[{"data":1,"prerenderedAt":800},["ShallowReactive",2],{"guide:en:authorization":3},{"id":4,"title":5,"body":6,"description":792,"extension":793,"meta":794,"navigation":795,"path":796,"seo":797,"stem":798,"__hash__":799},"guide_en/en/user/authorization/index.md","Authorization — Admin Rights and Role Restrictions",{"type":7,"value":8,"toc":775},"minimark",[9,14,27,32,35,57,60,63,67,70,75,146,151,171,176,187,191,202,205,210,233,238,247,250,282,286,292,297,325,330,344,348,354,364,367,373,379,382,388,394,397,401,407,412,418,424,428,439,443,448,462,467,481,485,490,510,515,532,537,548,552,560,573,578,583,589,594,600,605,611,614,618,623,637,642,656,660,665,676,681,692,697,708,713,724,729,740,745,756,761],[10,11,13],"h1",{"id":12},"authorization","Authorization",[15,16,17,18,22,23,26],"p",{},"Authorization defines what users can and cannot do after authentication. Aptli combines two independent layers: permissive ",[19,20,21],"strong",{},"admin rights"," (what you can do) and restrictive ",[19,24,25],{},"role restrictions"," (what you cannot see). 
Together they give administrators fine-grained control over both capabilities and data visibility.",[28,29,31],"h2",{"id":30},"authorization-model-overview","Authorization Model Overview",[15,33,34],{},"Aptli's full security model has three layers:",[36,37,38,45,51],"ol",{},[39,40,41,44],"li",{},[19,42,43],{},"Authentication"," — Who you are (covered in the Authentication section)",[39,46,47,50],{},[19,48,49],{},"Admin Rights"," — What you CAN modify (permissive grants)",[39,52,53,56],{},[19,54,55],{},"Role Restrictions"," — What you CANNOT see (restrictive filters)",[15,58,59],{},"All restrictions are enforced on the server — unauthorized data is never sent to your browser, regardless of what you try through the UI, API, or exports.",[15,61,62],{},"This model provides tremendous flexibility while maintaining security.",[28,64,66],{"id":65},"admin-rights-permissive","Admin Rights (Permissive)",[15,68,69],{},"Admin rights grant permission to modify information or alter status. Without these rights, users can only view data and edit their own profile.",[15,71,72],{},[19,73,74],{},"Common Admin Rights:",[76,77,78,85,91,97,103,116,128,134,140],"ul",{},[39,79,80,84],{},[81,82,83],"code",{},"usersUpdate"," - Edit other users' profiles (name, title, division - NOT email/password)",[39,86,87,90],{},[81,88,89],{},"usersLogout"," - Force logout or hard lock users",[39,92,93,96],{},[81,94,95],{},"usersDelete"," - Delete user accounts",[39,98,99,102],{},[81,100,101],{},"usersCreate"," - Create new users or undelete accounts",[39,104,105,108,109,108,112,115],{},[81,106,107],{},"pointsCreate",", ",[81,110,111],{},"pointsUpdate",[81,113,114],{},"pointsDelete"," - Modify point features",[39,117,118,108,121,108,124,127],{},[81,119,120],{},"workOrdersCreate",[81,122,123],{},"workOrdersUpdate",[81,125,126],{},"workOrdersDelete"," - Manage work orders",[39,129,130,133],{},[81,131,132],{},"assignmentsCreate"," - Create work 
assignments",[39,135,136,139],{},[81,137,138],"reportsCreate"," - Submit work reports",[39,141,142,145],{},[81,143,144],"transactionsCreate"," - Create inventory transactions",[15,147,148],{},[19,149,150],"Super Rights (Supersede All Others):",[76,152,153,159,165],{},[39,154,155,158],{},[81,156,157],"appSettingSchemasModify"," - Modify application-level settings (domains, timeouts, security)",[39,160,161,164],{},[81,162,163],"adminRightsModify"," - Grant admin rights to other users",[39,166,167,170],{},[81,168,169],"viewDeleted"," - See deleted records (nearly universal, partially overridden by role restrictions)",[15,172,173],{},[19,174,175],"Checking User's Admin Rights:",[36,177,178,181,184],{},[39,179,180],"Navigate to Admin → Users",[39,182,183],"Open user profile",[39,185,186],"\"Admin Rights\" section lists all granted permissions",[28,188,190],{"id":189},"role-restrictions-restrictive","Role Restrictions (Restrictive)",[15,192,193,198],{},[194,195],"img",{"alt":196,"src":197},"Roles List","/guide/authorization/roles-list.png",[199,200,201],"em",{},"Roles administration page showing configured role restrictions",[15,203,204],{},"Roles are collections of restrictions that prevent viewing and altering records with certain characteristics. 
