Panelica implements a comprehensive role-based access control (RBAC) system that controls what each user can see and do. The system operates on two levels: role-level permissions (apply to all users of a role) and user-level overrides (apply to individual users, can be temporary).
Four roles in descending privilege order:
- ROOT — Full server access. Always has access to all pages and features (cannot be restricted).
- ADMIN — Creates and manages RESELLERs and USERs. Can only see accounts they created.
- RESELLER — Creates and manages end USERs. Can only see users they created.
- USER — End user. Manages their own domains, email, databases, and files.
Each role can only see resources created by themselves or by users in their hierarchy chain. An ADMIN cannot see another ADMIN's resources. This is enforced at both the API and database levels using the created_by chain.
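To make the created_by rule concrete, here is an added example (not Panelica's own code) that walks the creator chain of a target account and decides whether a viewer may see it. The account records and field names are constructed for illustration; the page does not specify the real schema.

```python
# Constructed account table: id -> role and creator. ROOT has no creator.
# These records and field names are assumptions, not Panelica's schema.
ACCOUNTS = {
    "root": {"role": "ROOT",     "created_by": None},
    "adm1": {"role": "ADMIN",    "created_by": "root"},
    "adm2": {"role": "ADMIN",    "created_by": "root"},
    "res1": {"role": "RESELLER", "created_by": "adm1"},
    "usr1": {"role": "USER",     "created_by": "res1"},
    "usr2": {"role": "USER",     "created_by": "adm2"},
}


def can_see(viewer: str, target: str) -> bool:
    """True if viewer is the target, is ROOT, or appears in the target's created_by chain."""
    if viewer == target:
        return True
    if ACCOUNTS[viewer]["role"] == "ROOT":
        return True  # ROOT sees everything (L3: cannot be restricted)
    seen = set()
    cur = ACCOUNTS[target]["created_by"]
    # Walk up the chain; the seen-set guards against a corrupted cyclic chain.
    while cur is not None and cur not in seen:
        if cur == viewer:
            return True
        seen.add(cur)
        cur = ACCOUNTS[cur]["created_by"]
    return False


def visible_accounts(viewer: str) -> list:
    """The account ids a viewer is allowed to list (what the API/DB filter must return)."""
    return sorted(a for a in ACCOUNTS if can_see(viewer, a))
```

The same predicate has to be applied in the database query that lists accounts, not only in the API handler, or a direct lookup by id would bypass the hierarchy.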
- Default Role Permissions — Each page has a default set of allowed roles defined in the database
- Role Permission Overrides — ROOT can override defaults for any role (allow, deny, or inherit)
- User Permission Overrides — ROOT can set per-user overrides with optional expiration dates
Permission states: Allow (grant access), Deny (block access), Inherit (use defaults, role-level only).
Every sidebar section is a permission category with individually controllable pages:
- Dashboard — Main dashboard (default: all roles)
- Users — User list, create, edit, profile (default: ROOT/ADMIN/RESELLER)
- Plans — Plan list, create, edit (default: ROOT/ADMIN/RESELLER)
- Domains — Domain list, create, edit, DNS, SSL, subdomains, redirects, Cloudflare (default: all roles)
- Email — Accounts, forwarders, autoresponders, queue, routing, spam, mailing lists, settings
- Databases — MySQL databases, database users, remote MySQL
- Files — File manager, FTP accounts, disk usage
- Backup — Create, restore, schedules, snapshots, activity log, migration, remote storage
- Security — Firewall, ModSecurity, IP blocking, antivirus, Security Advisor, AppArmor, audit logs
- Monitoring — Monitoring dashboards, resource usage, process manager, panel logs, error logs, access logs, bandwidth
- Tools — Web terminal, SSH access, cron jobs, PHP settings, package manager, server info
- Web Server — Settings, PHP configuration, Apache modules, WAF
- WordPress — 8 pages (installations, install, themes, plugins, updates, backup, staging, security)
- Docker — 11 pages (manager, containers, images, compose, templates, networks, volumes, etc.)
- Git — 7 pages (manager, repositories, deployments, pipelines, environments, keys, settings)
- Developer — API management, webhooks
- Settings — Panel settings, license, page permissions
- Support — Documentation, system updates
Beyond page-level access, individual actions within a page can be controlled:
Domain edit features (21+ sub-features): IP address, document root, maintenance mode, Nginx/Apache config, PHP version, PHP limits, INI editing, SSL issue/upload/renew, DNS CRUD, subdomain CRUD, ModSecurity toggle/rules
File manager features (10): browse, create, read, write, rename, delete, copy, move, upload, download
Backup features: incremental backup, encryption, sync view
Other examples: ssl.auto_issue, ssl.custom_upload, user.impersonate, terminal.root_access
This ROOT-only page is the master control panel:
Left panel: Navigation tree with search bar, 18 expandable categories, color-coded status indicators (green=allowed, red=denied, yellow=mixed)
Right panel: Role selector (ADMIN/RESELLER/USER), Allow/Deny/Inherit toggle buttons per page, expandable feature groups with individual toggles, statistics dashboard, reset to defaults button
Smart filtering ensures that an ADMIN cannot grant admin-creation permissions and that a RESELLER can only grant USER creation.
In the User Edit page, ROOT users see a Permissions tab with two sections:
Page Overrides:
- Table showing active overrides: page name, category, permission badge (Allow/Deny), reason, expiry date or "Permanent", who set it
- Expired overrides shown with reduced opacity and "Expired" badge
- Add Override button opens a modal with: page selector dropdown, permission toggle, reason field, optional expiration date picker
- Delete button to remove individual overrides
Feature Overrides:
- Same structure as page overrides but for individual features
- Allows granting or denying specific capabilities per user
User overrides support expiration dates:
- Set an expiry — permission automatically reverts to role defaults after that date
- Useful for granting temporary access (e.g., "allow terminal access for 7 days")
- Expired overrides are visually marked but remain until manually deleted
Every permission change is logged: action type (grant/revoke/modify), target (role or user), old and new values, who made the change, timestamp and IP address.
When a user requests a page, access is resolved in this order:
- Check user_page_overrides (non-expired override for this user + page)
- Check role_page_permissions (explicit role override)
- Check pages.default_roles (role in default list)
- The first match wins. If none match, access is denied.
User-level deny beats role-level allow. The sidebar dynamically hides denied pages, and the backend API also enforces permissions on every request.
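The following is an added example (not Panelica's own code) that implements the three-step resolution order above, including the ROOT exception, expiry of user overrides and the "inherit" state at role level. Table contents, field names and the inclusive expiry date are constructed assumptions.

```python
from datetime import date

# Constructed stand-ins for the three tables the text names. ROOT is not
# stored here: it is always allowed. Field names are assumptions.
PAGES = {
    "terminal":  {"default_roles": {"ROOT", "ADMIN"}},
    "dashboard": {"default_roles": {"ROOT", "ADMIN", "RESELLER", "USER"}},
    "users":     {"default_roles": {"ROOT", "ADMIN", "RESELLER"}},
}
# role_page_permissions: allow / deny, or inherit to fall through to defaults
ROLE_PAGE_PERMISSIONS = {
    ("RESELLER", "terminal"): "allow",
    ("ADMIN", "users"): "inherit",
    ("USER", "dashboard"): "deny",
}
# user_page_overrides: expires=None means permanent; assumed inclusive end date
USER_PAGE_OVERRIDES = [
    {"user": "bob",   "page": "terminal", "permission": "deny",  "expires": None},
    {"user": "carol", "page": "terminal", "permission": "allow", "expires": date(2024, 1, 7)},
]


def can_access(user: str, role: str, page: str, today: date) -> bool:
    """Resolve page access; the first matching rule decides."""
    if role == "ROOT":
        return True  # ROOT cannot be restricted
    # 1. Non-expired user override (a user-level deny beats a role-level allow)
    for ov in USER_PAGE_OVERRIDES:
        if ov["user"] == user and ov["page"] == page:
            if ov["expires"] is None or ov["expires"] >= today:
                return ov["permission"] == "allow"
            # expired: keep the row (L52) but ignore it and fall through
    # 2. Explicit role override; "inherit" falls through to the defaults
    role_perm = ROLE_PAGE_PERMISSIONS.get((role, page), "inherit")
    if role_perm != "inherit":
        return role_perm == "allow"
    # 3. Page defaults
    if role in PAGES.get(page, {}).get("default_roles", set()):
        return True
    # 4. Nothing matched (including an unknown page): deny
    return False


def visible_pages(user: str, role: str, today: date) -> list:
    """Pages the sidebar should show; the API must run can_access on each request too."""
    return sorted(p for p in PAGES if can_access(user, role, p, today))
```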
If you encounter any issues with this feature, please open a report in the Bug Reports forum.