Roles & Permissions
The role-based access control (RBAC) system determines what users can see and do within Open Core Business Suite. This guide covers default roles, creating custom roles, and managing access.
Understanding RBAC
Key Concepts
| Term | Description |
|---|---|
| Role | A named collection of settings and permissions (e.g., Admin, Manager) |
| Permission | A specific action or access right granted through modules |
| User | An individual account with a role assigned |
How It Works
- Roles define access capabilities and feature toggles
- Users are assigned a role during employee creation
- The system checks the user's role for every action
Built-In Roles
Open Core Business Suite includes these pre-configured built-in roles that cannot be deleted:
| Role | System Name | Description |
|---|---|---|
| Super Admin | super_admin | Full system access with no restrictions |
| Admin | admin | Administrative access with most capabilities |
| HR | hr | Human resources management focus |
| Manager | manager | Team management access |
| Office Employee | office_employee | Standard office-based employee |
| Field Employee | field_employee | Field/mobile workforce employee |
Super Admin
Full system access with no restrictions:
- All features and data accessible
- Cannot be deleted or disabled
- System configuration access
- User and role management
- Module activation control
Limit Super Admin accounts. This role has unrestricted access to all system functions and data.
Role Configuration
Role Settings
Each role includes the following configuration options:
| Setting | Description |
|---|---|
| Role Name | Display name for the role (must be unique) |
| Multi Check-In/Out | Allow multiple attendance check-ins per day |
| Mobile App Access | Enable access to the mobile application |
| Web App Access | Enable access to the web application |
| Location Activity Tracking | Enable GPS/location tracking for this role |
Creating Custom Roles
- Navigate to Roles from the sidebar (it is a top-level menu item)
- Click Add New Role
- Enter the role name
- Configure the role settings (mobile access, web access, etc.)
- Save the role
Editing Roles
- Navigate to Roles
- Click Edit on the role you want to modify
- Update the name and settings
- Save changes
Deleting Roles
Roles can only be deleted if:
- The role is not a built-in role
- No users are currently assigned to the role
If users are assigned, reassign them to a different role first.
Assigning Roles to Users
During Employee Creation
- In the employee creation form, select the Role from the dropdown
- The role determines the employee's access level and feature toggles
Changing User Roles
- Navigate to the employee's profile
- Click Edit
- Change the Role selection
- Save changes
Role changes take effect immediately. The user may need to refresh their browser to see updated access.
Module-Level Permissions
Individual modules (addons) may define their own permissions that are checked independently. When a module is enabled, its specific permissions become available. Module permissions are typically managed within each module's settings.
Best Practices
Role Design
- Use the built-in roles as a starting point
- Create custom roles for specific job functions when needed
- Keep the number of roles manageable
- Use descriptive names that match your organizational structure
Security Considerations
- Limit Super Admin accounts (1-2 maximum)
- Configure mobile and web access appropriately per role
- Enable location tracking only for roles that require it (e.g., field employees)
- Review role assignments periodically
Maintenance
- Review roles quarterly
- Update when job functions change
- Remove terminated user access promptly
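The review points under Security Considerations and Maintenance can be scripted against an export of roles and users. The sketch below is an added example, not part of Open Core Business Suite. The CSV layout, column names, `status` values, the `contractor`, `auditor` and `intern` roles, and the choice of `field_employee` as the only role that needs location tracking are all assumptions, and the sample data is constructed.

```python
import csv, io

BUILT_IN = {"super_admin", "admin", "hr", "manager", "office_employee", "field_employee"}
MAX_SUPER_ADMINS = 2                    # upper bound recommended in this guide
LOCATION_ROLES = {"field_employee"}     # assumption: only this role needs GPS tracking

# Constructed sample exports; column names and "status" values are assumptions.
ROLES_CSV = """system_name,mobile_access,web_access,location_tracking
super_admin,1,1,0
manager,1,1,1
field_employee,1,0,1
contractor,0,1,0
auditor,0,1,0
"""
USERS_CSV = """email,role,status
a@example.test,super_admin,active
b@example.test,super_admin,active
c@example.test,super_admin,active
d@example.test,manager,terminated
e@example.test,field_employee,active
f@example.test,auditor,active
g@example.test,intern,active
"""

def review(roles_csv=ROLES_CSV, users_csv=USERS_CSV):
    """Return sorted (finding, subject) pairs for the periodic role review."""
    roles = {r["system_name"]: r for r in csv.DictReader(io.StringIO(roles_csv))}
    users = list(csv.DictReader(io.StringIO(users_csv)))
    findings = []
    n_super = sum(u["role"] == "super_admin" and u["status"] == "active" for u in users)
    if n_super > MAX_SUPER_ADMINS:
        findings.append(("too_many_super_admins", str(n_super)))
    for name, r in roles.items():
        if r["location_tracking"] == "1" and name not in LOCATION_ROLES:
            findings.append(("location_tracking_enabled", name))
    assigned = {u["role"] for u in users}   # any assigned user blocks deletion
    for name in roles.keys() - BUILT_IN - assigned:
        findings.append(("unused_custom_role", name))   # custom and unassigned: deletable
    for u in users:
        role = roles.get(u["role"])
        if role is None:
            findings.append(("unknown_role", u["email"]))
        elif u["status"] == "terminated" and "1" in (role["mobile_access"], role["web_access"]):
            findings.append(("terminated_user_has_access", u["email"]))
    return sorted(findings)

if __name__ == "__main__":
    for finding, subject in review():
        print(f"{finding}: {subject}")
```

An empty result means none of the checked conditions were found in the export; it does not cover module-level permissions, which are managed in each module's own settings.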
Troubleshooting Access Issues
User Cannot Access Feature
- Check the user's assigned role
- Verify the relevant module is enabled
- Clear browser cache
- Have user log out and back in
Audit Trail
Review access and changes:
- Navigate to Audit Logs from the sidebar
- Filter by user
- Review logged actions