• RESTART (the right to restart a Fragment, server or network)
• REVOKE (the right to remove any access rights)
• GRANT (the right to grant other users rights from the set that oneself has, including GRANT, and to remove access rights from users without GRANT)
• EVICT (the right to kick or ban a user)
• MOLD (the right to reshape the landscape)
• GLOBAL (the right to send Fragment-global messages)
• ROLE (the right to swap places with a Puppet with a predefined role)
• QUARANTINE (the right to create a quarantine zone)
• RELOCATE (the right to remotely teleport another user)
• FMORPH (the right to bypass avatar restrictions)
• WRITE (the right to write or re-write metadata in the Fragment)
• FREAD (the right to access all metadata in the Fragment - even metadata flagged as incomplete or Fragment-private)
• HOP (the right to teleport throughout the Fragment)
• MORPH (the right to change one's avatar in accordance with avatar restrictions)
• READ (the right to access regular metadata)

Guest / User:

• HOP
• MORPH
• READ

Guide:

• all guest/user access rights
• ROLE
• RELOCATE
• FMORPH
• FREAD

Gamemaster:

• all guide access rights
• WRITE

Moderator:

• all gamemaster access rights
• EVICT

Admin:

• all moderator access rights
• QUARANTINE
• GRANT
• MOLD
• GLOBAL

Founder:

• all admin access rights
• REVOKE
• RESTART (democratic; requires all founders to agree)

Actual user authentication (i.e. determining the identity of a user) varies strongly between servers. Sanctuary (re)identifies users on connection to a Fragment using their hostmask and an automated challenge-response handshake the user needs access to their private key for - and maintains a session for the time the user remains in the Fragment. This is true for Denizens (which are expected to have a localhost hostmask) as well as Citizens. Autonomous Puppets are free to move between Fragments, but foreign autonomous Puppets are authenticated on connection with Sanctuary as a whole.