User Roles & Permissions Guide
Overview
The system has six user roles, each with different permission levels. Think of it as a video game tier list, but for business operations. ๐ฎ
Role Hierarchy
๐ฆธโโ๏ธ Super Administrator
"God Mode Activated"
Full system access. Can do literally everything.
Key Permissions:
- All administrative functions
- Global settings configuration
- License management
- User management (create, update)
- Organization details
- Email & banking settings
- File & PDF imports
- Department management
- Document creation & updates
Use Case: System owner, IT director, or that one person who knows where all the bodies are buried.
๐ Administrator
"Almost Everything Except the Nuclear Codes"
Company-level admin with near-complete access. Currently identical to SuperAdmin (you might want to revisit this).
Key Permissions:
- Same as SuperAdministrator
- Access to all operational and administrative functions
Use Case: Senior management, operations director, trusted lieutenant.
โ ๏ธ Note: The comments suggest CanAccessGlobalSettings and CanUpdateLicense should probably be SuperAdmin-only. Worth reviewing.
๐ช Super User
"Power User with Training Wheels Off"
Can handle most day-to-day operations but can't mess with the company structure or users.
Key Permissions:
- โ Document management (create, update)
- โ File & PDF imports
- โ Department management
- โ Admin menu access
- โ Organization settings
- โ User management
- โ Financial settings
- โ License updates
Use Case: Team lead, operations manager, power user who gets stuff done.
โก Power User
"Operational Access, Hold the Danger"
More limited than SuperUser. Can manage departments but not much else.
Key Permissions:
- โ Department management
- โ Admin menu access
- โ Everything else
Use Case: Department head, mid-level manager, someone who needs organizational visibility but limited editing rights.
๐ค Base User
"Standard Issue Employee"
Basic operational access. Can use the system but can't change anything structural.
Key Permissions:
- โ All administrative functions disabled
- Can view and use standard features (implied)
Use Case: Regular employees, data entry staff, most of your workforce.
๐ Read-only User
"Look But Don't Touch"
View-only access. The digital equivalent of a museum visitor.
Key Permissions:
- โ Everything is disabled
- โ IsReadOnly flag enabled
Use Case: Auditors, consultants, stakeholders, interns, or anyone who needs to see data but shouldn't change anything.
Quick Reference Matrix
Best Practices
- Start Restrictive: Assign the minimum role needed. You can always promote users later.
- Regular Audits: Review user roles quarterly. That intern from 2019 probably doesn't need SuperAdmin anymore.
- Separation of Duties: Keep financial and user management permissions limited to trusted admins.
- Document Changes: Log role changes, especially escalations to Admin/SuperAdmin.
Notes for Developers
- Admin vs SuperAdmin: Currently identical. Consider restricting
CanAccessGlobalSettingsandCanUpdateLicenseto SuperAdmin only. - Money = Admin Territory: Financial permissions deliberately restricted to admin roles.
- BaseUser: Currently has no explicit permissions. Define what they can do in your application logic.