Roles & Permissions
The exact capabilities and boundaries of Super Admin, Site Admin, Department Admin, and User.
The platform enforces authorization on two layers, both server-side:
- RBAC — a coarse role → permission grant (what actions a role may perform).
- ABAC — department scope (which departments' data the actor may touch).
A capability is only allowed when both layers permit it.
Permission matrix
| Capability | Super Admin | Site Admin | Dept Admin | User |
|---|---|---|---|---|
| Provision / manage sites (tenants) | ✅ | — | — | — |
| Set a site's initial branding (at creation) | ✅ | — | — | — |
| Edit branding (name, colors, logo, login background) | ❌ | ✅ | — | — |
| Manage departments (create/rename/archive/restore) | ❌ | ✅ | — | — |
| Manage documents (upload/replace/delete/retry) | ❌ | ✅ | ✅ (own depts) | — |
| Invite users | ✅ (Site Admins only) | ✅ (dept_admin, user) | ✅ (user, own depts) | — |
| Change an existing user's role | ❌ | ✅ | — | — |
| Manage department memberships / appoint dept admins | ❌ | ✅ | ✅ (own depts; can't appoint admins) | — |
| Break-glass: deactivate / reactivate / reset password | ✅ | ✅ | — | — |
| Ask the assistant (chat) | ✅¹ | ✅¹ | ✅ | ✅ |
| View audit trail | ✅ | ✅ | — | — |
| View / edit own profile | ✅ | ✅ | ✅ | ✅ |
¹ Admin roles retain the chat permission, but their workspace is governance-focused; the conversational
surface is the day-to-day home for dept_admin and user.
Department (data) scope
| Super Admin | Site Admin | Dept Admin | User | |
|---|---|---|---|---|
| Departments in scope | None | All in the site | The department(s) they administer | The department(s) they belong to |
| Can read documents in… | Nothing | Any dept in the site | Own dept(s) | Own dept(s) |
The Super Admin's empty department scope is deliberate (see F21 governance): it means no platform operator can view, upload, or retrieve any tenant's documents or department data.
Who can create whom
| Actor | May create / invite |
|---|---|
| Super Admin | Site Admin only |
| Site Admin | Department Admin, User |
| Department Admin | User (within their own departments) |
| User | — |
No one can create another Super Admin through the console; platform operators are provisioned out of band. No role can escalate a user to Super Admin.
Key boundary rules
- Super Admins are walled off from tenant-internal data. They govern the platform (sites, Site-Admin invitations, break-glass) but cannot open Departments, Documents, or a standalone Branding editor, and are excluded from department member pickers and member lists.
- Site Admins own their tenant end-to-end but only their own site.
- Department Admins are scoped to their department(s) — they manage members and documents there, but cannot appoint other department admins (that's a Site Admin action).
- Users are read/ask-only, limited to their department memberships.