Builder Suggestions: Discord Access Control
When I first made a Discord server, I was very concerned with how I would be able to limit the usage of certain permissions, specifically when getting members to moderate the community for me. At the time, permissions were very new and people were just discovering how to use them. Therefore I decided to study how the permissions work and what I can limit with them. This resulted in me humorously locking myself out of my own server a few times because that was possible back in the day (not anymore, thankfully).
After many years of just messing with Discord settings to see what I can achieve, I finally concluded that Discord’s permissions system is not perfect and suffers from some rather annoying flaws. Knowing this helped me find the best way to do Access Control in my servers, which is what I will be covering in this article.
What is Access Control within Discord?
Access Control is the selective restriction of access to a place or other resource. — Wikipedia
Within Discord, it is limiting the usage of certain options and channels via permissions. This is not limited to just permissions as a role without any permissions on the server level can still act to enforce Access Control. Furthermore, using Discord bots can help to control what your members can use by limiting certain actions behind having a specific role. These are the two types of Access Control that I will cover along with the pros and cons of using them. I will also explain my recommendations on the best setup and bots to use.
Note: To make effective use of the information provided in this article I recommend having knowledge of how roles and permissions work. Our Understanding Discord articles are a great place to start.
Access Control using Discord’s Permissions
With great power comes great responsibility. Permissions are great because they are accessible and assignable to roles through Discord’s UI under the “Roles” server menu. However, we are restricted to what Discord has tied to their permissions and that can sometimes lead to unintended side-effects.
For instance, I did not realize the implications of giving the Manage Messages permission at the server level when I first started learning about permissions. I quickly realized my mistake when one of my moderators accidentally deleted my rules message in my info channel. I was quite upset at the situation, but only had myself to blame for the mistake. I immediately revoked the permission on the server level, and then set Manage Messages for my moderator role on the channels I wanted them to manage. Overtime, I have determined which permissions to give and where to give them.
Making use of Discord’s permissions is done by setting setting them on roles in such a way as to give or remove access to specific options or parts of the server. I will first cover the pros and cons of this method and then follow up with my recommended settings.
- Managing channels and messages can be controlled on multiple levels.
- Does not require any Discord Bots to achieve the desired outcome.
- Usually only requires a one-time setup.
- Requires very few roles to achieve desired outcome.
- Almost all moderation bots support permissions.
- Does not give much control for server managing permissions, kick or ban.
- Many permissions give access to multiple options. (e.g. Move Members permission giving access to disconnect a user from a voice channel)
- Requires knowledge of each Discord permission and all the actions they allow, sometimes not explicitly said in the UI. (e.g. Kick Members allows Pruning)
- Very reliant on Role Hierarchy and Permission Levels to work effectively.
As you can see, using permissions on roles is both powerful and flawed at the same time. It only works well for specific permissions and is deceptively complicated to function the way you want it to without any unintended side effects. Even with its faults, you will need permissions when giving members any sort of management rights.
My Recommendations for Access Control using Permissions
Before jumping into my setup, I recommend you use a test server with extra Discord accounts to test it. Never edit permissions on a Discord server without being sure of what you want to do. In my explanations, I will be referring to three types of roles to describe where I set something. These types are:
- Administrative: roles that perform all the same actions as the server owner without having the Administrator permission.
- Management: roles that manage specific aspects of the server but not as much as Administrators would.
- Moderation: roles that manage members directly through moderation actions.
The biggest part of why you would need PBAC is the Management permissions. Specifically Manage Server, Manage Roles, Manage Channels, Manage Nicknames, Manage Emojis, Manage Webhooks, and Manage Messages. These permissions are usually set via Server, Category, or Channel settings as not many Discord bots out there offer alternative methods to manage them.
- Manage Server — This can only be set on the server level. I recommend not giving it to any roles that will not be managing the server settings directly. This permission will allow members to add bots to the server. I usually give this to Administrative roles.
- Manage Roles — This can only be set on the server level. This permission is dependent on Role Hierarchy, roles may only assign roles below them in the server’s settings. I usually limit this permission to Management roles or higher depending on what I need the members in the role to do. Most of the time no one in my community will have this permission, because I automate a large amount of my role related functions using bots.
- Manage Channels — I recommend to set this permission by channel or category, as it allows members in the role to edit, move, or delete channels and categories. Do not set this for channels that are extremely important such as a Rules and Information channel. I usually limit this to Management roles or higher depending on what the members in the role need to do in my server.
- Manage Nicknames — This can only be set on the server level and is dependent on Role Hierarchy. I recommend giving this to Moderation roles or higher. This is one of the less used permissions as generally a moderator will directly contact members with incorrect usernames or nicknames. There are also public bots that automatically rename members in your server when it contains certain words or symbols.
- Manage Emojis — This can only set on server level. I almost never give this permission to anyone as I prefer having control over my server emojis; but if I do give it to a role, it will be an Administrative one.
- Manage Webhooks — This is a permission that can be quite dangerous if not managed correctly as it gives access to sending automated messages into a channel using external means (such as a webhook creation site similar to Dishook)For that reason, it should only be given on the channels where webhooks are meant to be sent. Furthermore, I recommend giving this permission only to Administrative roles.
- Manage Messages — This is a very important permission as it allows anyone with it to delete or pin messages of other members, but that also makes it a very dangerous. I always recommend this permission to be set at the channel or category level to avoid accidental deletion of anything important. This is a moderation tool and as such can be given to Moderation roles or higher.
