⚖️Role Hierarchy

Hierarchy of permissions applies to Administrators, while the Server Owner is the only user completely immune. Hierarchy rules can be used to ones advantage while building a server.

Web3 Discord Build

Web3 Hierarchy

Role Hierarchy provides an opportunity to structure Discord in a secure manner which protects verified users from unverified while staggering high-threat roles in preparation of attacks. Roles are positioned to do the least harm if compromised by phishing attacks or DMs (Direct Messages).

Server Owner & Hidden Admins

The highest threat to security, Server Owner, is kept offline (COLD) and off the table, while high threat roles/permission are layered out of reach from one another. These accounts are used only during operating hours, only used in one server (WARM), and given to trusted operators.

Vanity Roles

These roles are visible to all within the server, easy to identify and not always true to their permissions and considered Vanity. For instance, Vanity Admin and Moderator do NOT have true administrator access.

Breaking Down Roles

Server Owner (Cold)

Consider this account to be the private key or seed phrase. Only used when first setting up the Discord and in the case of transferring ownership over. The Owner has absolute authority that supersedes all roles and therefore does NOT need to have a role or be easily identifiable.

2FA Requirement for Moderation should always be enabled, all users should use 2FA, this alone will NOT offer immunity to attacks.

2FA using SMS is vulnerable to social engineering. 2FA can be bypassed if a user has Discord key and/or social engineering. Authenticator apps are preferred, Yubikeys/physical authenticators are best (unfortunately don't work with Discord yet)

+ (Hidden Admin/Warm)

The only role with Administrator permissions, does not show up visible on the right-side user list and is used only by those building and maintaining the Discord on the backend. Users with this role should be limited as each additional Admin adds a potential point of failure.

Admins should have only (1) account, specifically used only for the server they work in. Their DMs should always be off and they should NEVER accept random friend requests. Operating this account outside of work creates additional attack points and opportunities for failure.

++ (Hidden Channel Admin/Warm/Temporary)

This role does NOT have Administrator permissions, this role cannot create/add/edit channels. This role is given only to those who operate in high-risk channels, such as #Announcement Channels. It can be a temporary role given to users as needed for announcements.

Bots

Bots are required to mitigate threats such as raids, spam, advertising, restricting links/language, staff impersonation, as well as enforcing the join gate and providing additional security tools. Few bots require Administrator, this should be avoided whenever possible.

Other dangerous permissions bots may require: Manage Webhooks, Manage Channels, and Manage Roles. Some of these only temporarily need these roles, others such as token-gated verification bots may require them at all times. Role hierarchy is used to protect and separate high-threat user roles from bots, and high-threat bots from other bots and users.

Vanity Team Roles (Hot)

Admin, Team, Moderator roles that are visible to all within the server. It's essential these roles be identifiable to users, especially those who are moderating and answering questions/assisting users. These users do NOT need Administrator, Manage Channels/Roles/Webhooks, etc.

A user within these roles could be given ++ hidden roles if they needed these permissions, but day-to-day operators don't need Administrator or Manage permissions.

Moderators (hot)

In addition to no Administrator and/or Manage Webhooks/Channels/Role permissions, Moderators don't need to have access to high-impact, high-threat channels such as Announcements, Official Links, Security/Education Channels etc.

Furthermore, Moderators mute/kick/ban permissions could be all done through an automod bot command instead of directly giving them these permissions. This role is most likely to be compromised and the more limited it is in abilities, the less of a risk it is to the server.

Token-gated roles are monitored by Collab.land/Vulcan (ETH) Matrica (Sol) and/or Custom Verification Bots. Server Boosters are monitored by Discord itself. Collab.land with Tokenproof is the safest third-party option.

Token Holders/Server Boosters (paid roles)

These users are less likely to cause problems and can have access to gifs/links/images or other permissions / access to channels with less strict automod rules. Still all users, including staff are limited to which links they can post.

Verified Users

All users who complete and pass the join gate receive this role. Ideally the join gate blocks bots while causing the least amount of friction to true human users. It is preferred all verification is handled within Discord itself, not through DMs or third-party websites.

A join gate is a test that should be as frictionless as is possible for humans while ensuring bots will fail. Verification is achieved through reactions, captchas, or using a specified command.

Unverified Users

All users that join Discord, before passing a join gate are unverified. Servers should be setup to restrict and separate verified from unverified users making it more difficult for DM contact and ensuring unverified users are NEVER able to chat directly in the server with verified users.