When creating your own Discord server, you have probably had to create your own roles and assign permissions to them. Sometimes, however, the permissions and roles just don’t seem to work as they are supposed to: the ‘muted’ role isn’t muting the user (although this has mostly been resolved with Discord officially introducing the Timeout system), or channel permissions don’t quite line up with all the roles that should have access. These are fairly common frustrations that server owners have to deal with.
This guide will explain the permission system and how to effectively assign these privileges to roles. By the end of this article, you will not only know the how, but also the why behind each setting.
Roles & Permissions
In order to understand the admittedly complex interactions between roles and permissions, we need to understand what each of them is.
Roles:
In essence, roles are a named title system that acts like a keycard system, giving different levels of access to the users who hold them. They also provide a helpful visual hierarchy on the Member List tab on the right.
Their primary function is to define what a user is and is not allowed to do on your server. A “Moderator” role, for instance, will have the permission to delete messages and timeout users, while a standard member role will likely only have permissions to view chats, send messages or images and react.
Beyond function, they have distinct visual attributes that can shape how your community works.
- Color: Each role can have a color. A member’s username will adopt the color of the highest-ranking role they have. Recently, Discord updated this for boosted servers and the role color can now be a gradient of two colors.
- Sections: Members with certain roles can be displayed separately from other online members, or even from other roles, in their own sections on the Member List.

A well-designed role structure can do more than just control actions; it builds your community’s identity.
Permissions:
Permissions are the specific privileges that are granted through roles. They are individual toggles for most actions that can be performed on a server. Discord’s permission system is quite layered: permissions can be set broadly server-wide via roles, then overridden with specific rules for each channel, and special permissions can still be given to specific users on top of that (not recommended). This flexibility is very convenient, for example when granting a role the “Send Messages” permission in every channel except an #announcements channel.
Keep in mind that the server creator inherently possesses all permissions regardless of roles. The Administrator permission is the closest equivalent if you are trying to give high authority to multiple people on your server.
The “@everyone” Role:
Every server has a special universal role called “@everyone”. This is automatically assigned to every member the moment they join. It functions as a baseline for the permission system, and it usually has some basic permissions like sending messages and uploading images.
There are two ways to configure this role:
- Additive: The “@everyone” role is given minimal to no permissions. New roles are created to progressively add permissions, for example a “Verified Member” role that expressly grants the ability to chat. This is a good approach for a private server setup, such as one with just you and your friends.
- Subtractive: The “@everyone” role is granted general permissions. Administrators then use channel-level overrides to subtract permissions, such as denying Send Messages in #announcements or removing access to Moderator-only channels. This is a better option for community servers where members are able to freely join. Be careful when managing permissions with this approach, however.
The choice between these two approaches will depend on the type of server you are trying to make: a more accessible server or a more secure one.
The Hierarchy
This is the most confusing part of server management: there are layers of control that decide the permissions for Members.
Three Layers of Control:
Permissions are applied in three distinct layers:
- Server Level Permissions: The broad layer, set in Server Settings > Roles. A user’s total server level permissions are the sum of all permissions granted by all roles they possess.
- Category Level Permissions: Categories are like folders for channels. All synced channels inside the category inherit the permissions assigned to the category. This allows for efficient management of sections of your server.
- Channel Level Permissions: This is the most granular layer. These permissions override all existing permissions and are set directly for each individual channel. They will always take precedence over conflicting permissions set at category or server level.
Override System:
At the category and channel levels, permissions have three states:

- Red X (Deny): An explicit denial. This permission is forcefully turned off for this role in this channel.
- Green Check (Allow): An explicit grant. This permission is forcefully turned on for this role in this channel.
- Grey Slash (Neutral): This is the most misunderstood state. It does not mean it will automatically use the server level permission. It means that it will look up the inheritance ladder for an opinion. So at channel level, it will look to the category level. At category level, it will look to the server level.
Role Hierarchy Myth:
A common and persistent myth is that the visual order of the roles in either Server Settings or on the Member List dictates their power or hierarchy in every situation. Not necessarily. For most channel permissions like View Channel, Send Messages, etc, the visual role hierarchy is irrelevant to the final outcome.
Permission Calculation Order:
When deciding a user’s permission level, Discord follows this sequence. The first step on the list that yields an opinion on whether to allow or deny ends the process.
- User Specific Permissions: First, it checks for an override applied directly to the user, not any role, for that channel. If one exists, that is used.
- Channel Specific Role Permissions: If not, all of the user’s roles are examined. If any role has an explicit allow or deny for that permission on that channel, that is used.
- @everyone Permissions: If all of the user’s roles have grey slashes at the channel or category level, Discord checks the @everyone permissions for that channel.
- Server Level Permissions: If all channel level, category level and @everyone permissions are set to neutral, it falls back to the user’s server-level permissions (sum of all their roles).
This order can be used to explain the classic “Muted Role” Problem. A “Muted” role that only denies Send Messages on the server level will usually not work, because the user’s Member role still grants it at the server level. The solution is to explicitly deny permissions at the channel or category level.
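The calculation order above and the “Muted Role” problem, as an added example that is not part of the original guide or Discord's own code. The `Channel` class, `resolve` function and sample server are hypothetical, category overrides are assumed to be already synced into the channel, and the tie-break between two roles that disagree (which the list above does not state) follows Discord's developer documentation, where an explicit allow on one role wins over a deny on another.

```python
from dataclasses import dataclass, field

ALLOW, DENY = "allow", "deny"  # an absent entry is the neutral grey slash

@dataclass
class Channel:
    # Overrides shaped like {"Muted": {"Send Messages": DENY}}
    role_overrides: dict = field(default_factory=dict)
    user_overrides: dict = field(default_factory=dict)

def resolve(perm, user, roles, grants, channel, is_owner=False):
    """Return (allowed, deciding_layer) for one permission in one channel.

    roles excludes "@everyone"; grants maps role name -> set of permissions
    granted in Server Settings > Roles.
    """
    held = ["@everyone", *roles]
    server_level = set().union(*(grants.get(r, set()) for r in held))
    # The owner and Administrator bypass every channel override.
    if is_owner or "Administrator" in server_level:
        return True, "owner/administrator"
    # 1. Override applied directly to the user.
    state = channel.user_overrides.get(user, {}).get(perm)
    if state:
        return state == ALLOW, "user override"
    # 2. Overrides on the user's roles; allow beats deny (assumed tie-break).
    states = {channel.role_overrides.get(r, {}).get(perm) for r in roles}
    if ALLOW in states:
        return True, "role override"
    if DENY in states:
        return False, "role override"
    # 3. The channel's @everyone override.
    state = channel.role_overrides.get("@everyone", {}).get(perm)
    if state:
        return state == ALLOW, "@everyone override"
    # 4. Fall back to the sum of the server-level role permissions.
    return perm in server_level, "server level"

# Constructed sample server: Member grants Send Messages, Muted grants nothing.
GRANTS = {"@everyone": {"View Channel"}, "Member": {"Send Messages"}, "Muted": set()}
ROLES = ["Member", "Muted"]
broken = Channel()  # Muted exists only at server level, no channel override
fixed = Channel(role_overrides={"Muted": {"Send Messages": DENY}})
clash = Channel(role_overrides={"Muted": {"Send Messages": DENY},
                                "Member": {"Send Messages": ALLOW}})

if __name__ == "__main__":
    for name, ch in [("broken", broken), ("fixed", fixed), ("clash", clash)]:
        print(name, resolve("Send Messages", "alice", ROLES, GRANTS, ch))
```

The `clash` channel shows the case to check for when a mute still does not hold: an explicit channel-level allow on the Member role cancels the Muted deny, so the Member override has to stay neutral.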
A Setup Guide
Now that we have gone over what does what and how it works, we can translate that knowledge into a proper functional server structure.
Creating the First Roles:
- Go to Server Settings > Roles.
- Press the Create Role button to add a new role to the list.
- From there, it should directly take you to role editing. You can customize the name, color, and permissions here.
- Once you are done, click save changes at the bottom to apply your settings.
Structuring the Community:
A common and effective system uses a three-tiered format: Member, Moderator and Admin.
| Role Tier | Purpose | Recommended Permissions (Allow) | Permissions to avoid |
| --- | --- | --- | --- |
| Member | General participation for all verified users. | View Channels, Change Nickname, Send Messages, Read Message History, Connect, Speak, Use Application Commands | Any Manage permissions, Kick/Ban Members, Mention @everyone |
| Moderator | Trusted community managers who enforce rules. | All Member permissions, plus: Manage Messages, Timeout Members, Kick Members, Mute Members, Deafen Members, Move Members, Manage Threads | Manage Roles, Manage Channels, Manage Server, Administrator |
| Admin | Highly trusted co-managers who handle server architecture. | All Moderator permissions, plus: Manage Channels, Manage Roles, Manage Server, View Audit Log, Ban Members | Administrator (Grant this only if you trust the user as much as yourself, or more) |
The Administrator permission is the most dangerous. It grants every permission and bypasses all channel overrides. It should be reserved only for the server owner(s).
Role Exclusive Channels:
Creating private channels is the best way to segment your server into specific groups.
- When creating a channel, toggle Private Channel to on.
- Select the roles that should have access to this channel. Discord should automatically configure necessary permissions.

To make an existing channel private, you have to manually edit permissions. Deny View Channel for @everyone and Allow View Channel for roles that should have access. It is also possible to do this for an entire category.
Using Bots for Auto-Roles:
For larger servers with hundreds or thousands of members, it is impractical to assign roles to everyone individually. Bots can be used to set up a verification system, filter out bots (Yes I know, ironic) and spam, and make sure new Members at least glance at the rules. A common setup is letting the @everyone role only have access to a #rules channel, then having any popular bot such as Dyno or YAGPDB.xyz assign the Member role to users who react to a message, thus granting them access to the rest of the server.
A Breakdown of Important Permissions
Understanding the use and risk associated with important permissions is vital:
| Permission Name | Function | Risk Analysis & Abuse Potential | Danger Level | Recommended Role Assignment |
| --- | --- | --- | --- | --- |
| Administrator | Grants all permissions and bypasses all channel/role restrictions. | The ultimate key. A user with this can instantly destroy a server, delete channels, ban all members, or add malicious bots. | Ultra Pro Max | Server Owner only |
| Manage Server | Allows changing server name/icon, adding bots, and editing AutoMod rules. | Can be used to deface the server, remove all moderation rules, or add a “nuke bot” to destroy the server. | Extreme | Admin |
| Manage Roles | Allows creating, editing, and deleting roles below their own. | Can delete essential roles (unrecoverable) or grant dangerous permissions to other users, escalating a security breach. | Extreme | Admin |
| Manage Channels | Allows creating, editing, and deleting channels and categories. | A malicious user can delete every channel on the server, an action that is irreversible. | Extreme | Admin |
| Manage Webhooks | Allows creating, editing, and deleting webhooks. | Webhooks can bypass AutoMod to spam @everyone pings and malicious links, a prime vector for raids and scams. | Extreme | Admin |
| Ban Members | Allows permanently banning users from the server. | Can be used to maliciously remove key members of the community. Banned users cannot rejoin unless unbanned. | High | Admin |
| Kick Members | Allows temporarily removing users from the server (they can rejoin). | Can be used to disrupt the community or mass-remove users via the “Prune” feature as an act of vandalism. | High | Moderator, Admin |
| Mention @everyone, @here, and All Roles | Allows sending notifications to the entire server or specific roles. | This is the primary tool used in “mention raids” to harass all server members. A hallmark of a compromised account. | High | Admin |
| Manage Messages | Allows deleting messages from other users and pinning messages. | Can be used to silently censor users or systematically delete channel history, which is unrecoverable. | High | Moderator, Admin |
| Timeout Members | Allows preventing a member from speaking or sending messages for a set duration. | A core moderation tool, but can be abused to silence users without cause. | Medium | Moderator, Admin |
| Manage Nicknames | Allows changing the nicknames of other members. | Can be used for harassment or to impersonate other users by changing their display names. | Medium | Moderator, Admin |
| Attach Files | Allows uploading files and media. | Can be used to upload malicious files (e.g., malware) or explicit content. | Low to Medium | Member, Moderator, Admin |
| Video | Allows sharing screen or using a webcam in voice channels. | No automatic moderation for video streams, so it can be used to display unwanted or explicit content. | Low | Member, Moderator, Admin |
| Manage Events | Allows editing and deleting all server events. | Can be abused to disrupt scheduled community events. | Low | Moderator, Admin |
Make sure to note the distinction between reversible actions, such as kicking a member, and irreversible actions like deleting a channel. Be very careful about who gets the power to take irreversible actions.
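One way to check a server's roles against the table above, as an added example that is not part of the original guide: it decodes each role's permission bitfield (the Discord API reports role permissions as a bitfield string) and flags any grant held below the tier the table recommends. The function names, the tier mapping and the sample roles are hypothetical and constructed for illustration; “Mention @everyone” abbreviates the table's longer permission name.

```python
# Bit positions in Discord's permission bitfield for the risky rows of the table.
BITS = {"Kick Members": 1, "Ban Members": 2, "Administrator": 3,
        "Manage Channels": 4, "Manage Server": 5, "Manage Messages": 13,
        "Mention @everyone": 17, "Manage Roles": 28, "Manage Webhooks": 29}
# Lowest tier the table recommends for each permission.
MIN_TIER = {"Administrator": "Owner", "Manage Server": "Admin",
            "Manage Roles": "Admin", "Manage Channels": "Admin",
            "Manage Webhooks": "Admin", "Ban Members": "Admin",
            "Mention @everyone": "Admin", "Kick Members": "Moderator",
            "Manage Messages": "Moderator"}
RANK = {"Member": 0, "Moderator": 1, "Admin": 2, "Owner": 3}

def pack(*names):
    """Build a bitfield string, the form in which the API reports permissions."""
    return str(sum(1 << BITS[n] for n in names))

def decode(bitfield):
    """Return the table permissions set in a bitfield; other bits are ignored."""
    value = int(bitfield)
    return {name for name, bit in BITS.items() if value & (1 << bit)}

def audit(roles, tiers):
    """List (role, permission, minimum tier) for every over-privileged grant.

    tiers maps role name -> Member/Moderator/Admin; unlisted roles (bots,
    @everyone) are treated as Member.
    """
    findings = []
    for role in roles:
        rank = RANK[tiers.get(role["name"], "Member")]
        for perm in sorted(decode(role["permissions"])):
            if rank < RANK[MIN_TIER[perm]]:
                findings.append((role["name"], perm, MIN_TIER[perm]))
    return findings

# Constructed sample roles; 0xC00 adds View Channel and Send Messages (bits 10, 11).
SAMPLE_ROLES = [
    {"name": "@everyone", "permissions": str(int(pack("Mention @everyone")) | 0xC00)},
    {"name": "Moderator", "permissions": pack("Kick Members", "Manage Messages", "Manage Roles")},
    {"name": "Admin", "permissions": pack("Ban Members", "Manage Channels", "Manage Roles")},
    {"name": "Music Bot", "permissions": pack("Administrator")},
]
TIERS = {"Moderator": "Moderator", "Admin": "Admin"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROLES, TIERS):
        print("%s holds %s (table recommends %s)" % finding)
```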
Security & Best Practices
To avoid undesirable outcomes, server owners need to be aware of some best practices and how to prevent getting into situations where that may happen.
- Principle of Least Privilege (PoLP): This principle says that any account should have only the bare minimum permissions required to interact with the server. In effect, this means that you should adopt the Additive model where possible: start with a restrictive permission set and add permissions deliberately.
- Harden Safety: In Server Settings > Safety Setup, you can toggle on Require 2FA for Moderation. This will help prevent compromised accounts from having a moderation role or higher in your server. You can also set Server Verification Level to Medium or above to filter out spam bots. Configure AutoMod to block Malicious Links and Keywords.
- Be Cautious of Bots: Apply PoLP to bots as well. Do not grant a mod Administrator unless absolutely required. Only install bots from reputable sources. For a bot to manage roles, its own role must be higher than the roles it manages. You can use Server Settings > Integrations to limit access to powerful bot commands to specific roles.
- Audit Setup: Discord has a View Server as Role feature. Use this to verify that roles are not able to do anything they are not supposed to. Review the Audit Log regularly to ensure your moderators aren’t doing things they are not supposed to.

Conclusion
Creating and managing a Discord server is no easy task, and the difficulty scales as more members join. It is important to understand how permissions work and how they interact with roles in order to achieve the effect you want. Securing a community, especially in the wild landscape that is the internet, is a process. Only by regularly checking up on the nitty gritty of your server will you be able to succeed.