Membership in a role applies all restrictions to that user.",[15,206,207],{},[19,208,209],{},"Role Components:",[76,211,212,218,228],{},[39,213,214,217],{},[19,215,216],{},"Members"," - Users who have these restrictions applied",[39,219,220,223,224,227],{},[19,221,222],{},"Owner"," - User who controls membership (or users with ",[81,225,226],{},"rolesUpdate"," admin right)",[39,229,230,232],{},[19,231,55],{}," - Field-level filters hiding specific data",[234,235,237],"h3",{"id":236},"role-restriction-structure","Role Restriction Structure",[15,239,240,244],{},[194,241],{"alt":242,"src":243},"Role Detail","/guide/authorization/role-detail.png",[199,245,246],{},"Role detail page showing field-level restriction configuration",[15,248,249],{},"Each restriction defines:",[76,251,252,258,264,270,276],{},[39,253,254,257],{},[19,255,256],{},"Model"," - Which data type (points, polygons, assignments, etc.)",[39,259,260,263],{},[19,261,262],{},"Field"," - Which property to filter on (owner, status, category, custom fields)",[39,265,266,269],{},[19,267,268],{},"Comparison"," - How to match (=, !=, >, \u003C, contains, etc.)",[39,271,272,275],{},[19,273,274],{},"Filter Value"," - What value to match against",[39,277,278,281],{},[19,279,280],{},"Permissions"," - What's blocked (read, edit, create, delete)",[234,283,285],{"id":284},"example-use-case-contractor-separation","Example Use Case: Contractor Separation",[15,287,288,291],{},[19,289,290],{},"Scenario:"," Prevent Contractor A from seeing Contractor B's work",[15,293,294],{},[19,295,296],{},"Setup:",[36,298,299,302,322],{},[39,300,301],{},"Create role: \"Contractor A\"",[39,303,304,305],{},"Add role restriction:\n",[76,306,307,310,313,316,319],{},[39,308,309],{},"Model: Point (features)",[39,311,312],{},"Field: owner",[39,314,315],{},"Comparison: =",[39,317,318],{},"Filter Value: Contractor B",[39,320,321],{},"Permissions: Read ✓, Edit ✓, Create ✓, Delete ✓ (all true = cannot do any of these)",[39,323,324],{},"Add 
Contractor A's users as members",[15,326,327],{},[19,328,329],{},"Result:",[76,331,332,335,338,341],{},[39,333,334],{},"Contractor A members cannot see any points where owner = \"Contractor B\"",[39,336,337],{},"Not just hidden in UI - API returns data as if records don't exist",[39,339,340],{},"Cannot accidentally see via screenshot, API call, or export",[39,342,343],{},"Fully server-side enforced",[234,345,347],{"id":346},"additional-use-cases","Additional Use Cases",[15,349,350,353],{},[19,351,352],{},"By Work Stage:","\nPrevent field workers from seeing QC validation reports:",[355,356,361],"pre",{"className":357,"code":359,"language":360},[358],"language-text","Role: \"Field Workers\"\nRestriction:\n  Model: Validation\n  Field: status\n  Comparison: !=\n  Filter Value: \"\" (any value)\n  Permissions: Read ✓\n","text",[81,362,359],{"__ignoreMap":363},"",[15,365,366],{},"Field workers cannot see validations at all.",[15,368,369,372],{},[19,370,371],{},"By Asset Type:","\nSeparate infrastructure teams (poles/ducts vs. active equipment):",[355,374,377],{"className":375,"code":376,"language":360},[358],"Role: \"Civil Team\"\nRestriction:\n  Model: Point\n  Field: category\n  Comparison: =\n  Filter Value: \"Active Equipment\"\n  Permissions: Read ✓, Edit ✓, Create ✓, Delete ✓\n",[81,378,376],{"__ignoreMap":363},[15,380,381],{},"Civil team cannot see or modify active equipment points.",[15,383,384,387],{},[19,385,386],{},"By Physical/Logical:","\nSeparate office data access (capacity relationships vs. 
