Roles and Permissions

This page outlines all roles, modifiers, and permissions across the Orion Finance protocol smart contracts.

Vault-Level Roles

Manager

The manager is responsible for the vault. The manager address is set during vault creation.

Strategist

The strategist is responsible for submitting portfolio allocation intents. The strategist can be either:

A wallet address (active management);
A smart contract implementing IOrionStrategist (passive management).

User

A User is any address that can interact with vaults to deposit assets, redeem shares, and manage their deposit/redemption requests. User access can be configured as either permissionless or permissioned based on the vault's access control settings via the specific IOrionAccessControl implementation.

Protocol-Level Roles

Admin

The admin is the same entity that owns all protocol-level contracts: OrionConfig, InternalStateOrchestrator, LiquidityOrchestrator, TransparentVaultFactory, and PriceAdapterRegistry.

Security Implementation: The admin role is implemented as a multi-signature Gnosis Safe wallet. Signers follow robust security practices and multiple approvals are required for administrative actions.

Guardian

A designated address with limited emergency and operational permissions.

Automation Registry

The Automation Registry is an off-chain service responsible for driving the protocol's epoch-based rebalancing cycle. This external service monitors the orchestrators via the checkUpkeep() function and automatically executes upkeep when conditions are met.

Permission Matrix

Vault-Level Functions

Function	Manager	Strategist	User
`updateFeeModel`	Yes	No	No
`claimVaultFees`	Yes	No	No
`setDepositAccessControl`	Yes	No	No
`updateStrategist`	Yes	No	No
`updateVaultWhitelist`	Yes	No	No
`createVault`	Yes	No	No
`submitIntent`	No*	Yes	No
`requestDeposit`	Yes	Yes	Yes
`cancelDepositRequest`	Yes	Yes	Yes
`requestRedeem`	Yes	Yes	Yes
`cancelRedeemRequest`	Yes	Yes	Yes
`redeem`	Yes	Yes	Yes

Note: A manager can set themselves as the strategist of a vault using updateStrategist, which would allow them to submit intents.

Protocol-Level Functions

Function	Admin	Guardian	Automation Registry
`setInternalStateOrchestrator`	Yes	No	No
`setLiquidityOrchestrator`	Yes	No	No
`setVaultFactory`	Yes	No	No
`setPriceAdapterRegistry`	Yes	No	No
`setProtocolRiskFreeRate`	Yes	No	No
`setMinDepositAmount`	Yes	Yes	No
`setMinRedeemAmount`	Yes	Yes	No
`setFeeChangeCooldownDuration`	Yes	No	No
`setMaxFulfillBatchSize`	Yes	Yes	No
`setGuardian`	Yes	No	No
`pauseAll`	Yes	Yes	No
`unpauseAll`	Yes	No	No
`addWhitelistedAsset`	Yes	No	No
`removeWhitelistedAsset`	Yes	No	No
`addWhitelistedManager`	Yes	Yes	No
`removeWhitelistedManager`	Yes	No	No
`removeOrionVault`	Yes	No	No
`updateAutomationRegistry`	Yes	No	No
`updateEpochDuration`	Yes	Yes	No
`updateMinibatchSize`	Yes	Yes	No
`updateProtocolFees`	Yes	No	No
`setTargetBufferRatio`	Yes	No	No
`withdrawLiquidity`	Yes	No	No
`claimProtocolFees`	Yes	No	No
`performUpkeep`	No	No	Yes

Vault-Level Roles​

Manager​

Strategist​

User​

Protocol-Level Roles​

Admin​

Guardian​

Automation Registry​

Permission Matrix​

Vault-Level Functions​

Protocol-Level Functions​

Related Pages​