Roles and Permissions
User and API key role descriptions
Layer1 uses a role-based access control system to manage permissions for users and API keys. Roles define the scope of actions available to an identity and are grouped into two scopes:
- Tenant Roles: Apply at the platform (Layer1 tenant) level
- Account Roles: Apply at the merchant account level
Each role grants access to specific capabilities within the platform.
You can only assign roles to others that you hold yourself.
Recommendations
- Assign roles based on the principle of least privilege: grant only the minimum permissions necessary to perform the tasks, reducing the attack surface and limiting potential misuse.
- Combine roles where needed for hybrid access. For example, viewer + monitor.
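The rule that you can only assign roles you hold yourself, sketched as an added example (not Layer1's code or API). The `Grant` type, the exact-match semantics across tenant and account scopes, and the sample identity are assumptions for illustration; the role names are the ones listed on this page.

```python
from dataclasses import dataclass
from typing import Optional

TENANT, ACCOUNT = "tenant", "account"  # the two scopes named on this page

@dataclass(frozen=True)
class Grant:
    scope: str                         # TENANT or ACCOUNT
    role: str                          # e.g. "user:operator"
    account_id: Optional[str] = None   # set only for ACCOUNT scope (assumed model)

    def __post_init__(self):
        if self.scope not in (TENANT, ACCOUNT):
            raise ValueError(f"unknown scope: {self.scope!r}")
        if (self.scope == ACCOUNT) != (self.account_id is not None):
            raise ValueError("account_id is required for, and only for, account scope")

def undelegable(assigner_grants, requested):
    """Return the requested grants that the assigner does not hold.

    Matching is exact on (scope, role, account_id). No role hierarchy is
    assumed (operator is not treated as implying viewer), and a tenant role
    is not treated as covering the same role name inside an account.
    """
    held = set(assigner_grants)
    return [g for g in requested if g not in held]

def assign(assigner_grants, target_grants, requested):
    """Fail closed: apply every requested grant or none of them."""
    denied = undelegable(assigner_grants, requested)
    if denied:
        names = ", ".join(f"{g.scope}/{g.role}" for g in denied)
        raise PermissionError(f"assigner does not hold: {names}")
    return set(target_grants) | set(requested)

# Constructed sample identity: a tenant user administrator with read and
# monitoring access to digital assets.
ALICE = {
    Grant(TENANT, "user:operator"),
    Grant(TENANT, "crypto:viewer"),
    Grant(TENANT, "crypto:monitor"),
}
```

Several role names, such as user:operator, client:operator and hook:operator, exist in both scopes, which is why the comparison includes the scope and not only the role string.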
Tenant roles
A tenant is a direct customer of Layer1. Tenant roles define access at the Layer1 platform (or tenant) level. These roles are designed for customers who utilise Layer1 to manage their internal treasury operations, encompassing infrastructure configuration, transaction workflows, and digital asset lifecycle management.
They are typically assigned to treasury, operations, and engineering teams who need to interact with wallets, networks, liquidity, and exchange integrations across the organisation.
Use these roles to delegate specific responsibilities while maintaining firm control over your treasury environment.
User management
Role | Description | Use Case |
---|---|---|
user:operator | Create and edit users | Assign to administrators managing user access and permissions |
user:viewer | View existing users | Assign to stakeholders monitoring user access without modification rights. |
Digital assets
Role | Description | Use Case |
---|---|---|
crypto:admin | - Manage asset pools and addresses - Consolidate assets into master addresses | Assign to users who manage digital asset infrastructure and oversee asset consolidation processes. |
crypto:operator | - Manage networks, asset pools, and addresses - Create and view transactions - Claim stuck deposits | Assign to users who perform day-to-day blockchain operations and manage transactions |
crypto:monitor | - View networks, asset pools, addresses, and transactions - Claim stuck deposits - Approve or reject screened transactions | Assign to compliance officers or monitoring roles who oversee transaction activities |
crypto:viewer | - View networks, asset pools, addresses, and transactions - Claim stuck deposits - View screened transactions - Initiate and view exports | Assign to auditors or stakeholders requiring comprehensive visibility without modification rights |
crypto:customer:support | - View networks, asset pools, addresses, and transactions - Claim stuck deposits - View screened transactions | Assign to customer support teams assisting users with transaction-related inquiries |
crypto:config:operator | Manage digital asset node configuration. Relevant only for on-premise deployment model | Assign to technical staff responsible for configuring on-premise digital asset nodes |
crypto:config:viewer | View digital asset node configuration. Relevant only for on-premise deployment model | Assign to auditors or stakeholders without edit permissions who monitor node configurations |
crypto:liquidity:operator | - Consolidate assets into master addresses - Claim stuck deposits | Assign to users managing liquidity operations and asset consolidation processes |
Trading
Role | Description | Use Case |
---|---|---|
trade:liquidity:operator | - Create and view deposit addresses at trading venues - View venue balances - Create and view venue transfers | Assign to users who manage liquidity across trading venues. |
trade:liquidity:viewer | - View deposit addresses at trading venues - View venue balances - View venue transfers - View exchange rates | Assign to stakeholders who monitor trading venue activities and exchange rates |
trade:trading:operator | - View venue balances - Execute conversions - View conversions - Enable/Disable trading symbols | Assign to traders who execute conversions, monitor trading activities and enable trading pairs for exchange venues. |
trade:trading:viewer | - View venue balances - View exchange rates - View conversions | Assign to analysts or stakeholders to monitor trading activities without execution rights |
trade:config:operator | Configure and view trade venues | Assign to users responsible for configuring trading parameters |
trade:config:viewer | View trade venues | Assign to auditors or stakeholders to monitor trade configurations without edit permissions |
Treasury
Role | Description | Use Case |
---|---|---|
treasury:admin | Create and configure managed balances | Assign to users responsible for configuring thresholds for managed balances (Smart Treasury) |
Clients (API Keys)
Role | Description | Use Case |
---|---|---|
client:operator | Create, edit, and delete API keys | Assign to developers or integration engineers who manage API keys for various services or applications |
client:viewer | View API keys | Assign to stakeholders who need visibility into API key usage without modification rights |
secret:operator | Connect 3rd party services | Assign to developers or integration engineers who manage connecting 3rd party services (exchanges/screening providers) |
secret:viewer | View connected 3rd party services | Assign to stakeholders who need visibility into connected 3rd party services (exchanges/screening providers) without modification rights |
Hooks
Role | Description | Use Case |
---|---|---|
hook:operator | - Create and view hook destinations - View hook event types | Assign to developers or administrators responsible for setting up and managing webhook destinations |
hook:viewer | - View hook destinations - View hook event types | Assign to users or teams to provide visibility into webhook destination setup without granting editing permissions |
hook:config:operator | View and edit hook configuration. Relevant only for on-premise deployment model | Assign to developers or administrators responsible for setting up and managing webhook configurations |
hook:config:viewer | View hook configuration. Relevant only for on-premise deployment model | Assign to users or teams to provide visibility into webhook configuration setup without editing permissions |
Managing Merchants
If you leverage our white-label Merchant Payment Engine, the following roles apply to managing your merchants, which are referred to as “accounts” in the platform. These roles allow your tenant users to manage and oversee merchant setup, permissions, and charged fees.
Accounts
Role | Description | Use case |
---|---|---|
platform:operator | Create, edit, and view your accounts | Assign to trusted operations leads responsible for creating and maintaining merchant accounts |
platform:viewer | View your accounts | Assign to operations users to provide visibility into merchant accounts without granting modification rights |
Fees
Role | Description | Use Case |
---|---|---|
fee:admin | - Create, edit, and delete fee types - Create, edit, and delete account fees | Assign to operations users responsible for setting up and maintaining pricing or fee structures for merchants |
Account roles
If you leverage our white-label Merchant Payment Engine, the following roles apply to your Merchant users and API keys. These roles govern what users can view and manage within the Account Portal (which is distinct from the Layer1 Tenant Portal).
Each role is designed to align with specific operational needs, from viewing data to performing full transaction management. These roles help enforce the principle of least privilege, ensuring users only access what they need.
Users
Role | Description | Use case |
---|---|---|
user:operator | Create, edit, and delete users | Assign to team leads who need to manage their team's access and information |
user:viewer | View existing users | Assign to auditors or stakeholders to provide visibility into user data without granting modification rights |
Clients (API Keys)
Role | Description | Use case |
---|---|---|
client:operator | Create, edit, and delete API keys | Assign to developers or integration engineers who manage API keys for various services or applications |
client:viewer | View API keys | Assign to stakeholders to provide visibility into API key usage without granting modification rights |
Wallets
Role | Description | Use case |
---|---|---|
ledger:operator | Create and view account level wallets—your merchant's balances | Assign to users who handle day-to-day payments and manage transactions |
ledger:viewer | View account level wallets—your merchant's balances | Assign to auditors or stakeholders to provide visibility into wallets without granting modification rights |
Channels
Role | Description | Use case |
---|---|---|
channels:operator | - Create, edit, soft delete, and view channels - View channel payments | Assign to users who handle day-to-day payments and manage transactions |
channels:viewer | - View channels - View channel payments | Assign to auditors or stakeholders to provide visibility without granting modification rights |
Payments
Role | Description | Use case |
---|---|---|
payment:operator | Create payment links | Assign to users who handle day-to-day payments and manage transactions |
payment:viewer | View payments | Assign to auditors or stakeholders to provide visibility into payments without granting modification rights |
Approvals
Role | Description | Use case |
---|---|---|
approval-settings:operator | Configure approvals settings | Assign to trusted operations or administrator leads responsible for configuring transaction approval settings |
payment:approver | Approve or reject payments | Assign to trusted leads responsible for reviewing and approving payments |
Hooks
Role | Description | Use case |
---|---|---|
hook:operator | - Create and view hook destinations - View hook event types | Assign to developers or administrators responsible for setting up and managing webhook destinations |
hook:viewer | - View hook destinations - View hook event types | Assign to users or teams to provide visibility into webhook destination setup without granting editing permissions |