes, see Error Guide. For all system limits (role caps, ID length, metadata, etc.), see Properties and Constraints.