Permission Simulator

Test RBAC permission decisions safely without affecting real users. The Simulator shows exactly how SYNTHET evaluates a user's capabilities, helping you understand and debug your permission policy.

What is the Permission Simulator?

The Simulator is a safe sandbox environment for testing permission checks. You can:

Test Permission Decisions

Enter a user ID and capability to see if SYNTHET would ALLOW or DENY. No actual action is taken.

Debug Permission Issues

When a user reports "I can't do X", use the Simulator to understand why. See the exact decision path and reason code.

Validate Policy Changes

Before granting a new role permissions, simulate what they would be able to do. Catch mistakes before they affect real users.

Test Overrides

Before creating a user override, test it in the Simulator to ensure it has the intended effect.

Key Point: The Simulator is completely safe. It shows what would happen, but doesn't actually grant or deny anything.

How to Use the Simulator

Access the Simulator from the RBAC Dashboard:

1. Navigate to Simulator Tab

Go to RBAC Dashboard → Simulator tab

2. Enter User ID

Enter the Discord user you want to test in the input field. You can use a username or a user ID (shown after @).

Example: 123456789012345678 or @username

3. Select Capability

Use the searchable dropdown (SearchableSelect) to choose the capability to test. It shows each capability's risk tier and description.

Example: moderation.ban, economy.admin, rbac.manage

4. Set Scope (Optional)

Optional selector for scope (GUILD, CATEGORY, or CHANNEL). If testing a scoped capability:

  • Leave blank for GUILD-wide scope (default)
  • Select CATEGORY: Choose a category to test
  • Select CHANNEL: Choose a channel to test

5. Run Simulation

Click the green "Simulate" button. SYNTHET evaluates the permission without changing anything.

Understanding Simulation Results

The Simulator shows detailed decision information:

Final Decision

A large badge at the top shows ALLOW or DENY.

This is the same decision SYNTHET would make if the user actually tried this action.

Reason Code

Explains why the decision was made (e.g., RBAC_GRANT_ALLOW, OVERRIDE_DENY, ADMIN_BYPASS, DEFAULT_PUBLIC). Same codes as in audit logs.

Actor Information

Shows the test user's current state:

  • Discord roles they have (listed with colors)
  • Whether they're server admin
  • Whether they're server owner
  • Any active overrides for this capability

Resource Information

Shows what resource was being tested (GUILD, specific CATEGORY, or specific CHANNEL).

Decision Path

Step-by-step breakdown of how SYNTHET evaluated the permission:

  1. Checked overrides first: found or not found
  2. Checked admin bypass: eligible or not
  3. Evaluated grants by role priority (highest first)
  4. Checked default public setting
  5. Final decision

Grant Evaluation Details

For each role checked, shows:

  • Role name and priority
  • Does it have a grant for this capability? Yes/No
  • If yes, is it ALLOW or DENY?
  • Scope of grant (GUILD, CATEGORY, CHANNEL)
  • Whether grant applies to tested scope
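
The decision path and per-role grant checks described above, modelled as an added Python example. This is not SYNTHET's code: the data shapes, the scope-matching rule, the first-applicable-grant-wins rule and the reason code RBAC_GRANT_DENY are assumptions; the step order and the other reason codes come from this page.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed data shapes for illustration; only the step order and the reason
# codes (except RBAC_GRANT_DENY, an assumed name) are taken from the page.
@dataclass
class Grant:
    capability: str
    effect: str                    # "ALLOW" or "DENY"
    scope: str = "GUILD"           # GUILD, CATEGORY or CHANNEL
    target: Optional[str] = None   # category/channel id for scoped grants

@dataclass
class Role:
    name: str
    priority: int
    grants: list = field(default_factory=list)

@dataclass
class Actor:
    roles: list
    is_admin: bool = False
    overrides: dict = field(default_factory=dict)  # capability -> "ALLOW"/"DENY"

def applies(grant, scope, target):
    # Assumption: a GUILD grant covers every tested scope; a scoped grant
    # must match the tested scope and target exactly.
    return grant.scope == "GUILD" or (grant.scope == scope and grant.target == target)

def simulate(actor, capability, policy, scope="GUILD", target=None):
    path = []                                   # human-readable decision path
    ov = actor.overrides.get(capability)        # 1. overrides first
    path.append(f"override: {ov or 'not found'}")
    if ov:
        return ov, f"OVERRIDE_{ov}", path
    bypass = policy["admin_bypass"] and actor.is_admin   # 2. admin bypass
    path.append(f"admin bypass: {'eligible' if bypass else 'not eligible'}")
    if bypass:
        return "ALLOW", "ADMIN_BYPASS", path
    for role in sorted(actor.roles, key=lambda r: r.priority, reverse=True):  # 3.
        for g in role.grants:
            if g.capability == capability and applies(g, scope, target):
                path.append(f"grant: {role.name} {g.effect} ({g.scope})")
                return g.effect, f"RBAC_GRANT_{g.effect}", path
        path.append(f"grant: {role.name} none")
    public = capability in policy["default_public"]      # 4. default public
    path.append(f"default public: {public}")
    return ("ALLOW", "DEFAULT_PUBLIC", path) if public else ("DENY", "NO_GRANT", path)
```

In this model a DENY override on an admin still returns OVERRIDE_DENY, because overrides are checked before admin bypass; the returned path list mirrors what the Decision Path panel lets you verify.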

Example Simulation Scenarios

Common situations where the Simulator is helpful:

Scenario: User reports "I can't ban people"

How to debug:

  1. Simulate: Enter user ID + capability "moderation.ban"
  2. Result shows DENY. Reason code "NO_GRANT"
  3. Check decision path: Their role (e.g., Moderator) has no "moderation.ban" grant
  4. Go to Roles tab, expand Moderator, add "moderation.ban" grant
  5. Re-simulate to confirm it now shows ALLOW

Scenario: Testing a new grant before applying

Workflow:

  1. You want to give Moderator role "economy.adjust_balance" capability
  2. Test with Simulator first: User with Moderator role + "economy.adjust_balance"
  3. Currently shows DENY (no grant yet). Verify this is correct.
  4. Add grant to Moderator role for "economy.adjust_balance"
  5. Re-simulate: Now shows ALLOW
  6. Confirmed safe. Apply to production.

Scenario: Checking if override will work

Workflow:

  1. You want to give Alice temporary RBAC management capability
  2. Simulate: Alice + "rbac.manage" → Currently shows DENY
  3. Create override: ALLOW "rbac.manage" for Alice, 24-hour expiry
  4. Re-simulate: Now shows ALLOW, reason "OVERRIDE_ALLOW"
  5. Confirmed. Tell Alice she can now manage RBAC until tomorrow.

Scenario: Checking admin bypass behavior

Workflow:

  1. Admin bypass is enabled in your policy
  2. Simulate: Admin user + any capability
  3. Result shows ALLOW, reason "ADMIN_BYPASS"
  4. Now disable admin bypass in Setup tab
  5. Re-simulate: Same admin, now shows result based on actual grants

Simulator Tips & Tricks

Make the most of the Simulator tool:

Batch Testing

Test multiple users/capabilities in succession. Good for validating grants before applying to production.

Decision Path Analysis

When result is unexpected, carefully review the decision path. Often reveals misconfigured grants or priority issues.

Test Edge Cases

Test with different scopes (GUILD vs specific CHANNEL) to ensure scoped grants work correctly.

Test Bot Permissions

Use Simulator to check what bots can do. Ensure they only have necessary capabilities.

Simulate After Changes

Always re-simulate key tests after changing policy. Confirms changes had intended effect.

Pro Tip: Create a "test user" Discord account for regular testing in the Simulator. Use this account to validate policy changes safely.

Simulator Limitations & Notes

It is important to understand what the Simulator does and doesn't do:

No Side Effects

Simulator only shows what would happen. It doesn't actually grant permissions or perform actions. Completely safe.

Uses Current Policy

Simulator evaluates against your current policy. If you've made unsaved changes to grants, Simulator uses the saved version.

Real User Data

When you enter a user ID, Simulator fetches their real Discord roles and data. Results reflect actual user state.

No Time-Based Overrides

The Simulator evaluates at the moment you run it. Time-limited overrides are evaluated as if they're running right now, so the result may show DENY if an override has already expired.

Important: Simulator is a tool for testing policy logic, not for predicting real-world behavior. Always check the audit logs after deploying policy changes to confirm actual behavior matches expectations.

Best Practices for Using Simulator

  1. Test before deploying: Always simulate critical grants before applying to production roles
  2. Test key roles: Regularly simulate permissions for your main roles (Moderator, Admin, Bot)
  3. Document test cases: Keep notes on what you tested and expected results
  4. Test with real users: When debugging user issues, simulate their exact setup
  5. Verify after changes: After any policy change, re-simulate critical scenarios
  6. Cross-check with audit logs: Compare Simulator results with actual audit logs to validate behavior