Skip to main content

Firestore Security Rules

Security rules are defined in firestore.rules at the repository root.

Deploy commands

# Rules only
firebase deploy --only firestore:rules

# Rules + indexes
firebase deploy --only firestore:rules,firestore:indexes

Key rule functions

FunctionDescription
isSignedIn()User is authenticated
isSuperAdmin()User document has super_admin role
canManageSettings()Super Admin only — settings writes
isUserManager()super_admin, admin, or it_manager
isOwnUserDoc(userId)User editing their own profile

Collection access summary

CollectionReadWrite
usersSigned inSelf or user manager
assetsSigned inSigned in
assetRequestsSigned inSigned in
departments, locations, organizationsSigned inSigned in
siteMapNodesSigned inSigned in
settings/rolePermissionsSigned inSuper Admin
settings/mapDesignerSigned inSuper Admin
settings/auth, settings/securityPublic readSuper Admin write
auditLogsSigned inSigned in

Production hardening

The default rules allow broad write access for authenticated users on operational collections. For production:

  1. Tighten assets and assetRequests writes by role
  2. Use custom claims or Firestore role checks matching the permission matrix
  3. Enable Firebase App Check

Role permissions document

Path: settings/rolePermissions

{
"rolePermissions": {
"admin": ["assets.read", "assets.write", "..."],
"it_manager": ["..."],
"finance": ["..."],
"read_only_user": ["..."],
"user": ["..."]
},
"updatedAt": "<timestamp>",
"updatedBy": "<uid>"
}

Must deploy rules including match /settings/rolePermissions before the permission matrix save works.

Indexes

Composite indexes are in firestore.indexes.json. Deploy with:

firebase deploy --only firestore:indexes

Firebase Console will also prompt to create indexes when queries fail at runtime.