When you grant a Discord member the Manage Roles permission, you may expect them to manage only roles below their own. However, many server administrators discover too late that a member with Manage Roles can edit the permissions of any role they can see, including roles above their own, if the role order is not carefully controlled. This occurs because Discord uses a role hierarchy system where a user can only manage roles that are positioned below their highest role in the server settings list. This article explains exactly how the hierarchy works, why it creates a trap, and how to configure your roles to prevent unauthorized privilege escalation.
Key Takeaways: Role Hierarchy and Manage Roles
- Server Settings > Roles > Drag to Reorder: The role at the top of the list has the highest power; a user can only manage roles below their highest role.
- Manage Roles permission unchecked for high roles: Only grant Manage Roles to roles that are positioned low in the hierarchy to limit damage if misused.
- Administrator permission bypasses all hierarchy: A user with Administrator can manage all roles regardless of position; never give Administrator to moderators.
How Discord Role Hierarchy Works
Discord uses a vertical role list in Server Settings > Roles. The role at the top of the list has the highest authority. A user inherits the highest role they have, and that role determines which other roles they can manage. A user can only manage roles that appear below their highest role in the list. This means if a user has a role that is third from the top, they can edit the permissions of roles four, five, six, and so on, but not roles one, two, or three.
The Manage Roles permission allows a user to edit the permissions of any role below their highest role. This includes the ability to give themselves or others a higher role. For example, if a moderator role is positioned above the admin role, a moderator with Manage Roles can edit the admin role’s permissions and grant themselves Administrator. This is the trap: administrators often place the moderator role above the admin role in the list, thinking it restricts moderators, but the opposite happens.
Why the Trap Exists
The trap exists because Discord does not prevent a user from editing permissions of roles above their own if those roles are positioned lower in the list. Many server owners assume that a user can only manage roles that are strictly below their own in the hierarchy. But the rule is based on the position of the role in the list, not on the role name or its permissions. If you place a role with Manage Roles at the top of the list, that user can manage every role below it, including the admin role if it is lower.
Steps to Secure Your Role Hierarchy
Follow these steps to prevent the Manage Roles trap in your Discord server.
- Open Server Settings
  Click the server name at the top left of the Discord window. Select Server Settings from the drop-down menu. Then click Roles in the left sidebar.
- Review the Role Order
  Look at the current order of roles. The role at the top has the highest authority. The role at the bottom has the least authority. Ensure that roles with sensitive permissions like Administrator or Manage Server are at the top. Roles that grant Manage Roles should be near the bottom.
- Drag Roles to Correct Positions
  Click and drag each role to reorder them. Place the Administrator role at the very top. Place roles with Manage Server and Ban Members just below. Place roles with Manage Roles near the bottom, below all roles they should not be able to edit. For example, if you have a Moderator role with Manage Roles, drag it below the Admin role and below the Server Owner role.
- Test the Hierarchy
  Create a test account with the Moderator role. Log in and try to edit the Admin role. The test account should not be able to see or edit the Admin role if the Moderator role is below it. If it can, reorder the roles again.
- Remove Manage Roles from High Roles
  For any role that is high in the hierarchy, such as Admin or Co-Owner, uncheck the Manage Roles permission. Only grant Manage Roles to roles that are low in the hierarchy and that you trust not to escalate privileges.
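The review in the steps above can also be run offline against an export of the server's roles. This is an added example, not code from the article: it assumes role objects shaped like those in Discord's API (`name`, `position`, and `permissions` as a decimal string, with a higher `position` meaning higher in the list); the function names and the sample roles are constructed for illustration.

```python
# Added example: offline audit of a role export against the ordering rule above.
# Permission bit values are Discord's documented permission flags.
ADMINISTRATOR = 1 << 3
MANAGE_GUILD = 1 << 5      # shown as "Manage Server" in the client
BAN_MEMBERS = 1 << 2
MANAGE_ROLES = 1 << 28
SENSITIVE = {"Administrator": ADMINISTRATOR,
             "Manage Server": MANAGE_GUILD,
             "Ban Members": BAN_MEMBERS}

# Constructed sample: Moderator has been dragged above Admin (the trap).
SAMPLE_ROLES = [
    {"id": "1", "name": "@everyone", "position": 0, "permissions": "0"},
    {"id": "2", "name": "Helper", "position": 1, "permissions": str(MANAGE_ROLES)},
    {"id": "3", "name": "Admin", "position": 2, "permissions": str(ADMINISTRATOR)},
    {"id": "4", "name": "Moderator", "position": 3,
     "permissions": str(MANAGE_ROLES | BAN_MEMBERS)},
]


def sensitive_perms(role):
    """Names of the sensitive permissions a role carries."""
    bits = int(role["permissions"])
    return [name for name, flag in SENSITIVE.items() if bits & flag]


def audit_role_order(roles):
    """List (manager, target, perms) where a Manage Roles role sits above a sensitive role."""
    findings = []
    ordered = sorted(roles, key=lambda r: r["position"], reverse=True)  # top of list first
    for manager in ordered:
        bits = int(manager["permissions"])
        # Administrator roles bypass the hierarchy anyway; report only the
        # non-admin roles that hold Manage Roles.
        if not bits & MANAGE_ROLES or bits & ADMINISTRATOR:
            continue
        for target in ordered:
            if target["position"] < manager["position"] and sensitive_perms(target):
                findings.append((manager["name"], target["name"], sensitive_perms(target)))
    return findings


if __name__ == "__main__":
    for manager, target, perms in audit_role_order(SAMPLE_ROLES):
        print(f"{manager} (Manage Roles) is above {target}: {', '.join(perms)}")
```

An empty result means no non-admin role with Manage Roles is positioned above a role carrying Administrator, Manage Server or Ban Members.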
Common Misconceptions and Mistakes
“I Gave Manage Roles to the Moderator Role, But They Can’t Edit the Admin Role”
This is correct behavior if the Moderator role is positioned below the Admin role. If the Moderator role is above the Admin role, the Moderator can edit the Admin role. Check the role order in Server Settings > Roles. Drag the Moderator role below the Admin role to prevent editing.
“I Gave Manage Roles to a User, and They Gave Themselves Administrator”
This happens when the user’s role is positioned above a role that has the Administrator permission. The user edited that role and granted themselves Administrator. To fix this, move the role with Administrator to the top of the list. Then remove Manage Roles from the user’s role. Finally, check the audit log to see what changes were made.
“The Server Owner Role Cannot Be Edited Even by Users with Manage Roles”
The Server Owner role is a special role that always sits at the top of the hierarchy regardless of its position in the list. No user, including the owner, can edit the Server Owner role. However, the owner can transfer ownership to another user. This is not a vulnerability.
Discord Role Permissions: Manage Roles vs Administrator vs Manage Server
| Permission | What It Allows | Risk Level |
|---|---|---|
| Manage Roles | Edit permissions of any role below the user’s highest role in the list | High if given to a role near the top |
| Administrator | Full access to all server settings, all roles, and all channels; bypasses all permission restrictions | Extreme; never give to anyone except the server owner |
| Manage Server | Change server name, region, icon, and moderation settings | Moderate; does not allow editing roles directly |
The Manage Roles permission is dangerous because it allows a user to edit the permissions of roles below their highest role. This includes the ability to grant themselves or others the Administrator permission. The Administrator permission bypasses all hierarchy and allows the user to do anything. The Manage Server permission does not allow editing roles, so it is safer to give to moderators.
Conclusion
The Manage Roles permission hierarchy trap occurs when a role with Manage Roles is placed above a role with higher permissions like Administrator. By keeping roles with Manage Roles low in the hierarchy and roles with Administrator at the top, you prevent privilege escalation. Always test your role order with a secondary account before assigning the permission to real users. For advanced protection, consider using Discord’s built-in audit log to monitor role changes and revoke Manage Roles from any role that does not need it.
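One way to monitor the audit log for the changes described above, as an added example that is not part of the original article: it scans exported audit log entries for role edits that newly grant Administrator or Manage Roles, and for members adding a role to themselves. The entry shape and action type numbers follow Discord's audit log API; the function names and the sample entries are constructed for illustration.

```python
# Added example: flag risky role changes in exported audit log entries.
ROLE_CREATE, ROLE_UPDATE = 30, 31   # audit log action types for role create/edit
MEMBER_ROLE_UPDATE = 25             # a member's roles were changed
WATCHED = {"Administrator": 1 << 3, "Manage Roles": 1 << 28}

# Constructed sample entries.
SAMPLE_ENTRIES = [
    {"id": "9001", "action_type": 31, "user_id": "111", "target_id": "3",
     "changes": [{"key": "permissions", "old_value": "4", "new_value": "12"}]},
    {"id": "9002", "action_type": 31, "user_id": "222", "target_id": "5",
     "changes": [{"key": "name", "old_value": "Mods", "new_value": "Moderators"}]},
    {"id": "9003", "action_type": 25, "user_id": "111", "target_id": "111",
     "changes": [{"key": "$add", "new_value": [{"id": "3", "name": "Admin"}]}]},
]


def newly_granted(old, new):
    """Watched permissions set in `new` that were not set in `old`."""
    added = int(new) & ~int(old)
    return [name for name, flag in WATCHED.items() if added & flag]


def flag_entries(entries):
    """Return (entry_id, kind, detail) for each entry worth a manual review."""
    alerts = []
    for entry in entries:
        action = entry["action_type"]
        for change in entry.get("changes", []):
            if action in (ROLE_CREATE, ROLE_UPDATE) and change["key"] == "permissions":
                # A newly created role has no old value; treat it as no permissions.
                gained = newly_granted(change.get("old_value", "0"), change["new_value"])
                if gained:
                    alerts.append((entry["id"], "role_gained", gained))
            elif (action == MEMBER_ROLE_UPDATE and change["key"] == "$add"
                  and entry["user_id"] == entry["target_id"]):
                # The acting user and the affected member are the same account.
                names = [role["name"] for role in change["new_value"]]
                alerts.append((entry["id"], "self_assigned", names))
    return alerts


if __name__ == "__main__":
    for entry_id, kind, detail in flag_entries(SAMPLE_ENTRIES):
        print(entry_id, kind, detail)
```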