office locations):",[355,389,392],{"className":390,"code":391,"language":360},[358],"Role: \"Capacity Analysts\"\nRestriction:\n  Model: Point\n  Field: layer\n  Comparison: =\n  Filter Value: \"Office Locations\"\n  Permissions: Edit ✓, Create ✓, Delete ✓\n",[81,393,391],{"__ignoreMap":363},[15,395,396],{},"Analysts can view offices but not modify locations (read-only).",[28,398,400],{"id":399},"combining-admin-rights-role-restrictions","Combining Admin Rights + Role Restrictions",[15,402,403,406],{},[19,404,405],"Default Behavior:","\nAll users can see everything but cannot alter anything (without admin rights).",[15,408,409],{},[19,410,411],"Adding Write Access with Restrictions:",[15,413,414,417],{},[19,415,416],"Example:"," Field workers can edit their own work but not others'",[355,419,422],{"className":420,"code":421,"language":360},[358],"Admin Rights:\n  - reportsCreate: true\n  - reportsUpdate: true\n\nRole Restrictions:\n  Model: Report\n  Field: reportedBy\n  Comparison: !=\n  Filter Value: [current user ID]\n  Permissions: Edit ✓\n",[81,423,421],{"__ignoreMap":363},[15,425,426],{},[19,427,329],[76,429,430,433,436],{},[39,431,432],"Workers can create reports (admin right granted)",[39,434,435],"Workers can edit ONLY their own reports (role restriction filters out others)",[39,437,438],"Cannot modify other workers' reports; to also hide them, the restriction would need Read ✓ in addition to Edit ✓",[28,440,442],{"id":441},"server-side-enforcement","Server-Side Enforcement",[15,444,445],{},[19,446,447],"How It Works:",[76,449,450,453,456,459],{},[39,451,452],"All queries filtered before data is returned",[39,454,455],"Role restrictions applied on the server (not just UI hiding)",[39,457,458],"Users cannot bypass via direct API calls, browser tools, or exports",[39,460,461],"To an unauthorized user, restricted data behaves as if it does not exist",[15,463,464],{},[19,465,466],"Security Implications:",[76,468,469,472,475,478],{},[39,470,471],"Screenshot of someone else's screen won't help (data won't load 
for you)",[39,473,474],{},"Cannot export restricted data (server enforces filters)",[39,476,477],{},"Cannot \"guess\" record IDs (filtered before ID lookup)",[39,479,480],{},"Records outside your permissions return as not found, even if you know the ID",[28,482,484],{"id":483},"managing-roles","Managing Roles",[15,486,487],{},[19,488,489],{},"Creating Roles:",[36,491,492,495,498,501,504,507],{},[39,493,494],{},"Navigate to Admin → Roles",[39,496,497],{},"Click \"Create Role\"",[39,499,500],{},"Enter role name and description",[39,502,503],{},"Add members (drag users into members field)",[39,505,506],{},"Add role restrictions (can have multiple)",[39,508,509],{},"Save",[15,511,512],{},[19,513,514],{},"Editing Roles:",[76,516,517,523,526,529],{},[39,518,519,520,522],{},"Only role owner OR users with ",[81,521,226],{}," admin right",[39,524,525],{},"Can add/remove members",[39,527,528],{},"Can modify restrictions",[39,530,531],{},"Can delete role (frees members from restrictions)",[15,533,534],{},[19,535,536],{},"Role Membership:",[76,538,539,542,545],{},[39,540,541],{},"Users can be in multiple roles (restrictions combined)",[39,543,544],{},"Leaving organization: Remove from all roles before deleting account",[39,546,547],{},"Bulk membership: Drag multiple users at once",[28,549,551],{"id":550},"customizing-authorization-for-new-users","Customizing Authorization for New Users",[15,553,554],{},[19,555,556,557,559],{},"App Settings Configuration (Requires ",[81,558,157],{},"):",[36,561,562,565,568,571],{},[39,563,564],{},"Navigate to App Settings → Authentication",[39,566,567],{},"\"Roles for New Users\" - Auto-assign roles to new accounts",[39,569,570],{},"\"Admin Rights for New Users\" - Default permissions granted",[39,572,509],{},[15,574,575],{},[19,576,577],{},"Typical Configurations:",[15,579,580],{},[19,581,582],{},"Field Worker Defaults:",[355,584,587],{"className":585,"code":586,"language":360},[358],"Roles: [\"Field Workers\"]\nAdmin Rights: {\n  
