firefrost-operations-manual/docs/tasks/department-structure-&-access-control-matrix/access-control-matrix.md
Claude df6102507d docs: Complete Department Structure & Access Control Matrix
Created comprehensive organizational framework for Firefrost Gaming staff.

department-structure.md:
- Full organizational chart with 4 main departments
- Department definitions (Operations, Community, Content)
- 8-level permission hierarchy (Public to Founding Partner)
- Role-specific responsibilities and access
- Onboarding procedures by department
- Cross-department collaboration workflows
- Emergency procedures
- Performance review framework
- Career advancement paths
- Implementation phases

access-control-matrix.md:
- Complete permission mapping for all systems
- Discord, Pterodactyl, Wiki.js, Gitea access matrices
- Server SSH access controls
- API key management
- Social media account access
- Emergency override procedures
- Access request/revocation workflows
- Monthly/quarterly/annual audit procedures
- Technical implementation guides

Foundation for role-based access control across all Firefrost systems.
Ready for implementation when first staff hired.

Task: Department Structure & Access Control Matrix (Tier 2)
FFG-STD-002 compliant
2026-02-17 16:58:05 +00:00

Firefrost Gaming - Access Control Matrix

Version: 1.0
Status: Planning
Last Updated: 2026-02-17
Purpose: Technical permissions mapping for all systems and roles


How to Read This Matrix

Format: Role → System → Permission Level

Permission Levels:

  • No Access - Cannot view or interact (shown as an empty cell in the matrices below)
  • 👁️ Read Only - Can view, cannot modify
  • ✏️ Read/Write - Can view and modify assigned resources
  • 🔧 Admin - Can view, modify, and configure
  • 🔑 Root - Full control, including security and infrastructure

Discord Access Matrix

| Role | General Channels | Staff Channels | Moderation Tools | Server Settings | Roles/Permissions |
|---|---|---|---|---|---|
| Founding Partners | 🔑 | 🔑 | 🔑 | 🔑 | 🔑 |
| Moderators | ✏️ | 👁️ | 🔧 (kick, timeout, mute) | | |
| Game Admins | ✏️ | 👁️ | | | |
| Builders | ✏️ | 👁️ (builder channels) | | | |
| Social Media | ✏️ | 👁️ (social channels) | | | |
| Support Team | ✏️ | 👁️ (support channels) | | | |
| Subscribers | ✏️ | | | | |

Notes:

  • Moderators cannot ban (escalate to Founding Partners)
  • Staff channels segmented by department
  • All staff can see announcements channel

Pterodactyl Panel Access Matrix

| Role | Panel Access | Server List | Console Access | File Manager | Server Settings | User Management | Node Management |
|---|---|---|---|---|---|---|---|
| Founding Partners | 🔑 | 🔑 All servers | 🔑 | 🔑 | 🔑 | 🔑 | 🔑 |
| Game Admins | 🔧 | 👁️ Assigned only | 🔧 Assigned only | ✏️ Configs only | ✏️ Limited | | |
| Builders | ✏️ | 👁️ Creative servers | ✏️ Creative only | ✏️ Creative only | | | |
| Others | | | | | | | |

Specific Permissions - Game Admins:

Allowed:

  • Start/stop/restart server
  • View console logs
  • Send console commands
  • Edit server.properties, mod configs
  • Access server files (read/write)

Not allowed:

  • Delete servers
  • Allocate resources (RAM/CPU)
  • Change server owner
  • Access other servers

Specific Permissions - Builders:

Allowed:

  • Full access to assigned creative servers
  • Install/remove mods (creative only)
  • Upload/download world files

Not allowed:

  • Access production servers
  • Change resource allocation
  • Access other builders' servers

Wiki.js Access Matrix

| Role | Public Pages | Staff Area | Ops Docs | Community Docs | Content Docs | Admin Panel |
|---|---|---|---|---|---|---|
| Founding Partners | 🔑 | 🔑 | 🔑 | 🔑 | 🔑 | 🔑 |
| Game Admins | 👁️ | 👁️ | ✏️ | 👁️ | 👁️ | |
| Moderators | 👁️ | 👁️ | 👁️ | ✏️ | 👁️ | |
| Builders | 👁️ | 👁️ | 👁️ | 👁️ | ✏️ Builder section | |
| Social Media | 👁️ | 👁️ | 👁️ | 👁️ | ✏️ Social section | |
| Support Team | 👁️ | 👁️ | 👁️ FAQ only | 👁️ | 👁️ | |
| Subscribers | 👁️ Subscriber wiki | | | | | |

Page Structure:

/public (subscribers.firefrostgaming.com)
├─ Getting Started
├─ Modpack Guides
├─ Rules
└─ FAQ

/staff (staff.firefrostgaming.com)
├─ /operations
│  ├─ Server Management
│  ├─ Troubleshooting
│  └─ Procedures
├─ /community
│  ├─ Moderation Guide
│  ├─ Event Planning
│  └─ Conflict Resolution
├─ /content
│  ├─ /builders
│  │  ├─ Design Guidelines
│  │  └─ Workflow
│  └─ /social-media
│     ├─ Brand Voice
│     └─ Content Calendar
└─ /general
   ├─ Onboarding
   ├─ Team Directory
   └─ Policies

Gitea (Operations Manual) Access Matrix

| Role | Read Access | Write Access | Admin Access |
|---|---|---|---|
| Founding Partners | 🔑 All repos | 🔑 All repos | 🔑 |
| Game Admins | 👁️ Operations docs | | |
| All Other Staff | | | |

Notes:

  • Operations manual is primarily internal
  • Claude instances have scoped access as appropriate
  • Wiki.js is the staff-facing documentation platform

Uptime Kuma (Monitoring) Access Matrix

| Role | Dashboard View | Alert Config | Service Config | Admin |
|---|---|---|---|---|
| Founding Partners | 🔑 | 🔑 | 🔑 | 🔑 |
| Game Admins | 👁️ All services | | | |
| All Other Staff | 👁️ Public status page | | | |

Public Status Page: status.firefrostgaming.com

  • Shows server status for all game servers
  • No authentication required
  • Read-only

Paymenter (Billing) Access Matrix

| Role | Customer View | Order Management | Financial Reports | System Config |
|---|---|---|---|---|
| Founding Partners | 🔑 | 🔑 | 🔑 | 🔑 |
| All Other Staff | | | | |

Notes:

  • Billing is strictly founding partners only
  • No delegation of financial access
  • Customer data is protected

Whitelist Manager Access Matrix

| Role | Access | Add Players | Remove Players | Toggle Whitelist | Bulk Operations |
|---|---|---|---|---|---|
| Founding Partners | 🔑 | 🔑 | 🔑 | 🔑 | 🔑 |
| Game Admins | ✏️ | ✏️ Assigned servers | ✏️ Assigned servers | ✏️ Assigned servers | ✏️ Assigned servers |
| Support Team | ✏️ (if approved) | ✏️ Request only | | | |

Workflow for Support Team:

  1. Receive whitelist request from player
  2. Verify subscription status in Paymenter (read-only link)
  3. Submit request to Game Admin or use Whitelist Manager if granted access
  4. Confirm to player

Server SSH Access Matrix

| Role | Command Center | TX1 | NC1 | Ghost VPS | Billing VPS | Panel VPS |
|---|---|---|---|---|---|---|
| Founding Partners | 🔑 root | 🔑 root | 🔑 root | 🔑 root | 🔑 root | 🔑 root |
| Server Ops (future) | 🔧 sudo limited | 🔧 sudo limited | 🔧 sudo limited | | | |
| All Others | | | | | | |

Server Ops Sudo Permissions (Future):

Allowed:

  • Service restart (systemctl restart)
  • Log viewing
  • Process monitoring (htop, top)
  • Disk usage checks

Not allowed:

  • User management
  • Network configuration
  • Firewall modifications
  • Package installation (escalate to Founding Partners)

Social Media Accounts Access Matrix

| Role | Buffer/Scheduler | Discord (Official) | Twitter/X | Instagram | TikTok | YouTube | Reddit |
|---|---|---|---|---|---|---|---|
| Founding Partners | 🔑 | 🔑 Owner | 🔑 Owner | 🔑 Owner | 🔑 Owner | 🔑 Owner | 🔑 |
| Social Media Team | ✏️ Scheduler only | ✏️ Post only | ✏️ Via Buffer | ✏️ Via Buffer | ✏️ Via Buffer | ✏️ Contributor | ✏️ Approved posts |

Security Notes:

  • Social Media Team does NOT have account passwords
  • Access via Buffer or shared management tools only
  • Cannot delete content or change account settings
  • Cannot respond to DMs without approval

File Storage Access Matrix

| Role | Google Drive | NextCloud | Vaultwarden |
|---|---|---|---|
| Founding Partners | 🔑 | 🔑 | 🔑 |
| Game Admins | 👁️ Ops folder | | |
| Builders | 👁️ Asset library | 👁️ Assets folder | |
| Social Media | 👁️ Brand assets | 👁️ Media folder | |
| All Staff | 👁️ Staff resources | | |

API Keys & Credentials Access

| Credential | Storage Location | Access |
|---|---|---|
| Pterodactyl API (Full) | Vaultwarden | Founding Partners only |
| Pterodactyl API (Scoped) | Vaultwarden | Game Admins (assigned servers) |
| Gitea API (Full) | Vaultwarden | Founding Partners only |
| Gitea API (Scoped) | Vaultwarden | Claude instances (scoped repos) |
| Discord Bot Token | Vaultwarden | Founding Partners only |
| Social Media APIs | Vaultwarden | Founding Partners only |
| Payment Gateway | Vaultwarden | Founding Partners only |
| DNS API | Vaultwarden | Founding Partners only |

Security Principle: API keys are scoped to minimum necessary permissions whenever possible.


Emergency Override Access

Scenario: Founding Partner unreachable during critical incident

Procedure:

  1. Document incident in detail
  2. Take minimum necessary action
  3. Notify Founding Partners immediately (all channels)
  4. Lock any temporary elevated access after incident
  5. Full post-mortem review

Who Can Override:

  • No one currently
  • Future: Designated emergency contact (to be defined)

What Can Be Overridden:

  • None currently
  • Future: Limited emergency procedures only

Access Request Procedures

Game Admin Requesting New Server Access

  1. Submit request to Founding Partners
  2. Justify need (assigned project, coverage, etc.)
  3. Await approval
  4. Access granted in Pterodactyl (scoped)
  5. Logged in access control matrix

Builder Requesting Production Deployment

  1. Complete build in creative server
  2. Submit for review (screenshots + explanation)
  3. Review by Michael or designated reviewer
  4. If approved: Access granted for production deployment
  5. Access removed after deployment complete

Staff Requesting Wiki.js Edit Access

  1. Submit request with section needed
  2. Justify need (documentation improvement, etc.)
  3. Founding Partners review
  4. Access granted (scoped to section)
  5. Changes reviewed periodically

Access Revocation Procedures

Routine (Staff Departure)

  1. Founding Partners notified of departure
  2. All access revoked within 24 hours:
    • Discord roles removed
    • Pterodactyl access removed
    • Wiki.js access removed
    • Shared tool access removed
  3. Incentive instance preserved for 30 days (data retrieval)
  4. After 30 days: Instance deleted
  5. Exit interview if appropriate

Emergency (Security Incident)

  1. Immediate access revocation (all systems)
  2. Password reset on all shared accounts
  3. API keys rotated if compromised
  4. Investigation conducted
  5. Access restored if cleared, or termination

Audit & Compliance

Monthly Audit:

  • Review Pterodactyl access logs
  • Review Wiki.js edit history
  • Verify no unauthorized access
  • Check for dormant accounts

Quarterly Review:

  • Full access matrix review
  • Update based on org changes
  • Remove unnecessary access
  • Add new roles as needed

Annual Review:

  • Complete security assessment
  • Access control policy review
  • Update procedures
  • Staff training refresh

Technical Implementation

Pterodactyl Panel

Role Creation:

Role: Game Admin - TX1 Servers
Permissions:
- websocket.connect (assigned servers)
- control.console (assigned servers)
- control.start (assigned servers)
- control.stop (assigned servers)
- control.restart (assigned servers)
- file.read (assigned servers)
- file.write (assigned servers)
- startup.read (assigned servers)

Servers: [Manually assign TX1 servers]
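The monthly audit asks for "verify no unauthorized access" against this template. The script below is an added example, not part of the Firefrost manual: it takes the Game Admin permission list above plus an assumed per-user server assignment, and flags any subuser grant that sits on an unassigned server or carries a permission the template does not include. The grant records are a constructed sample standing in for a panel export.

```python
"""Drift check of Pterodactyl subuser grants against the Game Admin template.

Added example (not the manual's own tooling). The template is the list from
the role above; ASSIGNED_SERVERS and the grant records are constructed.
"""
from dataclasses import dataclass

# Permission template for "Game Admin - TX1 Servers", as listed in the manual.
GAME_ADMIN_TEMPLATE = frozenset({
    "websocket.connect", "control.console", "control.start", "control.stop",
    "control.restart", "file.read", "file.write", "startup.read",
})

# Assumed assignment list: the servers each Game Admin may hold access on.
ASSIGNED_SERVERS = {
    "alice": {"tx1-atm9", "tx1-vanilla"},
}


@dataclass(frozen=True)
class Grant:
    """One subuser entry: who, on which server, with which permissions."""
    user: str
    server: str
    permissions: frozenset


def audit_grants(grants, template=GAME_ADMIN_TEMPLATE, assigned=ASSIGNED_SERVERS):
    """Return findings as (user, server, kind, detail) tuples.

    kind is "unassigned-server" for a grant on a server the user is not
    assigned to, or "extra-permission" for each permission outside the
    template. Missing template permissions are not flagged: under-privilege
    is a support ticket, over-privilege is an audit finding.
    """
    findings = []
    for g in grants:
        if g.server not in assigned.get(g.user, set()):
            findings.append((g.user, g.server, "unassigned-server", g.server))
        for perm in sorted(g.permissions - template):
            findings.append((g.user, g.server, "extra-permission", perm))
    return findings


# Constructed sample export. Bob has no assignment at all, and Alice's second
# grant carries file.delete and user.create, which the template never allows.
SAMPLE_GRANTS = [
    Grant("alice", "tx1-atm9", frozenset({"websocket.connect", "control.console", "file.read"})),
    Grant("alice", "tx1-vanilla", GAME_ADMIN_TEMPLATE | {"file.delete", "user.create"}),
    Grant("bob", "nc1-creative", frozenset({"control.start"})),
]

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS):
        print("FINDING", *finding)
```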

Wiki.js

Group Creation:

Group: Operations Staff
Permissions:
- Read: ALL
- Write: /staff/operations/*
- Write: /staff/general/
- Admin: NONE

Group: Community Staff
Permissions:
- Read: ALL
- Write: /staff/community/*
- Write: /staff/general/
- Admin: NONE

Group: Content Staff
Permissions:
- Read: ALL
- Write: /staff/content/[subgroup]/*
- Write: /staff/general/
- Admin: NONE

Discord

Role Hierarchy (Top to Bottom):

  1. Founding Partner
  2. Operations Lead (future)
  3. Community Lead (future)
  4. Content Lead (future)
  5. Senior Staff (future)
  6. Game Admin
  7. Moderator
  8. Builder
  9. Social Media
  10. Support
  11. Subscriber
  12. @everyone

Permission Template - Moderator:

  • Manage Messages
  • Kick Members
  • Timeout Members
  • View Audit Log
  • No Ban Members
  • No Manage Roles
  • No Manage Server

Fire + Frost + Foundation = Where Love Builds Legacy 💙🔥❄️


Document Status: COMPLETE
Next Steps: Implement in Wiki.js, Pterodactyl, Discord
Review Schedule: Monthly audits, quarterly reviews, annual assessment