Skip to content
ProxRad Docs

Permission List

ProxPanel ships with 220 default permissions organised into 39 categories. Each permission gates one specific action (subscribers.create) or scope (subscribers.view_all). Permissions are stored in the permissions table and assigned to users via permission_groups and the permission_group_permissions join table.

This page lists the main permission categories, what they gate, and which user types typically receive them. Use it when designing a custom Permission Group, debugging an unexpected “Access Denied”, or auditing a reseller’s privileges.

How permissions are evaluated

Section titled “How permissions are evaluated”

The backend middleware (internal/middleware/auth.go) treats permissions as follows:

CallerBehaviour
Admin userBypass — every permission granted automatically.
Reseller with NO permission_groupBypass — full access (backward-compatible default).
Reseller WITH a permission_groupOnly the permissions in the group are granted.
Support / Collector / Read-onlySame as reseller-with-group.
Customer (subscriber) loginNone of these permissions apply — customers use a separate, simpler scope.

When a user lacks a permission, the backend returns HTTP 403 and the frontend’s <PermissionRoute> component renders an “Access Denied” page or hides the corresponding UI element.

Naming convention

Section titled “Naming convention”

Permissions follow category.action (e.g. subscribers.delete). Recurring suffixes:

SuffixMeaning
.viewRead own scope only.
.view_allRead system-wide / across all resellers.
.createAdd a new row.
.editModify own scope.
.edit_allModify any row regardless of owner.
.deleteRemove own scope.
.delete_allRemove any row.

User-type abbreviations used in the tables below: A = admin, R = reseller, S = support, C = collector, RO = read-only / partner.

dashboard (4)

Section titled “dashboard (4)”

The dashboard itself is always visible; these permissions toggle the widgets shown on it and unlock the admin-only blocks.

PermissionDescriptionTypical user types
dashboard.viewView dashboardA, R, S, C, RO
dashboard.view_adminView admin dashboard widgets (Top Resellers, System Metrics, administrative terminationes)A
dashboard.view_active_onlyFilter the dashboard subscriber counts to active onlyA, R
dashboard.statsView dashboard statistics endpoint (/dashboard/stats)A, R

subscribers (61)

Section titled “subscribers (61)”

The largest category — subscribers are the central object in ProxPanel.

Read / list

Section titled “Read / list”
PermissionDescriptionTypicalGates
subscribers.viewView subscribers (own scope)A, R, S, C, ROSubscribers page, subscriber detail
subscribers.view_allView all subscribers system-wideA, RO (partner)Bypasses reseller filter
subscribers.view_passwordView PPPoE password (GET endpoint + edit form)A, SPassword field in edit modal
subscribers.view_fupView FUP level in subscriber listA, R, SFUP column
subscribers.view_graphView live bandwidth graph for own subscribersA, R, SLive graph icon
subscribers.view_graph_allView live bandwidth graph for any subscriberA
subscribers.view_logsView per-subscriber logs (own scope)A, R, SLogs tab
subscribers.view_logs_allView per-subscriber logs (all)A
subscribers.view_archivedView soft-deleted subscribersAArchived tab

Create / edit

Section titled “Create / edit”
PermissionDescriptionTypicalGates
subscribers.createCreate subscribersA, R”Add Subscriber” button
subscribers.editEdit subscribers (own scope)A, R, SEdit form save
subscribers.edit_allEdit any subscriber regardless of ownerA
subscribers.renameRename subscriber usernameA, RRename action
subscribers.rename_allRename any subscriberA
subscribers.change_ownerReassign subscriber to a different resellerA, RChange Owner dialog
subscribers.change_owner_allReassign any subscriberA
subscribers.change_serviceChange subscriber’s service planA, RChange Service dialog
subscribers.change_service_freeChange service without chargingA
subscribers.change_expiryEdit expiry date directlyA
subscribers.change_service_moneyCharge money for service changeA, R
subscribers.change_service_money_allCharge money for any service changeA
subscribers.change_bulkBulk-change operationsAChange Bulk page

Lifecycle actions

Section titled “Lifecycle actions”
PermissionDescriptionTypicalGates
subscribers.renewRenew subscriber expiryA, R, SRenew button
subscribers.renew_allRenew any subscriberA
subscribers.add_daysAdd days to expiryA, R, SAdd Days dialog
subscribers.add_days_allAdd days to any subscriberA
subscribers.add_days_overdueAdd days when subscriber is past dueA
subscribers.add_days_overdue_allSame, system-wideA
subscribers.inactivateActivate / deactivate subscribersA, R, SInactivate toggle
subscribers.inactivate_allActivate / deactivate anyA
subscribers.disconnectDisconnect active session (CoA)A, R, SDisconnect button
subscribers.disconnect_allDisconnect any sessionA

