default role is applied automatically.
Endpoints
How roles work
- Roles are app-wide — they apply to a user across all groups and conversations.
- You can restrict specific features per role (e.g., prevent certain roles from sending attachments or creating groups).
- For fine-grained, role-based permission control, see RBAC (Role-Based Access Control).
Roles vs. Group Member Scopes
CometChat uses two layers of access control:
When a user joins a group, they are assigned one of three scopes:
For group operations, both RBAC and SBAC permissions must allow the action. A user’s role is checked first (app-wide), then their group scope is checked (group-level). If either denies the action, the API returns
ERR_PERMISSION_DENIED.
For the full list of scope-based permissions, see SBAC (Scope-Based Access Control).
Relationships
- Users — Each User has one role. Change it via the Update User API.
- Group Members — Each member in a Group has a scope (
admin,moderator, orparticipant). Change it via the Update Group Member Scope API. - Restrict Features — Use the Restrict Features API to limit what users with a specific role can do.
- RBAC — App-wide permissions per role. See RBAC.
- SBAC — Group-level permissions per scope. See SBAC.
Role properties
Error handling
For the complete list of error codes, see Error Guide.
For all system limits (role caps, ID length, metadata, etc.), see Properties and Constraints.