---
summary: ScaiEcho module permissions and which roles get them by default.
title: Permissions
path: reference/permissions
status: published
---

ScaiEcho defines four module-permission keys, mapped onto ScaiGrid's RBAC system. Every endpoint enforces one of them. Biometric capture (speaker enrollment) is deliberately gated separately from generic transcribe access.

## Permission keys

| Key | What it grants |
|---|---|
| `scaiecho:transcribe` | Call batch and streaming STT endpoints, poll async jobs, open WebSocket and WebRTC sessions. |
| `scaiecho:diarize` | Request speaker-attributed transcripts. Checked at WS open / WebRTC session create when `diarize=true`. |
| `scaiecho:enroll` | List, read, enroll, update, delete speaker profiles. Biometric data — requires explicit consent capture. |
| `scaiecho:admin` | Read and update tenant backend policy (allowed backends, default backend). |

## Default role mapping

Built-in roles auto-grant these via ScaiGrid's catch-all in `CurrentUser.has_module_permission`:

| Role | Auto-grants |
|---|---|
| `super_admin` | All of the above. |
| `partner_admin` | All of the above for tenants under the partner. |
| `tenant_admin` | All of the above for the tenant. |
| `tenant_user` | None by default — explicit opt-in. |
| `tenant_viewer` | `scaiecho:transcribe` only. |

`tenant_user` gets nothing automatically because transcription affects accounting and enrollment handles biometric data. Both therefore require explicit opt-in through a custom role.

## Granting selectively

A typical custom role for engineers who run pipelines:

```bash
curl -X POST "$SCAIGRID_HOST/v1/iam/custom-roles" \
  -H "Authorization: Bearer $SCAIGRID_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Transcription users",
    "module_permissions": ["scaiecho:transcribe", "scaiecho:diarize"]
  }'
```

A separate "Speaker custodians" role with `scaiecho:enroll` is usually held by very few people — they're the ones legally responsible for the consent records.
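To make the default role mapping and the custom-role opt-in concrete, here is an added Python model of the check (not ScaiGrid's own `CurrentUser` implementation): built-in roles auto-grant within their scope, custom roles add keys explicitly, and `diarize` is only demanded when a session requests it. The scope labels, endpoint names and the rule that custom-role grants apply only within the user's own tenant are this example's assumptions.

```python
from dataclasses import dataclass

# Permission keys as listed on this page.
TRANSCRIBE, DIARIZE = "scaiecho:transcribe", "scaiecho:diarize"
ENROLL, ADMIN = "scaiecho:enroll", "scaiecho:admin"
ALL_KEYS = frozenset({TRANSCRIBE, DIARIZE, ENROLL, ADMIN})
# Built-in roles: (scope the auto-grant applies to, keys auto-granted).
# Models the default mapping table; the scope labels are this example's own.
AUTO_GRANTS = {
    "super_admin": ("global", ALL_KEYS),
    "partner_admin": ("partner", ALL_KEYS),
    "tenant_admin": ("tenant", ALL_KEYS),
    "tenant_user": ("tenant", frozenset()),
    "tenant_viewer": ("tenant", frozenset({TRANSCRIBE})),
}

@dataclass
class CurrentUser:
    user_id: str
    role: str
    tenant_id: str
    partner_id: str
    custom_permissions: frozenset = frozenset()  # from custom roles (explicit opt-in)

    def has_module_permission(self, key, tenant_id, tenant_partner_id):
        scope, keys = AUTO_GRANTS[self.role]
        in_scope = (
            scope == "global"
            or (scope == "partner" and tenant_partner_id == self.partner_id)
            or (scope == "tenant" and tenant_id == self.tenant_id)
        )
        if in_scope and key in keys:
            return True
        # Assumption: custom-role grants apply only within the user's own tenant.
        return tenant_id == self.tenant_id and key in self.custom_permissions

def required_permissions(endpoint, diarize=False):
    """Keys an endpoint enforces; diarize is checked only when diarize=true."""
    if endpoint in ("stt", "ws", "webrtc"):
        return {TRANSCRIBE, DIARIZE} if diarize else {TRANSCRIBE}
    if endpoint == "speakers":
        return {ENROLL}
    if endpoint == "backend-policy":
        return {ADMIN}
    raise ValueError(f"unknown endpoint {endpoint!r}")

def authorize(user, endpoint, tenant_id, tenant_partner_id, diarize=False):
    """True only if the user holds every key the endpoint enforces for that tenant."""
    return all(user.has_module_permission(k, tenant_id, tenant_partner_id)
               for k in required_permissions(endpoint, diarize))
```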

## Audit

Every permission-gated call is logged with `actor_user_id`, `action`, `resource_id`. ScaiGrid's audit log query supports filtering by `module = "scaiecho"`. Speaker deletions additionally write an immutable `ErasureAudit` row that survives the speaker tombstone.