Delete

Section titled “Delete”
PermissionDescriptionTypicalGates
subscribers.deleteDelete subscribers (own)A, RDelete button
subscribers.delete_allDelete any subscriberA
subscribers.delete_expiredDelete only expired onesA, R”Delete Expired” bulk option
subscribers.delete_all_expiredDelete any expired subscriberA
subscribers.restoreRestore archived subscribersAArchived → Restore
subscribers.allow_refundPermit refund on deletionADelete dialog
subscribers.refund_no_moneyStop connection without refundA
subscribers.refund_no_money_allSame, system-wideA

Quota / FUP / MAC

Section titled “Quota / FUP / MAC”
PermissionDescriptionTypicalGates
subscribers.reset_fupReset FUP daily countersA, R, SReset FUP button
subscribers.reset_fup_allReset FUP for any subscriberA
subscribers.refill_quotaRefill monthly quotaA, R
subscribers.refill_quota_allRefill quota for anyA
subscribers.reset_macReset MAC bindingA, R, SReset MAC button
subscribers.reset_mac_allReset MAC for anyA
subscribers.unbind_macPermanently unbind MACA
subscribers.queue_quotaUse queue-based quota countersA

Tools

Section titled “Tools”
PermissionDescriptionTypicalGates
subscribers.pingPing a subscriberA, R, SPing icon
subscribers.ping_allPing any subscriberA
subscribers.torchView live torch trafficATorch icon
subscribers.port_checkCheck subscriber’s port (WAN test)A
subscribers.wan_checkSkip / recheck WAN managementA
subscribers.bandwidth_rulesManage subscriber-level bandwidth rulesA, RBandwidth Rules section in edit

Bulk / import / export

Section titled “Bulk / import / export”
PermissionDescriptionTypicalGates
subscribers.bulk_importBulk import from CSVA, RBulk Import page
subscribers.bulk_addAdmin bulk addA
subscribers.bulk_updateBulk update fieldsA
subscribers.bulk_actionRun bulk actions (renew / disconnect / etc.)A, RBulk Action menu
subscribers.exportExport own subscribersA, RExport button
subscribers.export_allExport all subscribersA, RO
subscribers.autorechargeConfigure auto-recharge per userA, RAuto-recharge toggle

services (4)

Section titled “services (4)”
PermissionDescriptionTypicalGates
services.viewView / list servicesA, R, S, C, ROServices page
services.createCreate servicesAAdd Service button
services.editEdit servicesAService edit form
services.deleteDelete servicesAService delete button

Resellers see Services in read-only mode by default. Per-reseller pricing is configured via reseller_services (separate row per reseller × service).

nas (6)

Section titled “nas (6)”
PermissionDescriptionTypicalGates
nas.viewView / list NAS devicesA, R (read-only)NAS page
nas.createCreate NAS devicesAAdd NAS button
nas.editEdit NAS devicesANAS edit form
nas.deleteDelete NAS devicesANAS delete
nas.syncSync NAS state (pools, queues, online users)ASync icon
nas.testTest NAS connection (API + RADIUS)ATest button

sessions (4)

Section titled “sessions (4)”
PermissionDescriptionTypicalGates
sessions.viewView own subscribers’ sessionsA, R, SSessions page
sessions.view_allView all sessions system-wideA, ROBypasses reseller filter
sessions.disconnectDisconnect a sessionA, R, SDisconnect action
sessions.view_historyView session history (radacct)A, R, SHistory tab

resellers (21)

Section titled “resellers (21)”

The reseller category includes both “manage other resellers” (admin perspective) and “manage sub-resellers” (reseller perspective).