All other permissions I set by what is needed at the time, but I prefer using bots for permissions related to kicking, banning, and muting users. I rarely give these permissions to any roles unless they are Administrative, and only to have a backup for when a bot I am using is suffering some downtime. Permissions I give on voice channels to Moderation roles are Mute Member and Deafen Member since not all bots handle this type of moderation well. However, some of the bot I will be recommending later in this article is able to Mute, Move, and Deafen members in voice.
Access Control using Discord Bots
At the core of Access Control within Discord is Role Based Access Control (RBAC), because you need roles to give members permissions (except for in the case of user-specific overrides on channels). This means that when you use these permissions, you are using RBAC. In this section I will explain using RBAC with a Discord bot to enforce a form of Access Control.
As I spent more time using Discord and running communities, I realized that Discord permissions are not perfect which allowed me to warm up to the idea of using Discord bots. When combining RBAC with Discord bots that have support for role-based settings, you gain a powerful tool in your arsenal. It allows you to take control of what a member can do without ever giving them the permission to do so. This is also its greatest flaw as it is highly reliant on bots that support it.
Let us take a closer look at the Pros and Cons of RBAC using Discord bots:
- RBAC settings on a bot give you control on a granular level as Discord permissions do not need to be on the role.
- Roles are already a core part of a Discord server, so you need not do any more setup past making the role and moving it where you want it.
- The position of the role does not matter unless the Discord bot has its own way of enforcing the role hierarchy.
- A Discord bot that has RBAC support is required, which either means having access to a developer or using a public bot.
- Finding a Discord bot that supports complete RBAC is harder than one that simply supports specific permissions set on a role.
It’s clear that this type of RBAC requires a bot, but have no fear because I have recommendations that can help you find bots that have their own RBAC support.
My Recommendations for RBAC
I will start this off by saying that everyone has his or her preferred Discord bots and there is nothing wrong with that. I by no means recommend these bots as the best of all bots since I am aware there are other bots out there with good RBAC support. My suggestion is to try out any bot you are unfamiliar with on a test server before bringing it to your community.
First, let’s look at the bots that can help with managing your server through commands for kicking, banning, and text muting users. These bots support in-depth role settings on every single command and they are not just for moderation as they have commands for managing other parts of a Discord server as well like roles.
Dyno —This is my go-to moderation and action log bot. It has a generally easy to understand dashboard where you can change all kinds of settings and control which roles can use which commands. My only dislike is that it does not offer as many methods of managing a server as another bot in this list, but I still recommend this to anyone who is new to Discord bots.
Carl-bot —An extremely powerful all-purpose bot with many settings for fine-tuning how members use your server. Carl can replace many other bots in a server, but that is where the issues I have with it comes in. The dashboard is quite overwhelming to a new user and does not feel user-friendly; but if you are looking for the ultimate role settings, then this bot has it and more.
ProBot — A bot I only recently started using a lot, but one I can highly recommend. It offers role settings on commands just like the other bots in this list,but has one of the most user-friendly dashboards around. It is also not just a moderation and action log bot as it has a leveling system as well. The only things it does not have is custom commands and ways to manage self-assignable roles, which is something power users might need.
These bots offer their own RBAC systems to help manage who can use them and how they can be used, such as blocking commands in channels through the bot rather than Discord permissions. Moderation is not the only thing that RBAC can help with though. Let us look at two of my most favorite bots that offer these options.
Statbot —The most powerful Discord server statistics bot. It allows you to control who can see what stats, what channels and categories commands can be used in, and RBAC for each individual setting.
AmariBot — My most favorite leveling bot and possibly the easiest to use bot on this list. There is no dashboard as everything can be done by commands, but the commands are all easy to use. The way AmariBot does RBAC is by requiring a role called “AmariMod” to change any settings. Until recently, this was the only way you could change settings, but it now supports Server Owner and Administrator as well.
All these bots are great options for any community and keeps the control in your hands. They also offer many tools that can help you manage your community and make things a bit more fun for your members.
My Final Recommendation
In the end, a Discord bot cannot replace Discord permissions, but it can augment them by using roles to control access even further without giving possibly harmful permissions to a user. My biggest suggestion to anyone who asks me about Access Control is to use every tool available to you. Take the multi-layered settings of permissions for direct channel-by-channel control and combine it with the fine-tuning options available with Discord bots that support role settings. By finding the perfect setup for your community, you will have mastered securing your community.
If you liked this article and publication, please consider leaving a 👏 applaud. It will let our authors know that you found this kind of information worthwhile.
If you want to continue discussing this article and other ideas in this blog or related topics, join the Community Builders on Discord where community discussions are occurring!
Our blog is sponsored by Statbot, the premier statistics and analytics Discord bot and dashboard for your community. It is an absolute must-have for any server that is serious about its growth and well-being. When a server has Statbot in it, you know it’s aiming to be the best of its kind! Statbot tracks member count, messages, minutes spent in voice, activity, and statuses. It offers many ways to view and use this data to help grow your community, such as, automatic role assignment according to users activity in your Discord server (A.K.A. Statroles), and channel counters that allow you to display all kinds of stats about your community to others as a channel (A.K.A. Statdocks). If you run a Discord server we highly recommend getting Statbot to help track your growth and augment your community.
Have ideas for content you’d like to see on the blog? Make a suggestion!
Think you have what it takes to write for CBB? We’re hiring authors! If you are interested, please fill out this application and join the Statbot Discord server where blog operations are based. We look forward to seeing you!