# Operators, Admins & TCP Console on Schedule 1 (/docs/schedule-1/operators-admins)



import { Callout } from 'fumadocs-ui/components/callout';
import { Step, Steps } from 'fumadocs-ui/components/steps';

The S1 DedicatedServerMod has a real permission system: five built-in groups, dotted permission nodes with wildcard support, temporary grants, and a `permissions.toml` file that controls all of it.

<Callout type="info">
  Authoritative reference: [docs.s1servers.com/configuration/permissions](https://docs.s1servers.com/).
</Callout>

***

Built-in groups [#built-in-groups]

The mod ships with a five-tier group hierarchy. Each group inherits from the tier below it, as the "Inherits from" column shows.

| Group           | Inherits from   | Adds                                        |
| --------------- | --------------- | ------------------------------------------- |
| `default`       | —               | Basic read-only access (e.g. `server.help`) |
| `support`       | `default`       | `server.info`                               |
| `moderator`     | `support`       | Player moderation (kick, ban, unban)        |
| `administrator` | `moderator`     | Server maintenance (save, reload config)    |
| `operator`      | `administrator` | Remote console access (TCP console)         |

The legacy `op` / `deop` / `admin` / `deadmin` commands are compatibility wrappers — they manage membership in these built-in groups so you don't have to hand-edit `permissions.toml` for routine admin changes.

***

permissions.toml structure [#permissionstoml-structure]

```toml
[metadata]
schemaVersion = 1
migrationVersion = 1

[group.default]
priority = 0
allow = ['server.help']
deny = []

[group.moderator]
priority = 20
inherits = ['support']
allow = ['player.kick', 'player.ban']

[user.76561198000000000]
groups = ['operator']
allow = ['console.command.cleartrash']     # Direct grant on top of group rights
deny = []

[tempgroup.weekend-mod-1]
subjectId = '76561198111111111'
group = 'moderator'
expiresAt = '2026-05-20T00:00:00Z'

[tempallow.early-tester]
subjectId = '76561198222222222'
allow = ['console.command.cleartrash']
expiresAt = '2026-06-01T00:00:00Z'

[ban.76561198987654321]
subjectId = '76561198987654321'
reason = 'griefing'
```

The blocks:

| Block                                  | Use                                                           |
| -------------------------------------- | ------------------------------------------------------------- |
| `[metadata]`                           | Schema + migration version tracking                           |
| `[group.<name>]`                       | Define a group with priority, inheritance, allow / deny rules |
| `[user.<steamid>]`                     | Assign a user to groups + direct allow / deny                 |
| `[tempgroup.<id>]`                     | Time-limited group membership                                 |
| `[tempallow.<id>]` / `[tempdeny.<id>]` | Time-limited direct permission grants                         |
| `[ban.<subjectId>]`                    | Ban entries with reason                                       |

***

Permission nodes [#permission-nodes]

Dotted names, with `*` as a wildcard:

* `console.open` — connect to the TCP console
* `console.command.<cmd>` — run a specific console command (e.g. `console.command.kick`)
* `console.command.*` — run any console command
* `player.kick`, `player.ban`, `player.unban` — moderation actions
* `server.save`, `server.reloadconfig`, `server.reloadpermissions` — server maintenance
* `*` — root grant (use sparingly)

Permission checks combine: group rights + direct user grants − direct user denies. Bans are evaluated first and reject the connection outright.

***

Add yourself as an operator (first-time setup) [#add-yourself-as-an-operator-first-time-setup]

<Steps>
  <Step>
    Find your SteamID64. Use [steamid.io](https://steamid.io/) — paste your profile URL, copy the 17-digit `7656...` value.
  </Step>

  <Step>
    Stop the server from the panel **Dashboard**.
  </Step>

  <Step>
    Open **File Manager** → edit `permissions.toml`.
  </Step>

  <Step>
    Add yourself:

    ```toml
    [user.76561198000000000]
    groups = ['operator']
    allow = []
    deny = []
    ```
  </Step>

  <Step>
    Save and start the server. Verify by opening the **Console** tab and running `serverinfo` — operator-only output should appear.
  </Step>
</Steps>

If you'd rather not edit TOML directly, after first launching the server you can use the compatibility commands from the **Console** tab:

```
op 76561198000000000
```

That grants the operator group via the wrapper command — the mod writes the change back to `permissions.toml` for you.

