Skip to main content
Properly configuring security and access levels is critical for protecting your server and ensuring administrators have appropriate permissions.

Access Levels Overview

Access levels control what commands and abilities each administrator tier can use. They are configured in: 
dist/game/config/AccessLevels.xml

Access Level Structure

Each access level defines:
  • Level: Numeric identifier (-1 to 100)
  • Name: Descriptive role name
  • Name Color: Character name color in hex
  • Title Color: Character title color in hex
  • Child Access: Inherited permissions from lower level
  • Permissions: Specific capabilities (isGM, allowPeaceAttack, etc.)
Source: dist/game/config/AccessLevels.xml:2

Default Access Levels

Purpose: Punished/banned accountsPermissions:
  • Name Color: FFFFFF (white)
  • Title Color: ECF9A2 (light yellow)
  • isGM: false
  • allowPeaceAttack: false
  • allowTransaction: false
  • giveDamage: false
  • takeAggro: false
  • gainExp: false
Banned users cannot perform any game actions.
Purpose: Regular playersPermissions:
  • Name Color: FFFFFF (white)
  • Title Color: ECF9A2 (light yellow)
  • isGM: false
  • allowTransaction: true
  • giveDamage: true
  • takeAggro: true
  • gainExp: true
Standard player account with full gameplay capabilities.
Purpose: Moderation of chat/social featuresPermissions:
  • Inherits from: User (level 0)
  • Name Color: FFFFFF (white)
  • Limited administrative powers
  • Can moderate chat but not modify game state
Suitable for community moderators who don’t need full GM powers.
Purpose: Testing and developmentPermissions:
  • Inherits from: Chat Moderator (level 10)
  • Name Color: FFFFFF (white)
  • allowFixedRes: true
  • allowAltg: true (Alt+G command)
  • giveDamage: false
  • gainExp: false
For QA and testing without affecting game balance.
Purpose: Standard game masterPermissions:
  • Inherits from: Test GM (level 20)
  • Name Color: 0000C0 (blue)
  • Title Color: 0000C0 (blue)
  • Standard GM capabilities
  • Cannot trade or gain experience
Most common GM tier for player support.
Purpose: Player support and assistancePermissions:
  • Inherits from: General GM (level 30)
  • Name Color: 000C00 (dark green)
  • Title Color: 000C00 (dark green)
  • Enhanced support capabilities
For dedicated customer support staff.
Purpose: Event management and coordinationPermissions:
  • Inherits from: Support GM (level 40)
  • Name Color: 00C000 (green)
  • Title Color: 00C000 (green)
  • Event-specific powers
For GMs who run server events and activities.
Purpose: Senior administratorPermissions:
  • Inherits from: Event GM (level 50)
  • Name Color: 0C0000 (dark red)
  • Title Color: 0C0000 (dark red)
  • allowTransaction: true
  • giveDamage: true
  • takeAggro: true
  • gainExp: true
Senior GM with near-full capabilities.
Purpose: Full server administratorPermissions:
  • Inherits from: Head GM (level 60)
  • Name Color: 0FF000 (bright green)
  • Title Color: 0FF000 (bright green)
  • isGM: true
  • allowPeaceAttack: true
  • Full administrative access
Complete server control except master commands.
Purpose: Server owner/master administratorPermissions:
  • Inherits from: Admin (level 70)
  • Name Color: 00CCFF (cyan)
  • Title Color: 00CCFF (cyan)
  • isGM: true
  • Unrestricted access to all commands
Only assign to trusted server owners/developers.

Permission Flags

Core Permissions

isGM

Identifies user as game master. Required for most admin commands.

allowPeaceAttack

Allows attacking in peace zones and non-PvP areas.

allowFixedRes

Enables fixed resurrection (no penalties).

allowTransaction

Permits trading and economic transactions.

allowAltg

Grants access to Alt+G admin panel.

giveDamage

Ability to deal damage to other entities.

takeAggro

Whether NPCs can aggro this character.

gainExp

Whether character gains experience points.

Admin Command Permissions

Commands are restricted by access level in: 
dist/game/config/AdminCommands.xml

Command Access Control

Each command specifies minimum required access level: 
<command name="admin_server_shutdown" accessLevel="100" />
<command name="admin_teleport" accessLevel="30" />
<command name="admin_kick" accessLevel="40" />
Customize command access levels to match your server’s security policy.

