Smart Document Assistant

Roles & Permissions

The exact capabilities and boundaries of Super Admin, Site Admin, Department Admin, and User.

The platform enforces authorization on two layers, both server-side:

  1. RBAC — a coarse role → permission grant (what actions a role may perform).
  2. ABAC — department scope (which departments' data the actor may touch).

A capability is only allowed when both layers permit it.

Permission matrix

CapabilitySuper AdminSite AdminDept AdminUser
Provision / manage sites (tenants)
Set a site's initial branding (at creation)
Edit branding (name, colors, logo, login background)
Manage departments (create/rename/archive/restore)
Manage documents (upload/replace/delete/retry)(own depts)
Invite users(Site Admins only)(dept_admin, user)(user, own depts)
Change an existing user's role
Manage department memberships / appoint dept admins(own depts; can't appoint admins)
Break-glass: deactivate / reactivate / reset password
Ask the assistant (chat)✅¹✅¹
View audit trail
View / edit own profile

¹ Admin roles retain the chat permission, but their workspace is governance-focused; the conversational surface is the day-to-day home for dept_admin and user.

Department (data) scope

Super AdminSite AdminDept AdminUser
Departments in scopeNoneAll in the siteThe department(s) they administerThe department(s) they belong to
Can read documents in…NothingAny dept in the siteOwn dept(s)Own dept(s)

The Super Admin's empty department scope is deliberate (see F21 governance): it means no platform operator can view, upload, or retrieve any tenant's documents or department data.

Who can create whom

ActorMay create / invite
Super AdminSite Admin only
Site AdminDepartment Admin, User
Department AdminUser (within their own departments)
User

No one can create another Super Admin through the console; platform operators are provisioned out of band. No role can escalate a user to Super Admin.

Key boundary rules

  • Super Admins are walled off from tenant-internal data. They govern the platform (sites, Site-Admin invitations, break-glass) but cannot open Departments, Documents, or a standalone Branding editor, and are excluded from department member pickers and member lists.
  • Site Admins own their tenant end-to-end but only their own site.
  • Department Admins are scoped to their department(s) — they manage members and documents there, but cannot appoint other department admins (that's a Site Admin action).
  • Users are read/ask-only, limited to their department memberships.

On this page