Overrides

Permission Overrides

Grant or deny specific capabilities to individual users independent of their roles. Perfect for temporary access elevation, emergency permissions, or user-specific restrictions.

What are Permission Overrides?

Overrides are user-specific permission exceptions that bypass role-based grants. They allow you to:

Grant Temporary Access

Give a user higher permissions temporarily without changing their role. After the time period expires, permissions revert automatically.

Emergency Access

During incidents, quickly grant a trusted user elevated capabilities without modifying the entire permission policy.

User-Specific Restrictions

Deny specific capabilities to a user even if their roles normally allow it. Useful for probation or limiting compromised accounts.

Scoped Exemptions

Allow a user to perform an action in a specific channel only. Override applies only to that scope, not server-wide.

Overrides vs Grants: When to Use Each

Understand the difference to use the right approach:

Use Grants When...

  • Permission is needed by multiple users with the same role
  • Permission should be permanent for the role
  • You're building your permission policy structure

Use Overrides When...

  • Permission is needed by one specific user only
  • Permission should be temporary (e.g., 24 hours)
  • You need emergency or one-time access

Summary: Grants define your policy (permanent, role-based). Overrides handle exceptions (temporary, user-specific).

Creating an Override

Follow this process to grant or restrict a user's capability:

1.Navigate to Overrides Tab

Go to RBAC Dashboard → Overrides tab

2.Click "Create Override"

Green button at top of Overrides tab

3.Select User

Searchable dropdown (SearchableSelect) to find the user by username, display name, or user ID. Shows member count and join date for verification.

4.Choose Capability

Searchable dropdown to select the capability you're overriding. Shows risk tier and description.

Tip: Only override capabilities the user doesn't already have via grants.

5.Select Effect

Radio buttons for ALLOW or DENY:

  • ALLOW: User can perform this capability despite role restrictions
  • DENY: User cannot perform this capability even if role allows

6.Set Scope (Optional)

Dropdown to limit override to specific scope:

  • GUILD: Override applies server-wide
  • CATEGORY: Override applies to specific category only
  • CHANNEL: Override applies to specific channel only

7.Set Expiry (Optional)

DateTime picker to set when the override automatically expires.

Leave blank for permanent override. Set date/time for auto-expiry.

8.Add Reason (Optional)

Text field to document why this override exists. Useful for audit trail and future reference.

9.Submit

Click green "Create Override" button. Override takes effect immediately.

Time-Limited Overrides

Set overrides to automatically expire, useful for temporary access elevation:

Setting Expiry

When creating or editing an override, use the "Expires At" field (datetime picker):

  • Click to open calendar and time selector
  • Set the exact moment you want the override to expire
  • Leave blank for never-expiring (permanent) override

Auto-Expiry

When the expiry time arrives, SYNTHET automatically:

  • Marks the override as "expired"
  • Removes the capability grant from the user
  • Logs the expiry in the audit trail

Expiry Badges

In the Overrides list, time-limited overrides show visual indicators:

  • Green badge: Expires in more than 24 hours
  • Yellow badge: Expires in 1-24 hours
  • Red badge: Expired or expiring within 1 hour
  • Gray badge: Permanent (no expiry)

Tip: Use 24-hour expiry for temporary emergency access. Set to next maintenance window for access needed during specific time periods.

Override List & Management

View and manage all active overrides in the Overrides tab:

Override Table

Displays all overrides with columns:

  • User: Username and user ID
  • Capability: Which capability is overridden
  • Effect: ALLOW (green) or DENY (red)
  • Scope: GUILD, CATEGORY, or CHANNEL
  • Expires: Expiry time with badge indicator
  • Reason: Brief description if provided

Filtering & Searching

Search overrides by user name, capability, or status (active, expired).

Edit Override

Click an override row to expand and edit. Can modify effect, scope, expiry, or reason. Changes take effect immediately.

Remove Override

Click "X" or "Remove" button next to override. Removal is logged in audit trail with timestamp.

Expired Overrides

Expired overrides are shown separately (with gray/crossed out styling) but retained in history. You can:

  • Reactivate expired override by editing and setting new expiry
  • Delete to remove from list entirely
  • View in audit log for historical reference

Override Audit Trail

Every override action is logged for security and compliance:

What Gets Logged

For each override action:

  • User who created/modified the override
  • Target user (who the override applies to)
  • Capability being overridden
  • Effect (ALLOW/DENY)
  • Scope and any scope-specific details
  • Expiry time (if applicable)
  • Reason provided
  • Action (created, modified, expired, deleted)
  • Exact timestamp

Viewing Audit Logs

Go to RBAC Dashboard → Audit tab. Filter by "Override" action type to see all override changes. Search by user to see all overrides granted to/by a specific user.

Best Practice: Always add a clear reason when creating overrides. Makes audit logs useful for future review.

Common Override Use Cases

Examples of when to use overrides:

Emergency Admin Access

During a server incident (massive raid, attack, etc.):

Grant a trusted member temporary RBAC management capabilities with 2-hour expiry. After incident resolution, override automatically expires.

Temporary Channel Manager

A member needs to manage a specific event channel (#event-2024):

Grant "moderation.manage_channel" override scoped to #event-2024 with expiry at end of event. Regular mods don't have this capability.

User Probation

A member was caught abusing a permission:

Grant DENY override for that capability with 7-day expiry. After probation, override expires and they regain the capability.

Bot Hotfix Access

Your bot malfunctioned and needs manual intervention:

Grant a developer ALLOW override for "bot.restart" until the issue is fixed, then remove. More granular than giving full bot admin rights.

New Admin Onboarding

A new admin is being trained:

Grant "rbac.manage" override for 7 days so they can configure permissions during training. Expires automatically after training period.

Override Best Practices

  • 1.Always provide a reason: Document why the override exists for future auditing
  • 2.Use expiry dates: Don't create permanent overrides unless absolutely necessary. Temporary is safer.
  • 3.Scope narrowly: Override for a specific channel/category when possible, not GUILD-wide
  • 4.Use overrides sparingly: If you're creating many overrides for a role, consider creating a proper role grant instead
  • 5.Review regularly: Check active overrides monthly. Remove obsolete ones.
  • 6.Monitor audit logs: Check who created overrides and for what reasons regularly
  • 7.Alert on high-risk overrides: CRITICAL capability overrides should have explicit documentation and approval
  • 8.Prefer DENY for probation: Denying a capability is safer than allowing during probation periods
← Roles & GrantsCapability Catalog →