***

Add moderators with limited rights [#add-moderators-with-limited-rights]

```toml
[user.76561198111111111]
groups = ['moderator']           # Can kick / ban, no server-maintenance access

[user.76561198222222222]
groups = ['support']             # Can read serverinfo, can't kick
```

Or, for a small custom setup that doesn't fit the built-ins, define your own group:

```toml
[group.helper]
priority = 15
inherits = ['support']
allow = ['player.kick']

[user.76561198333333333]
groups = ['helper']
```

This `helper` group gets `server.info` from `support` plus the explicit `player.kick`.

***

TCP console (RCON-style remote admin) [#tcp-console-rcon-style-remote-admin]

The mod ships a **TCP console** — a socket-based remote admin transport, equivalent to RCON in other games.

Configuration [#configuration]

In `server_config.toml`:

```toml
[tcpConsole]
stdioConsoleMode = 'Auto'
tcpConsoleBindAddress = '127.0.0.1'
tcpConsolePort = 4050
```

| Field                   | Default       | Note                                                                       |
| ----------------------- | ------------- | -------------------------------------------------------------------------- |
| `stdioConsoleMode`      | `'Auto'`      | Whether stdin can also pump commands into the server (used by some panels) |
| `tcpConsoleBindAddress` | `'127.0.0.1'` | Bind address. **Keep on localhost** unless you have a strong reason.       |
| `tcpConsolePort`        | `4050`        | TCP port                                                                   |

Connecting from outside the host [#connecting-from-outside-the-host]

The TCP console binds to localhost by default. To reach it from your local machine, tunnel over SSH using your **SFTP Details** from the panel:

```bash
ssh -L 4050:127.0.0.1:4050 <sftp-user>@<sftp-host> -p <sftp-port>
```

Then connect any TCP / line-based admin tool (Netcat, raw TCP client) to `localhost:4050`.

<Callout type="warn">
  If you expose the TCP console beyond localhost (`tcpConsoleBindAddress = '0.0.0.0'`), the upstream docs warn: *"require a password and treat it as a trusted admin surface, not a public service."* The exact password mechanism in this build is documented at [docs.s1servers.com/host-console](https://docs.s1servers.com/) — check there before exposing.
</Callout>

Commands you can run remotely [#commands-you-can-run-remotely]

The TCP console accepts the same commands as the in-panel **Console** tab. See [Commands Reference](/docs/schedule-1/commands-reference) for the full list.

***

Ban a player [#ban-a-player]

Edit `permissions.toml`:

```toml
[ban.76561198987654321]
subjectId = '76561198987654321'
reason = 'griefing'
```

Or use the wrapper:

```
ban <player_name_or_id> [reason]
```

from the **Console** tab. The mod will write the entry into `permissions.toml`.

To unban:

```
unban <steamid>
```

***

Temporary grants [#temporary-grants]

For weekend events, beta-tester access, or trial moderators, use the temporary blocks (`tempgroup`, `tempallow`, `tempdeny`):

```toml
[tempgroup.weekend-event]
subjectId = '76561198000000000'
group = 'moderator'
expiresAt = '2026-05-20T00:00:00Z'
```

After `expiresAt`, the grant is gone — no manual cleanup needed.

***

Reloading after edits [#reloading-after-edits]

After editing `permissions.toml`, from the **Console** tab:

```
reloadpermissions
```

No restart needed — group / user / ban changes apply on the fly.

***

Related Guides [#related-guides]

* [Commands Reference →](/docs/schedule-1/commands-reference)
* [Server Config Reference →](/docs/schedule-1/server-config)
* [Web Panel →](/docs/schedule-1/web-panel)
* [Client Mod Verification →](/docs/schedule-1/client-mod-verification)
