Roles

How to manage Roles.

Overview

Roles are a key part of our system's access control mechanism. They allow administrators to define sets of permissions that can be assigned to users, making it easier to manage who can do what within the application. Instead of assigning individual permissions to each user, administrators can create roles with specific permission sets and then assign those roles to users.

Key Concepts

Roles

A role is a named collection of permissions that defines what actions a user can perform in the system. Roles can be:

  • System-defined: These are created automatically by the system (like "admin") and provide a baseline of functionality.
  • Custom: Created by administrators to meet specific organizational needs.
  • Default: Roles can be marked as default, meaning they are automatically assigned to new users.

Permissions

Permissions are individual access rights that allow users to perform specific actions in the system. They are grouped into three types:

  • Common: Basic permissions available across the entire system
  • Client: Permissions specific to client accounts
  • Supplier: Permissions specific to supplier accounts

User Accounts

User accounts represent a user's presence within a specific organization (client or supplier). A single user can have multiple user accounts if they belong to multiple organizations. Each user account can have:

  • Multiple roles
  • Direct permissions (assigned specifically to that user account)

User Groups

User groups allow administrators to organize users into logical collections. Groups can have:

  • Multiple user accounts as members
  • Roles and permissions assigned to them

When a user is added to a group, they inherit all the roles and permissions assigned to that group.

How Roles Work

Role Assignment

Roles can be assigned to:

  1. Individual user accounts: Giving specific users access to certain functions
  2. User groups: Allowing administrators to manage permissions for multiple users at once

Role Hierarchy

When a new client is created in the system, an "admin" role is automatically created for that client with all common and client-specific permissions. This role is marked as the default role, meaning it will be automatically assigned to the first user account created for that client.

Permission Inheritance

Users receive permissions through:

  1. Direct assignment: Permissions assigned directly to their user account
  2. Role assignment: Permissions that come from roles assigned to their user account
  3. Group membership: Permissions and roles inherited from any groups they belong to
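The three inheritance paths above, together with the default-role and auto-created admin behaviour described under Role Hierarchy, are easy to get wrong when computing what a user can actually do. The following is an added worked example (it is not the product's own code): it models organizations, roles, user accounts and user groups as described on this page and resolves an account's effective permissions as the union of its direct permissions, its role permissions, and the roles and permissions of every group it belongs to. All class names, function names and the sample permission strings are constructed for illustration.

```python
from dataclasses import dataclass, field

# Permission catalogue grouped into the page's three types.
# The permission names are constructed sample values, not real identifiers.
COMMON = frozenset({"view_dashboard", "edit_profile"})
CLIENT = frozenset({"create_order", "approve_invoice", "manage_users"})
SUPPLIER = frozenset({"submit_quote", "update_catalog"})


@dataclass(frozen=True)
class Role:
    """A named, immutable collection of permissions; may be flagged as default."""
    name: str
    permissions: frozenset
    is_default: bool = False


@dataclass
class UserAccount:
    """A user's presence within one organization: roles plus direct permissions."""
    user: str
    roles: list = field(default_factory=list)
    direct_permissions: set = field(default_factory=set)


@dataclass
class UserGroup:
    """A group carries member accounts and its own roles and permissions."""
    name: str
    members: list = field(default_factory=list)
    roles: list = field(default_factory=list)
    permissions: set = field(default_factory=set)


@dataclass
class Organization:
    name: str
    kind: str                      # "client" or "supplier"
    roles: list = field(default_factory=list)
    groups: list = field(default_factory=list)
    accounts: list = field(default_factory=list)


def create_client(name):
    """A new client gets an 'admin' role holding every common and client
    permission, marked as the default role, as the page describes."""
    admin = Role("admin", COMMON | CLIENT, is_default=True)
    return Organization(name, "client", roles=[admin])


def create_user_account(org, user):
    """New accounts automatically receive the organization's default roles."""
    acct = UserAccount(user, roles=[r for r in org.roles if r.is_default])
    org.accounts.append(acct)
    return acct


def effective_roles(org, acct):
    """Roles assigned directly plus roles inherited from group membership."""
    roles = list(acct.roles)
    for group in org.groups:
        if acct in group.members:
            roles.extend(group.roles)
    return roles


def effective_permissions(org, acct):
    """Union of the three sources the page lists: direct permissions,
    role permissions, and permissions/roles inherited from groups."""
    perms = set(acct.direct_permissions)
    for group in org.groups:
        if acct in group.members:
            perms |= group.permissions
    for role in effective_roles(org, acct):
        perms |= role.permissions
    return perms


def demo():
    acme = create_client("Acme")
    alice = create_user_account(acme, "alice")   # receives 'admin' via the default flag

    # A custom, non-default role created by an administrator.
    clerk = Role("Order Clerk", COMMON | {"create_order"})
    acme.roles.append(clerk)

    # Assigned explicitly; going through create_user_account would also hand
    # bob the default 'admin' role, which is what "default role caution" is about.
    bob = UserAccount("bob", roles=[clerk])
    acme.accounts.append(bob)

    # A group carrying a direct permission; bob inherits it through membership.
    finance = UserGroup("Finance", members=[bob], permissions={"approve_invoice"})
    acme.groups.append(finance)

    return {
        "alice": effective_permissions(acme, alice),
        "bob": effective_permissions(acme, bob),
        "bob_roles": [r.name for r in effective_roles(acme, bob)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, sorted(value) if isinstance(value, set) else value)
```

Running the script shows alice holding all common and client permissions through the default admin role, while bob holds the clerk role's permissions plus approve_invoice inherited from the Finance group, and nothing else. Computing the effective set this way, rather than checking each source separately, is what makes later audits (see Security Considerations) meaningful.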

Managing Roles

Creating Roles

Administrators can create new roles by:

  1. Providing a name for the role
  2. Selecting which permissions to include
  3. Optionally marking the role as a default role
  4. Associating the role with a specific team (client or supplier)

Editing Roles

Existing roles can be modified to:

  1. Change the role name
  2. Add or remove permissions
  3. Change the default status

Deleting Roles

Roles that are no longer needed can be deleted from the system. However, this should be done with caution, as it may affect users who have that role assigned.

Best Practices

  1. Use descriptive names: Give roles clear, descriptive names that indicate their purpose (e.g., "Content Editor" rather than "Role 1").

  2. Follow the principle of least privilege: Assign only the permissions necessary for users to perform their job functions.

  3. Regularly review roles: Periodically review role assignments and permissions to ensure they remain appropriate.

  4. Use user groups: For organizations with many users, use user groups to simplify permission management.

  5. Document custom roles: Keep documentation of what each custom role is intended to do and what permissions it includes.

Common Scenarios

New User Onboarding

When a new user joins an organization:

  1. Create a user account for them within the organization
  2. Assign appropriate roles based on their job function
  3. Add them to relevant user groups if applicable

Changing User Responsibilities

When a user's responsibilities change:

  1. Review their current role assignments
  2. Add or remove roles as needed
  3. Consider moving them to different user groups if applicable

Creating Specialized Access

For users who need specialized access:

  1. Determine if existing roles meet their needs
  2. If not, consider creating a new role with the specific permissions required
  3. Assign the new role to the appropriate users

Security Considerations

  1. Regular audits: Regularly audit role assignments to ensure users have appropriate access.
  2. Role separation: Maintain separation of duties by creating roles that don't combine sensitive permissions.
  3. Default role caution: Be careful when marking roles as default, as they will be automatically assigned to new users.
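The role separation and regular audit points above can be checked mechanically. The following added example (not the product's own code) defines a constructed list of permission pairs that should not be held together and reports, first, roles that combine such a pair, and second, going one step beyond the text, accounts whose combination of individually clean roles still breaks the separation. The role names, permission strings and conflict pairs are constructed for illustration.

```python
# Pairs of permissions that should never be held by one role or one account.
# These pairs and the permission names are constructed sample values.
SOD_CONFLICTS = [
    frozenset({"create_order", "approve_invoice"}),
    frozenset({"manage_users", "approve_invoice"}),
]

# Role definitions as an administrator might have created them (constructed).
ROLES = {
    "admin": {"view_dashboard", "create_order", "approve_invoice", "manage_users"},
    "Order Clerk": {"view_dashboard", "create_order"},
    "Invoice Approver": {"view_dashboard", "approve_invoice"},
}

# Role assignments per user account (constructed).
ASSIGNMENTS = {
    "alice": ["admin"],
    "bob": ["Order Clerk"],
    "carol": ["Order Clerk", "Invoice Approver"],
}


def sod_violations(permissions, conflicts=SOD_CONFLICTS):
    """Return every conflicting pair fully contained in a permission set."""
    return [pair for pair in conflicts if pair <= permissions]


def audit_roles(roles, conflicts=SOD_CONFLICTS):
    """Roles that combine sensitive permissions, mapped to the pairs they violate."""
    findings = {}
    for name, perms in roles.items():
        violated = sod_violations(perms, conflicts)
        if violated:
            findings[name] = violated
    return findings


def audit_accounts(assignments, roles, conflicts=SOD_CONFLICTS):
    """Accounts whose combined roles break separation of duties, even when
    each assigned role is clean on its own."""
    findings = {}
    for account, role_names in assignments.items():
        combined = set().union(*(roles[n] for n in role_names))
        violated = sod_violations(combined, conflicts)
        if violated:
            findings[account] = violated
    return findings


if __name__ == "__main__":
    for role, pairs in audit_roles(ROLES).items():
        print(f"role {role!r} combines: {[sorted(p) for p in pairs]}")
    for account, pairs in audit_accounts(ASSIGNMENTS, ROLES).items():
        print(f"account {account!r} combines: {[sorted(p) for p in pairs]}")
```

The role audit flags the admin role, which is expected for the auto-created admin role and is one reason the page advises caution with default roles. The account audit additionally flags carol, whose two clean roles together cover create_order and approve_invoice; that case is only visible when the check runs over each account's combined roles, which is what the "regular audits" item calls for.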

Last updated on Mar 28, 2025 by omelbs