In order to prevent malicious users from making use of Roblox's more sensitive APIs, each Lua thread has a certain identity level depending on the origin of the code's execution. This page details what identity levels exist, and the identity levels associated with Roblox's security context tags.
The specific identity of a thread can be found by calling the global printidentity function. Identities were arbitrarily chosen meaning that there is no specific hierarchy between them. For example, identity 2 has no access to anything protected while all of the other identities can use at least some protected items. The numbers themselves have no meaning, and there is no hierarchy between them theoretically (though practically, some of them do allow for more to be done than others). All threads with an identity can only use what their identity allows them to do. Threads with no identity can do anything and are unrestricted.
|Anonymous||0||Identity level of unknown origin. This level is unable to perform any actions.|
|LocalGui||1||Any action initiated by Roblox Studio or the mouse. An example would be the expression evaluator.|
|GameScript (Script/LocalScript/ModuleScript)||2||Execution of a LuaSourceContainer object inside any DataModel|
|GameScriptInRobloxPlace (Script/LocalScript/ModuleScript)||3||Execution of a LuaSourceContainer object inside any DataModel, if the place was authored by Roblox|
|RobloxGameScript (CoreScript)||4||Execution of a CoreScript object written by Roblox|
| Command line (or
||5||Execution of Lua code on Roblox Studio's command line.|
|Plugin||6||Execution of Lua code from a plugin.|
|COM (Backend Server)||7||Execution of Lua code from the backend server.|
Certain API members in Roblox are given a tag indicating what identity levels are allowed to use them.
|Context||Description||Identity levels that can use this|
(no security tags)
|Member can be used with any identity level that Roblox can identify.||1,2,3,4,5,6,7|
|RobloxPlaceSecurity||Member can be used by any identity level, but only if Roblox has marked the game as being authored by Roblox.||3,4,5,6,7|
|PluginSecurity||Member can only be used by identity levels that have security <= to plugins||4,5,6,7|
|LocalUserSecurity||Member can only be used by identity levels that have security <= to the command bar||4,5,7|
|RobloxScriptSecurity||Member can only be used by CoreScripts, or Roblox's backend server.||4,7|
|RobloxSecurity||Member can only be used by Roblox's backend server, and thus cannot be activated by users in any shape or form.||7|
|NotAccessibleSecurity||Member cannot be used in any Lua context, period. It might be changeable in Roblox Studio's property menu.||N/A|