Permissions and Roles: Difference between revisions
Created Page |
No edit summary |
||
| Line 99: | Line 99: | ||
* ✅ IsReadOnly flag enabled | * ✅ IsReadOnly flag enabled | ||
'''Use Case:''' Auditors, consultants, stakeholders, interns, or anyone who needs to see data but shouldn't change anything. | '''Use Case:''' Auditors, consultants, stakeholders, interns, or anyone who needs to see data but | ||
shouldn't change anything. | |||
---- | |||
== Quick Reference Matrix == | |||
---- | |||
== Best Practices == | |||
# '''Start Restrictive:''' Assign the minimum role needed. You can always promote users later. | |||
# '''Regular Audits:''' Review user roles quarterly. That intern from 2019 probably doesn't need SuperAdmin anymore. | |||
# '''Separation of Duties:''' Keep financial and user management permissions limited to trusted admins. | |||
# '''Document Changes:''' Log role changes, especially escalations to Admin/SuperAdmin. | |||
---- | |||
== Notes for Developers == | |||
* '''Admin vs SuperAdmin:''' Currently identical. Consider restricting <code>CanAccessGlobalSettings</code> and <code>CanUpdateLicense</code> to SuperAdmin only. | |||
* '''Money = Admin Territory:''' Financial permissions deliberately restricted to admin roles. | |||
* '''BaseUser:''' Currently has no explicit permissions. Define what they ''can'' do in your application logic. | |||
Revision as of 01:25, 30 September 2025
User Roles & Permissions Guide
Overview
The system has six user roles, each with different permission levels. Think of it as a video game tier list, but for business operations. 🎮
Role Hierarchy
🦸♂️ Super Administrator
"God Mode Activated"
Full system access. Can do literally everything.
Key Permissions:
- All administrative functions
- Global settings configuration
- License management
- User management (create, update)
- Organization details
- Email & banking settings
- File & PDF imports
- Department management
- Document creation & updates
Use Case: System owner, IT director, or that one person who knows where all the bodies are buried.
👑 Administrator
"Almost Everything Except the Nuclear Codes"
Company-level admin with near-complete access. Currently identical to SuperAdmin (you might want to revisit this).
Key Permissions:
- Same as SuperAdministrator
- Access to all operational and administrative functions
Use Case: Senior management, operations director, trusted lieutenant.
⚠️ Note: The comments suggest CanAccessGlobalSettings and CanUpdateLicense should probably be SuperAdmin-only. Worth reviewing.
💪 Super User
"Power User with Training Wheels Off"
Can handle most day-to-day operations but can't mess with the company structure or users.
Key Permissions:
- ✅ Document management (create, update)
- ✅ File & PDF imports
- ✅ Department management
- ✅ Admin menu access
- ❌ Organization settings
- ❌ User management
- ❌ Financial settings
- ❌ License updates
Use Case: Team lead, operations manager, power user who gets stuff done.
⚡ Power User
"Operational Access, Hold the Danger"
More limited than SuperUser. Can manage departments but not much else.
Key Permissions:
- ✅ Department management
- ✅ Admin menu access
- ❌ Everything else
Use Case: Department head, mid-level manager, someone who needs organizational visibility but limited editing rights.
👤 Base User
"Standard Issue Employee"
Basic operational access. Can use the system but can't change anything structural.
Key Permissions:
- ❌ All administrative functions disabled
- Can view and use standard features (implied)
Use Case: Regular employees, data entry staff, most of your workforce.
👀 Read-only User
"Look But Don't Touch"
View-only access. The digital equivalent of a museum visitor.
Key Permissions:
- ❌ Everything is disabled
- ✅ IsReadOnly flag enabled
Use Case: Auditors, consultants, stakeholders, interns, or anyone who needs to see data but shouldn't change anything.
Quick Reference Matrix
Best Practices
- Start Restrictive: Assign the minimum role needed. You can always promote users later.
- Regular Audits: Review user roles quarterly. That intern from 2019 probably doesn't need SuperAdmin anymore.
- Separation of Duties: Keep financial and user management permissions limited to trusted admins.
- Document Changes: Log role changes, especially escalations to Admin/SuperAdmin.
Notes for Developers
- Admin vs SuperAdmin: Currently identical. Consider restricting
CanAccessGlobalSettingsandCanUpdateLicenseto SuperAdmin only. - Money = Admin Territory: Financial permissions deliberately restricted to admin roles.
- BaseUser: Currently has no explicit permissions. Define what they can do in your application logic.