GM List Visibility

GM List Management

Control whether GMs appear in the /gmlist command: 
//gmliston   # Add to GM list (visible)
//gmlistoff  # Remove from GM list (hidden)
Source: handlers/admincommandhandlers/AdminAdmin.java:55 
AdminData.getInstance().addGm(activeChar, false);  // Add to list
AdminData.getInstance().addGm(activeChar, true);   // Remove from list
Use cases:
  • gmliston: GM assistance mode (players can see you)
  • gmlistoff: Invisible monitoring mode

Punishment System

Punishment Types

The server supports multiple punishment mechanisms:
Prevents specific character from logging in.Command: //ban_char <character_name>Affect: Single character onlySource: handlers/admincommandhandlers/AdminPunishment.java:369
Blocks entire account from accessing server.Command: //ban_acc <account_name>Affect: All characters on accountSource: handlers/admincommandhandlers/AdminPunishment.java:385
Blocks all connections from IP address.Protection: Validates against localhost and server IP
if (addr.isLoopbackAddress()) {
    throw new UnknownHostException("You cannot ban any local address!");
}
Source: handlers/admincommandhandlers/AdminPunishment.java:293
Hardware-based ban (bypasses IP changes).Command: //ban_hwid <hardware_id>Source: handlers/admincommandhandlers/AdminPunishment.java:401
Restricts chat without blocking gameplay.Command: //ban_chat <player_name>Source: handlers/admincommandhandlers/AdminPunishment.java:417
Imprisons character in jail zone.Command: //jail <player_name>Source: handlers/admincommandhandlers/AdminPunishment.java:433

Punishment Expiration

Punishments can be temporary or permanent: 
//punishment_add <key> <affect> <type> <minutes> <reason>
Parameters:
  • key: Username, character name, IP, or HWID
  • affect: ACCOUNT, CHARACTER, IP, or HWID
  • type: BAN, CHAT_BAN, or JAIL
  • minutes: Duration (-1 for permanent)
  • reason: Explanation text
Example: 
//punishment_add PlayerName CHARACTER CHAT_BAN 60 Spamming
Source: handlers/admincommandhandlers/AdminPunishment.java:222

Security Best Practices

Critical Security Guidelines
  1. Minimize Master Access: Only 1-2 trusted individuals should have level 100
  2. Audit Logs: Regularly review GM action logs in dist/game/log/audit.log
  3. Access Review: Periodically review all GM accounts and remove inactive ones
  4. Strong Passwords: Enforce strong password policies for admin accounts
  5. IP Whitelist: Consider IP restrictions for high-level admin access

GM Action Auditing

All administrative actions are logged: 
GMAudit.logAction(activeChar.getName() + " [" + activeChar.getObjectId() + "]",
                  cmd, affect.name(), name);
Logged information:
  • GM character name and object ID
  • Command executed
  • Target player/entity
  • Timestamp
Source: handlers/admincommandhandlers/AdminPunishment.java:320

Protecting Server IP

The punishment system prevents banning the server’s own IP: 
if (ServerConfig.GAME_SERVER_HOSTS.contains(addr.getHostAddress())) {
    throw new UnknownHostException("You cannot ban your gameserver's address!");
}
Source: handlers/admincommandhandlers/AdminPunishment.java:298

Database Security

Access Level Storage

Access levels are stored in the database: Table: characters Column: accesslevel

Changing Access Levels

In-game command: 
//changeaccesslevel <player_name> <level>
Direct database update: 
UPDATE characters SET accesslevel = 70 WHERE char_name = 'AdminName';
Always restart the character or use //character_reload after database changes.

Flood Protection

Protect against command spam in dist/game/config/FloodProtector.ini: 
# Admin command flood protection
AdminCommandFloodProtector = True
AdminCommandInterval = 100
AdminCommandMaxAttempts = 10

Network Security

Connection Limits

Configure in dist/game/config/Network.ini: 
# Maximum connections per IP
MaximumConnectionsPerIP = 5

# Enable packet encryption
EnablePacketEncryption = True

DDoS Protection

Implement at infrastructure level:
  • Use a firewall (iptables, UFW)
  • Consider DDoS protection service
  • Rate-limit incoming connections
  • Monitor for unusual traffic patterns

Configuration Files Security

File Permissions

Restrict access to configuration files: 
chmod 600 dist/game/config/Database.ini
chmod 600 dist/game/config/AccessLevels.xml
chown gameserver:gameserver dist/game/config/*

Sensitive Data

Never commit these files to public repositories:
  • Database.ini (contains DB credentials)
  • Network.ini (contains encryption keys)
  • AccessLevels.xml (security configuration)

Admin Commands

Complete command reference

Monitoring

Audit logs and monitoring

Troubleshooting

Security-related issues

Build docs developers (and LLMs) love

Get started for freeTalk to us