# Firestore Security Rules

Security rules are defined in `firestore.rules` at the repository root.
## Deploy commands

```bash
# Rules only
firebase deploy --only firestore:rules

# Rules + indexes
firebase deploy --only firestore:rules,firestore:indexes
```
## Key rule functions

| Function | Description |
|---|---|
| `isSignedIn()` | User is authenticated |
| `isSuperAdmin()` | User document has the `super_admin` role |
| `canManageSettings()` | Super Admin only; gates settings writes |
| `isUserManager()` | `super_admin`, `admin`, or `it_manager` |
| `isOwnUserDoc(userId)` | User is editing their own profile |
## Collection access summary

| Collection | Read | Write |
|---|---|---|
| `users` | Signed in | Self or user manager |
| `assets` | Signed in | Signed in |
| `assetRequests` | Signed in | Signed in |
| `departments`, `locations`, `organizations` | Signed in | Signed in |
| `siteMapNodes` | Signed in | Signed in |
| `settings/rolePermissions` | Signed in | Super Admin |
| `settings/mapDesigner` | Signed in | Super Admin |
| `settings/auth`, `settings/security` | Public read | Super Admin write |
| `auditLogs` | Signed in | Signed in |
## Production hardening

The default rules allow broad write access for authenticated users on operational collections. For production:

- Tighten `assets` and `assetRequests` writes by role
- Use custom claims or Firestore role checks matching the permission matrix
- Enable Firebase App Check
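As an added illustration (not the repository's own `firestore.rules`), the rules below show how the helper functions listed above and the role-based tightening of `assets` writes could be expressed. They assume the caller's role is stored in `users/{uid}.role` and that `settings/rolePermissions` lists entries such as `assets.write` per role; they also go one step further than the summary table by refusing self-edits that touch the `role` field.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    function isSignedIn() {
      return request.auth != null;
    }
    // Assumption: the caller's role is stored in users/{uid}.role
    function userRole() {
      return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role;
    }
    function isSuperAdmin() {
      return isSignedIn() && userRole() == 'super_admin';
    }
    function isUserManager() {
      return isSignedIn() && userRole() in ['super_admin', 'admin', 'it_manager'];
    }
    function isOwnUserDoc(userId) {
      return isSignedIn() && request.auth.uid == userId;
    }
    // True when the caller's role lists `perm` in settings/rolePermissions.
    // super_admin is not in the matrix, so it is granted explicitly; a role
    // missing from the matrix makes the lookup error out, which denies (fail closed).
    function hasPermission(perm) {
      return isSuperAdmin()
        || perm in get(/databases/$(database)/documents/settings/rolePermissions)
                     .data.rolePermissions[userRole()];
    }
    match /users/{userId} {
      allow read: if isSignedIn();
      // A self-edit must not change `role`, or any user could promote themselves.
      allow update: if (isOwnUserDoc(userId)
                        && !request.resource.data.diff(resource.data).affectedKeys().hasAny(['role']))
                       || isUserManager();
      allow create, delete: if isUserManager();
    }
    // Hardened: writes require the matrix permission instead of any signed-in user.
    match /assets/{assetId} {
      allow read: if isSignedIn();
      allow write: if hasPermission('assets.write');
    }
    match /settings/rolePermissions {
      allow read: if isSignedIn();
      allow write: if isSuperAdmin();
    }
  }
}
```

Each `get()` counts toward the per-request document-read limit, so the `users` and `rolePermissions` lookups are worth keeping to one call each per rule evaluation.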
## Role permissions document

Path: `settings/rolePermissions`

```json
{
  "rolePermissions": {
    "admin": ["assets.read", "assets.write", "..."],
    "it_manager": ["..."],
    "finance": ["..."],
    "read_only_user": ["..."],
    "user": ["..."]
  },
  "updatedAt": "<timestamp>",
  "updatedBy": "<uid>"
}
```
Rules that include a `match /settings/rolePermissions` block must be deployed before saving the permission matrix will succeed.
## Indexes

Composite indexes are defined in `firestore.indexes.json`. Deploy them with:

```bash
firebase deploy --only firestore:indexes
```

The Firebase Console will also prompt you to create a missing index when a query fails at runtime.