User Roles

User roles are a collection of permissions that can be assigned to individual users using the symflow CLI.


The three user roles available at Sym are:

  • admin
  • member
  • guest

To check your role from Slack, run /sym whoami:

User creation defaults

  • Users in your primary domain, or whose email domains have been added via symflow will be created with member roles.
  • Users in your Slack Workspace who do not share your primary domain and whose email domains have not been added via symflow will be created with guest roles
  • Users must be explicitly granted admin privileges by other Admins


For more information about Roles and Domains, see Working With Multiple User Domains

Role details

admin Role

The admin role enables a User to interact fully with the symflow CLI, including:

  • Full CRUD for Services, Users, Resources, and Domains
  • Setting Roles for other Users (e.g. creating other admin Users)
  • Applying Terraform to update an Organization's Sym configuration.

In addition, admin Users can initiate requests from Slack or the Sym API, and can always interact with the approval dialog in Slack.

This role is usually held by the implementer, who will need to push Sym configuration changes via terraform apply.

member Role

The member role lets users make access requests, and allows them to interact with the approval dialog in Slack if the get_permissions Reducer is configured to allow it. Members cannot run terraform apply, or change configurations via symflow CLI.

This role is usually held by team members who need to make access requests and/or approve access requests made by other team members.

guest Role

The guest role conditionally lets users interact with the approval dialog in Slack. By default, guests are not allowed to interact with the approval dialog. Guests can never initiate an access request.

This behavior can be controlled by the get_permissions Reducer, where guests can be given permission to approve, deny, or revoke requests. When permission is not explicitly granted, guests' clicks will be ignored, and they will receive a DM explaining why.

Permissions table

terraform apply configuration changesX
Make access requestsXX
Approve/Deny/Revoke access in approval dialogXX (conditionally)X (conditionally)
Change other users' rolesX