PermissionDescriptionTypicalGates
resellers.viewView own / sub-resellersA, RResellers page
resellers.view_allView all resellers system-wideA
resellers.createCreate resellers / sub-resellersA, RAdd Reseller
resellers.editEdit resellers in scopeA, REdit form
resellers.edit_allEdit any resellerA
resellers.deleteDelete own / sub-resellersA, RDelete button
resellers.change_ownerReassign reseller parentA, RChange Parent dialog
resellers.change_owner_allReassign any resellerA
resellers.add_moneyTop up reseller balanceA, RAdd Money
resellers.add_money_allTop up any resellerA
resellers.withdrawWithdraw from reseller balanceA, RWithdraw
resellers.withdraw_allWithdraw from any resellerA
resellers.view_subresellersSee the sub-resellers treeA, RTree view
resellers.view_balanceView reseller balanceA, R, CBalance column
resellers.set_creditSet reseller credit limitACredit dialog
resellers.add_supportAdd / edit / list support usersA, RUsers → Support
resellers.add_collectorAdd / edit / list collector usersA, RUsers → Collectors
resellers.notificationSend notifications via user portalA, RPush Notification button
resellers.recharge_codeRecharge via voucher code API (own)A, RAPI endpoint
resellers.recharge_code_allRecharge any subscriber via voucherA
resellers.billing_addBilling-side reseller addA

invoices (7)

Section titled “invoices (7)”
PermissionDescriptionTypicalGates
invoices.viewView invoicesA, R, CInvoices page
invoices.createCreate invoicesA, RAdd Invoice
invoices.editEdit invoicesA, RInvoice edit
invoices.deleteDelete invoicesADelete button
invoices.printPrint invoices (PDF)A, R, CPrint button
invoices.emailEmail invoices to subscriberA, REmail button
invoices.mark_paidMark invoice as paid manuallyA, R, CMark Paid

prepaid (10)

Section titled “prepaid (10)”
PermissionDescriptionTypicalGates
prepaid.viewView / list prepaid cardsA, RPrepaid Cards page
prepaid.createGenerate prepaid cardsA, RGenerate button
prepaid.editUse / edit prepaid cardsA, RCard edit
prepaid.generateGenerate cards for own subscribersA, RPer-subscriber generate
prepaid.generate_allGenerate for any subscriberA
prepaid.deleteDelete prepaid cardsA, RDelete
prepaid.disableDisable cards without deletingA, RDisable toggle
prepaid.printPrint prepaid cardsA, RPrint
prepaid.exportExport prepaid cards (CSV)A, RExport
prepaid.hide_codeHide card codes from operator viewA

reports (8)

Section titled “reports (8)”
PermissionDescriptionTypicalGates
reports.viewView reports landing pageA, R, ROReports page
reports.generate_allGenerate every kind of reportA
reports.subscribersSubscriber reportsA, RSubscribers report
reports.revenueRevenue reportsA, RRevenue report
reports.servicesPer-service reportsA, RServices report
reports.usageUsage reportsA, RUsage report
reports.resellersPer-reseller reportsAResellers report
reports.exportExport any reportA, RExport button

transactions (4)

Section titled “transactions (4)”
PermissionDescriptionTypicalGates
transactions.viewView own transactionsA, R, CTransactions page
transactions.view_allView all transactionsA, ROBypasses reseller filter
transactions.createCreate transactions manuallyA
transactions.deleteDelete transactionsADelete

tickets (7)

Section titled “tickets (7)”
PermissionDescriptionTypicalGates
tickets.viewView ticketsA, R, STickets page
tickets.createCreate ticketsA, R, SNew Ticket
tickets.editEdit ticketsA, R, SEdit
tickets.deleteDelete ticketsADelete
tickets.replyReply to ticketsA, R, SReply box
tickets.assignAssign tickets to operatorsAAssign dropdown
tickets.closeClose ticketsA, R, SClose button

backups (6)

Section titled “backups (6)”
PermissionDescriptionTypicalGates
backups.viewView backups listABackups page
backups.createCreate a backupA”Backup Now”
backups.editEdit backup schedulesASchedule edit
backups.restoreRestore from a backupARestore button
backups.deleteDelete backupsADelete
backups.downloadDownload backup fileADownload

settings (3)

Section titled “settings (3)”
PermissionDescriptionTypicalGates
settings.viewView settingsASettings page
settings.editEdit settingsASave button
settings.wan_checkManage WAN management check settingsAWAN Check tab

audit / logs (2)

Section titled “audit / logs (2)”
PermissionDescriptionTypicalGates
audit.viewView audit logsA, ROAudit Logs page
logs.viewView system logs (errors, RADIUS)ALogs page

users (4)

Section titled “users (4)”

The “users” table holds admin / reseller / support / collector accounts, distinct from subscribers.