reportsCreate: true,\n  assignmentsRead: true\n}\n",[81,588,586],{"__ignoreMap":363},[15,590,591],{},[19,592,593],{},"Office Coordinator Defaults:",[355,595,598],{"className":596,"code":597,"language":360},[358],"Roles: []\nAdmin Rights: {\n  assignmentsCreate: true,\n  ordersCreate: true,\n  stockItemsView: true\n}\n",[81,599,597],{"__ignoreMap":363},[15,601,602],{},[19,603,604],{},"No Auto-Grant (Manual Review):",[355,606,609],{"className":607,"code":608,"language":360},[358],"Roles: []\nAdmin Rights: {} (none)\n",[81,610,608],{"__ignoreMap":363},[15,612,613],{},"Admins manually assign after account review.",[28,615,617],{"id":616},"viewing-effective-permissions","Viewing Effective Permissions",[15,619,620],{},[19,621,622],{},"For Specific User:",[36,624,625,628,631,634],{},[39,626,627],{},"Navigate to user profile",[39,629,630],{},"\"Admin Rights\" section - What they CAN do",[39,632,633],{},"\"Roles\" section - What they CANNOT see (via restrictions)",[39,635,636],{},"Combined view shows effective permissions",[15,638,639],{},[19,640,641],{},"Testing Permissions:",[36,643,644,647,650,653],{},[39,645,646],{},"Login as user (or impersonate with admin permission)",[39,648,649],{},"Navigate normally",[39,651,652],{},"Restricted data simply doesn't appear",[39,654,655],{},"Actions without admin rights disabled/hidden",[28,657,659],{"id":658},"best-practices","Best Practices",[15,661,662],{},[19,663,664],{},"Start Restrictive, Grant as Needed:",[76,666,667,670,673],{},[39,668,669],{},"New users get minimal permissions",[39,671,672],{},"Add admin rights as roles require",[39,674,675],{},"Easier to grant than revoke (avoids \"permission creep\")",[15,677,678],{},[19,679,680],{},"Use Roles for Data Visibility:",[76,682,683,686,689],{},[39,684,685],{},"Separate contractors (prevent competition intelligence)",[39,687,688],{},"Separate work stages (QC from field workers)",[39,690,691],{},"Separate asset types (infrastructure from active 
equipment)",[15,693,694],{},[19,695,696],"Use Admin Rights for Capabilities:",[76,698,699,702,705],{},[39,700,701],"Who can create assignments",[39,703,704],"Who can modify inventory",[39,706,707],"Who can grant permissions",[15,709,710],{},[19,711,712],"Document Role Purpose:",[76,714,715,718,721],{},[39,716,717],"Clear role name (\"Contractor A\" better than \"Role 1\")",[39,719,720],"Description explains restrictions",[39,722,723],"Helps future admins understand intent",[15,725,726],{},[19,727,728],"Regular Permission Audits:",[76,730,731,734,737],{},[39,732,733],"Review user admin rights quarterly",[39,735,736],"Remove unused rights (user changed roles)",[39,738,739],"Check role memberships (users left organization)",[15,741,742],{},[19,743,744],"Monitor Access Attempts:",[76,746,747,750,753],{},[39,748,749],"Log failed authorization attempts",[39,751,752],"A pattern of denials may indicate a user attempting unauthorized access or a misconfigured permission",[39,754,755],"Investigate and adjust permissions or educate user",[15,757,758],{},[19,759,760],"Principle of Least Privilege:",[76,762,763,766,769],{},[39,764,765],"Grant minimum permissions required for job function",[39,767,768],"Temporary elevated access for projects (remove after)",[39,770,771,772,774],{},"Super rights (",[81,773,163],{},") only to trusted admins",{"title":363,"searchDepth":776,"depth":776,"links":777},2,[778,779,780,786,787,788,789,790,791],{"id":30,"depth":776,"text":31},{"id":65,"depth":776,"text":66},{"id":189,"depth":776,"text":190,"children":781},[782,784,785],{"id":236,"depth":783,"text":237},3,{"id":284,"depth":783,"text":285},{"id":346,"depth":783,"text":347},{"id":399,"depth":776,"text":400},{"id":441,"depth":776,"text":442},{"id":483,"depth":776,"text":484},{"id":550,"depth":776,"text":551},{"id":616,"depth":776,"text":617},{"id":658,"depth":776,"text":659},"Control what users can do and what they can see. 
Aptli combines permissive admin rights (who can create, update, delete) with restrictive role restrictions (field-level server-side filters that hide data entirely).","md",{},true,"/en/user/authorization",{"title":5,"description":792},"en/user/authorization/index","IDj4xktNYAX2RNH0j72NqX9HpFGTEl8IxJnb_5xJqVU",1776295546620]