AMX Mod X access control is a single string of lowercase letters. Each letter unlocks a category of commands, and a plugin decides which flag its command requires. This is the full a-z reference exactly as the flags are defined in AMXX, plus the role presets most servers actually use. Keep this next to your users.ini.
1. The complete flag table
| Flag | Unlocks |
|---|---|
a | Immunity — cannot be kicked, banned, slayed or slapped by other admins |
b | Reservation — can join a full server on a reserved slot |
c | amx_kick |
d | amx_ban, amx_banip, amx_unban, amx_addban |
e | amx_slay, amx_slap |
f | amx_map (change map) |
g | amx_cvar — change server cvars (not all are exposed) |
h | amx_cfg — execute config files |
i | amx_chat and other admin chat commands |
j | amx_vote and vote commands |
k | Access to the sv_password cvar (through amx_cvar) |
l | amx_rcon and rcon menu access |
m | Custom level A (for additional plugins) |
n | Custom level B |
o | Custom level C |
p | Custom level D |
q | Custom level E |
r | Custom level F |
s | Custom level G |
t | Custom level H (commonly used for VIP) |
u | Menu access (amx_menu and admin menus) |
z | User — no admin access at all |
There is no v, w, x or y in the standard set. The custom levels m-t are yours: a plugin author picks one and documents it, which is how VIP systems (see building a VIP plugin) attach to flag t.
2. How a flag becomes a command
When a plugin registers a command it names the required flag:
register_concmd("amx_kick", "cmd_kick", ADMIN_KICK) // ADMIN_KICK == flag c
The constants map one to one: ADMIN_IMMUNITY = a, ADMIN_RESERVATION = b, ADMIN_KICK = c, ADMIN_BAN = d, ADMIN_SLAY = e, ADMIN_MAP = f, ADMIN_CVAR = g, up through ADMIN_LEVEL_A-H (m-t), ADMIN_MENU = u and ADMIN_USER = z. So the flags you grant in users.ini line up exactly with the constants plugin authors use.
At runtime a plugin reads a player's flags as a bitmask and tests the one it cares about:
if (get_user_flags(id) & ADMIN_BAN) {
// player has flag d
}
This is why flags stack freely — cdef is just four bits set at once. It is also why a plugin author can convert a string to a mask with read_flags("t") and store it, the approach used when a plugin exposes its own _access cvar so admins can rebind which flag a command needs.
3. Reading and rebinding a command's flag
Well-written plugins do not hard-code the flag; they expose a cvar, so you can change the requirement without recompiling. For example a plugin might register amx_slay against a cvar defaulting to e. Check a plugin's .cfg or its documented cvars before assuming a command's flag — two servers can require different flags for the same command name. When in doubt, the AMXX console command amx_help lists the commands available to you given your current flags, which is the quickest way to see the effective mapping on a live server.
4. Practical role presets
- Full admin / owner:
abcdefghijklmnopqrstu— everything exceptz. - Head admin (no rcon):
abcdefgijkmnopqrstu— droplso they cannot run raw rcon. - Moderator:
cdefiju— kick, ban, slay/slap, chat, vote, menu. No immunity, no cvars. - Trial mod:
ceu— kick and slay/slap through the menu only. - VIP:
bt— reserved slot plus custom level H, no admin commands. - Reserved slot only:
b.
Give a (immunity) sparingly. An immune troublemaker cannot be removed by your other admins, only by someone with console/rcon.
Common errors
- Granting
zand expecting admin power —zis explicitly "no access". It is used to register a user without privileges, not to grant them. - Forgetting
u— an admin with kick/ban flags but noucannot openamx_menu; they must type commands in console. Addufor anyone who should use the menu. - Confusing flag
lwith rcon_password — flaglgrantsamx_rcon(send commands through AMXX). It is not the enginercon_password; see RCON setup. - Custom-level collision — two plugins both claiming flag
twill both react to it. Check each plugin's docs before reusingm-t. - Immunity abused — a moderator with
acannot be disciplined by peers. Reserveafor trusted senior staff.
Verification
Assign a preset in users.ini, run amx_reloadadmins, reconnect, and check amx_who — it lists each online player with their resolved flag string. Then test one command from the granted set and one from a set you deliberately withheld: the withheld command should answer You have no access to that command. That negative test is what proves the flags are doing their job. For placing these flags correctly, return to users.ini explained.









