Role & Permissions
The application uses a Role & Permission Matrix configurable by Super Admin.
Access the matrix
Settings → Roles & Permissions (Super Admin only)
Roles
| Role | Code | Default scope |
|---|---|---|
| Super Admin | super_admin | Full access — cannot be restricted |
| Administrator | admin | Broad operational + org management |
| IT Manager | it_manager | Assets, requests, integrations, org |
| Finance | finance | Read assets, financial data, reports |
| Read-Only User | read_only_user | View assets, requests, reports |
| Employee User | user | Own assets, create requests |
Permission groups
| Group | Permissions |
|---|---|
| Assets | assets.read, assets.write, assets.delete, assets.finance, assets.discovery |
| Asset requests | requests.read, requests.write, requests.review |
| Reports | reports.read |
| Employees | users.read, users.write |
| Departments | departments.read, departments.write |
| Locations | locations.read, locations.write |
| Organizations | organizations.read, organizations.write |
| Site map | sitemap.read, sitemap.draw, sitemap.floors |
| Administration | settings.manage, audit.read, webhooks.manage, integrations.manage |
How permissions apply
- Sidebar navigation — menu items hidden if role lacks permission
- Route guards — ProtectedRoute blocks direct URL access
- In-page actions — buttons check hasPermission() from Auth context
- Site map — draw mode requires sitemap.draw; add/remove floors requires sitemap.floors
Saving changes
- Toggle checkboxes in the matrix
- Click Save permissions
- Stored in Firestore settings/rolePermissions
- Users should refresh or re-login to pick up changes
User-specific overrides (site map)
Settings → Platform → Site map user overrides
Grant specific users draw or floor-edit access even if their role does not include it.
Reset to defaults
Click Reset to defaults in the matrix to restore built-in role permissions from src/utils/rbac.ts.
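How the built-in defaults, the saved matrix in settings/rolePermissions and the site map user overrides could combine into one decision, shown as an added example that is not the project's src/utils/rbac.ts. The document shapes, the two default rows, the sample data and every signature here (including this hasPermission()) are assumptions.

```typescript
// Added example, not the project's src/utils/rbac.ts. Data shapes are assumptions.
const ROLES = ["super_admin", "admin", "it_manager", "finance", "read_only_user", "user"];
const PERMISSIONS = [
  "assets.read", "assets.write", "assets.delete", "assets.finance", "assets.discovery",
  "requests.read", "requests.write", "requests.review", "reports.read",
  "users.read", "users.write", "departments.read", "departments.write",
  "locations.read", "locations.write", "organizations.read", "organizations.write",
  "sitemap.read", "sitemap.draw", "sitemap.floors",
  "settings.manage", "audit.read", "webhooks.manage", "integrations.manage",
];
// Per-user overrides exist only for the site map, so nothing else may be granted that way.
const USER_GRANTABLE = ["sitemap.draw", "sitemap.floors"];

// Assumed built-in defaults for two roles, constructed from the "Default scope" column.
const DEFAULTS: Record<string, string[]> = {
  finance: ["assets.read", "assets.finance", "reports.read"],
  read_only_user: ["assets.read", "requests.read", "reports.read"],
};

type Doc = Record<string, unknown>; // assumed shape: key -> array of permission strings
interface Subject { uid: string; role: string }

// Constructed sample data (not from a real deployment), including malformed entries.
const sampleMatrix: Doc = { finance: ["reports.read", "bogus.perm", 42], super_admin: [] };
const sampleOverrides: Doc = { "uid-42": ["sitemap.draw", "settings.manage"] };

const own = (o: object, k: string): boolean => Object.prototype.hasOwnProperty.call(o, k);

// Keep only strings from the allow-list; malformed stored data grants nothing.
function clean(value: unknown, allowed: string[]): string[] {
  if (!Array.isArray(value)) return [];
  return value.filter((p): p is string => typeof p === "string" && allowed.indexOf(p) !== -1);
}

function effectivePermissions(s: Subject, matrix: Doc, userOverrides: Doc): string[] {
  if (ROLES.indexOf(s.role) === -1) return [];              // unknown role: deny
  if (s.role === "super_admin") return PERMISSIONS.slice(); // cannot be restricted
  // A saved matrix row replaces the defaults; an absent row falls back to them.
  const base = own(matrix, s.role) ? clean(matrix[s.role], PERMISSIONS) : (DEFAULTS[s.role] ?? []);
  // User overrides can only add site map draw / floor-edit access on top of the role.
  const extra = own(userOverrides, s.uid) ? clean(userOverrides[s.uid], USER_GRANTABLE) : [];
  return base.concat(extra.filter((p) => base.indexOf(p) === -1));
}

function hasPermission(s: Subject, permission: string, matrix: Doc, userOverrides: Doc): boolean {
  return effectivePermissions(s, matrix, userOverrides).indexOf(permission) !== -1;
}
```

A resolver like this runs in the browser and only shapes what the UI offers; Firestore security rules are what stop a client from reading or writing a document it should not.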
Implementation reference
| File | Purpose |
|---|---|
| src/utils/rbac.ts | Default permissions, hasPermission() |
| src/services/rolePermissionSettingsService.ts | Firestore load/save |
| src/context/RolePermissionsContext.tsx | Loads overrides on login |
| src/components/settings/RolePermissionMatrixCard.tsx | Matrix UI |
Firestore requirement
Deploy rules with settings/rolePermissions write access for Super Admin before saving the matrix.
firebase deploy --only firestore:rules