PermissionDescriptionTypicalGates
users.viewView / list usersAUsers page
users.createCreate usersAAdd User
users.editEdit usersAEdit
users.deleteDelete usersADelete

communication (4)

Section titled “communication (4)”
PermissionDescriptionTypicalGates
communication.viewView communication rulesACommunication Rules page
communication.createCreate rulesAAdd Rule
communication.editEdit rulesAEdit
communication.deleteDelete rulesADelete

bandwidth (4)

Section titled “bandwidth (4)”
PermissionDescriptionTypicalGates
bandwidth.viewView bandwidth rulesABandwidth Rules page
bandwidth.createCreate rulesAAdd Rule
bandwidth.editEdit rulesAEdit
bandwidth.deleteDelete rulesADelete

fup (2)

Section titled “fup (2)”
PermissionDescriptionTypicalGates
fup.viewView FUP countersA, RFUP Counters page
fup.resetReset FUP countersA, RReset button

sharing (3)

Section titled “sharing (3)”
PermissionDescriptionTypicalGates
sharing.viewView sharing detection resultsASharing Detection page
sharing.scanRun a manual scanAScan Now button
sharing.settingsEdit sharing detection settingsASettings tab

cdn (4)

Section titled “cdn (4)”
PermissionDescriptionTypicalGates
cdn.viewView CDN entriesACDN page
cdn.createCreate CDN entriesAAdd CDN
cdn.editEdit CDN entriesAEdit
cdn.deleteDelete CDN entriesADelete

permissions (4)

Section titled “permissions (4)”
PermissionDescriptionTypicalGates
permissions.viewView permission groupsAPermission Groups page
permissions.createCreate permission groupsAAdd Group
permissions.editEdit permission groupsAEdit
permissions.deleteDelete permission groupsADelete

customers (1)

Section titled “customers (1)”
PermissionDescriptionTypicalGates
customers.self_change_planAllow reseller to enable customer self-service plan changeA, RCustomer Portal toggle

Common preset groups

Section titled “Common preset groups”

ProxPanel doesn’t ship preset groups out of the box — admins create them per deployment. The pattern recurring across customers:

Sales (creates subscribers, can’t delete or settings)

Section titled “Sales (creates subscribers, can’t delete or settings)”
subscribers.view, subscribers.create, subscribers.edit, subscribers.renew,
subscribers.add_days, subscribers.change_service, subscribers.reset_mac,
subscribers.reset_fup, subscribers.disconnect, subscribers.ping,
services.view, sessions.view, sessions.view_history,
invoices.view, invoices.create, invoices.print, invoices.mark_paid,
prepaid.view, prepaid.generate,
transactions.view, tickets.view, tickets.reply

Support (read + troubleshoot, can’t bill)

Section titled “Support (read + troubleshoot, can’t bill)”
subscribers.view, subscribers.view_password, subscribers.view_graph,
subscribers.view_logs, subscribers.edit, subscribers.reset_mac,
subscribers.reset_fup, subscribers.disconnect, subscribers.ping,
subscribers.bandwidth_rules,
services.view, sessions.view, sessions.disconnect, sessions.view_history,
tickets.view, tickets.create, tickets.reply, tickets.close,
audit.view

Collector (cash in, nothing else)

Section titled “Collector (cash in, nothing else)”
subscribers.view, subscribers.ping,
invoices.view, invoices.print, invoices.email, invoices.mark_paid,
transactions.view,
resellers.view_balance

Read-only partner / accountant

Section titled “Read-only partner / accountant”
*.view, *.view_all, reports.*, audit.view

Schema reference

Section titled “Schema reference”
CREATE TABLE permissions (
    id SERIAL PRIMARY KEY,
    name VARCHAR(100) NOT NULL UNIQUE,
    description VARCHAR(255),
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);


CREATE TABLE permission_groups (
    id SERIAL PRIMARY KEY,
    name VARCHAR(100) NOT NULL UNIQUE,
    description VARCHAR(255),
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);


CREATE TABLE permission_group_permissions (
    permission_group_id INTEGER REFERENCES permission_groups(id) ON DELETE CASCADE,
    permission_id INTEGER REFERENCES permissions(id) ON DELETE CASCADE,
    PRIMARY KEY (permission_group_id, permission_id)
);

Permissions are seeded at install time from INSERT ... ON CONFLICT (name) DO NOTHING statements in schema.sql. Adding a new permission requires the INSERT line plus a backend handler that calls RequirePermission("category.action").

Section titled “Related pages”
  • Users — assign users to permission groups.
  • Permission Groups — create / edit groups via the UI.
  • Resellers — per-reseller permission assignment.
  • Audit Logs — see who exercised which permission and when.