Access control
Role-based access per server: owner, admin, viewer. Super-admins via env var. Every change audit-logged.
Two levels of permissions
EXMER has two permission dimensions that combine:
- Super-admin — set by the ADMIN_USER_IDS env var. Bypasses all per-server access checks. Can see every server, manage every server, view audit logs and backups. Set at deployment time by whoever runs the EXMER install.
- Per-server role — stored in the server_access table. Every non-super-admin user who can touch a server must have a row here.
Per-server roles
| Role | Can do |
|---|---|
| owner | Everything: edit, delete, grant/revoke access to other users, delete the server itself |
| admin | Mutate settings, install OpenClaw, restart gateway, manage agents and RAG, run exec commands. Cannot delete the server or change access. |
| viewer | Read-only: see status, sessions, alerts. Cannot modify anything. |
How a server gets an owner
The user who creates a server automatically becomes its owner. There is one owner per server — ownership transfer is not yet implemented; if you need it, file an issue.
Inviting users
As the owner, open the server → Access → enter the invited user's Telegram ID → pick a role (admin or viewer). The invited user must find their Telegram ID via /myid in the bot.
Revoking access
Same screen — swipe / tap to revoke. Revocation takes effect on the user's next API call (the JWT is still valid, but the server_access row is gone).
Audit log
All access changes (grant, update role, revoke) are audit-logged with user ID, target user ID, server ID, request ID, and timestamp. Super-admins can view the log at /api/admin/audit.
Anyone listed in ADMIN_USER_IDS can see and modify every server, read credentials-protected operations, and access the audit log. Keep this list short.
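The sketch below is an added example, not EXMER's own code. It shows how the two permission dimensions combine in one per-request check, and why a revoke applies on the next call even though the JWT is still valid. The server_access column names, the action names and the comma-separated ADMIN_USER_IDS format are assumptions made for illustration.

```python
import sqlite3

RANK = {"viewer": 1, "admin": 2, "owner": 3}
# Minimum role per action, taken from the roles table; action names are made up.
REQUIRED = {"view_status": "viewer", "restart_gateway": "admin",
            "grant_access": "owner", "delete_server": "owner"}

def parse_admin_ids(raw):
    """Parse ADMIN_USER_IDS; a comma-separated list of numeric IDs is assumed."""
    return {int(p) for p in raw.split(",") if p.strip().isdigit()}

def authorize(db, admin_ids, user_id, server_id, action):
    """Decide one request. user_id comes from an already-verified JWT; the role
    is read from server_access on every call, never from the token."""
    if action not in REQUIRED:
        return False                      # unknown action: fail closed
    if user_id in admin_ids:
        return True                       # super-admin bypasses per-server checks
    row = db.execute(
        "SELECT role FROM server_access WHERE user_id = ? AND server_id = ?",
        (user_id, server_id)).fetchone()
    if row is None:
        return False                      # no row (never granted, or revoked)
    return RANK.get(row[0], 0) >= RANK[REQUIRED[action]]

def build_sample_db():
    """Constructed sample data: server 1 with one owner, one admin, one viewer."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE server_access (user_id INTEGER, server_id INTEGER,"
               " role TEXT, PRIMARY KEY (user_id, server_id))")
    db.executemany("INSERT INTO server_access VALUES (?, ?, ?)",
                   [(100, 1, "owner"), (200, 1, "admin"), (300, 1, "viewer")])
    return db

def revoke(db, user_id, server_id):
    """Remove the access row; the next authorize() call for this pair fails."""
    db.execute("DELETE FROM server_access WHERE user_id = ? AND server_id = ?",
               (user_id, server_id))

if __name__ == "__main__":
    db, admins = build_sample_db(), parse_admin_ids("900, 901")
    print(authorize(db, admins, 200, 1, "restart_gateway"))  # admin may mutate
    print(authorize(db, admins, 200, 1, "grant_access"))     # but not change access
    revoke(db, 200, 1)
    print(authorize(db, admins, 200, 1, "view_status"))      # row gone, token irrelevant
    print(authorize(db, admins, 900, 2, "delete_server"))    # super-admin, no row needed
```

Because the role never travels in the token, there is no revocation list to maintain; the trade-off is one server_access lookup per request.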