
Roles & Permissions

This guide explains the role-based access control (RBAC) system: how to create and manage roles, how to assign permissions, and best practices for access control.


Table of Contents

  1. Overview
  2. Understanding Roles
  3. Understanding Permissions
  4. Default Roles
  5. Creating Custom Roles
  6. Assigning Permissions
  7. Managing Users and Roles
  8. Permission Structure
  9. Best Practices
  10. Troubleshooting

Overview

What is RBAC?

Role-Based Access Control (RBAC) is a security system that restricts access based on user roles and permissions. Users are assigned roles, and roles are assigned permissions.

How It Works

Hierarchy:

  1. Users are assigned Roles
  2. Roles are assigned Permissions
  3. Permissions control access to features

Benefits

  • ✅ Centralized access control
  • ✅ Easy to manage
  • ✅ Scalable
  • ✅ Secure
  • ✅ Flexible

Understanding Roles

What are Roles?

Roles are collections of permissions that define what users can do in the system. Instead of assigning permissions to each user individually, you assign roles.

Role Characteristics

Properties:

  • Name: Unique identifier
  • Description: What the role is for
  • Permissions: What the role can do
  • Users: Who has this role

Role Types

System Roles

Characteristics:

  • Pre-defined by system
  • Cannot be deleted
  • Core functionality
  • Examples: super-admin, admin

Custom Roles

Characteristics:

  • Created by administrators
  • Can be deleted
  • Custom permissions
  • Flexible configuration

Understanding Permissions

What are Permissions?

Permissions are specific actions that can be performed in the system. They control access to features, modules, and functions.

Permission Format

Structure:

{action} {resource}

Examples:

  • view posts - Can view blog posts
  • create products - Can create products
  • edit users - Can edit users
  • delete tickets - Can delete tickets

Permission Types

Module Permissions

Standard Actions:

  • view: View content
  • create: Create new content
  • edit: Edit existing content
  • delete: Delete content
  • manage: Full control

Examples:

  • view posts
  • create posts
  • edit posts
  • delete posts
  • manage posts

System Permissions

Core Permissions:

  • access admin panel - Access admin area
  • manage settings - Change settings
  • manage roles - Manage roles and permissions
  • manage users - User management
  • manage media - Media library access

Special Permissions

Module-Specific:

  • reply tickets - Reply to support tickets
  • edit own courses - Edit own courses only
  • view own tickets - View own tickets only
  • assign tasks - Assign tasks to users

Default Roles

Super Admin

Description:

  • Full system access
  • All permissions
  • Cannot be restricted
  • System administrator

Permissions:

  • All permissions (via Gate)
  • Cannot be limited
  • Full control

Use For:

  • System administrators
  • Developers
  • Full access needed

Admin

Description:

  • Administrative access
  • Most permissions
  • Can manage users
  • Can change settings

Permissions:

  • access admin panel
  • manage settings
  • view users
  • create users
  • edit users
  • delete users
  • assign roles
  • manage media
  • Task management permissions
  • Most module permissions

Use For:

  • Administrators
  • Managers
  • Full management access

Instructor

Description:

  • Course creation and management
  • Limited admin access
  • Focus on courses

Permissions:

  • access admin panel
  • view courses
  • create courses
  • edit courses
  • edit own courses
  • delete own courses
  • Course-related permissions

Use For:

  • Course instructors
  • Teachers
  • Content creators

Editor

Description:

  • Content creation and editing
  • Limited admin access
  • Content focus

Permissions:

  • access admin panel
  • view posts
  • create posts
  • edit posts
  • Content-related permissions

Use For:

  • Content editors
  • Writers
  • Blog managers

Support Specialist

Description:

  • Ticket management
  • Customer support
  • Limited admin access

Permissions:

  • access admin panel
  • view tickets
  • reply tickets
  • view own tickets
  • Ticket-related permissions

Use For:

  • Support staff
  • Customer service
  • Help desk

Student

Description:

  • Regular user
  • No admin access
  • Frontend only

Permissions:

  • Frontend access only
  • No admin permissions
  • Basic user permissions

Use For:

  • Regular users
  • Customers
  • Students

Creating Custom Roles

Step 1: Access Roles

  1. Navigate to Roles:
    • Go to Users → Roles
    • Or navigate to: /admin/roles

Step 2: Create New Role

  1. Click Create:
    • Click Create New Role button
    • Role creation form appears

Step 3: Configure Role

Basic Information:

  • Name: Role name (required, unique)
  • Description: Role description (optional)
  • Color: Role color (optional)
  • Priority: Display priority (optional)

Settings:

  • Active: Enable/disable role
  • System Role: Mark as system role (cannot be deleted)

Step 4: Assign Permissions

  1. Select Permissions:

    • Browse permission groups
    • Check permissions to grant
    • Uncheck to exclude
  2. Permission Groups:

    • Core: System permissions
    • Users: User management
    • Content: Content modules
    • E-Commerce: E-commerce modules
    • Learning: Course modules
    • Support: Support modules
    • Business: Business modules
    • Productivity: Task management

Step 5: Save Role

  1. Review:

    • Verify role name
    • Check permissions
    • Review settings
  2. Save:

    • Click Save or Create
    • Role created
    • Available for assignment

Assigning Permissions

To Roles

Method 1: During Creation

  1. Create Role:
    • Create new role
    • Select permissions
    • Save role

Method 2: Edit Existing Role

  1. Edit Role:

    • Go to Roles → Edit
    • Find role to edit
    • Click Edit
  2. Modify Permissions:

    • Check/uncheck permissions
    • Add new permissions
    • Remove permissions
  3. Save:

    • Click Update
    • Permissions updated
    • Applied to all users with role

To Users

Direct Permission Assignment

  1. Edit User:

    • Go to Users → Edit
    • Find user
    • Click Edit
  2. Assign Permissions:

    • Go to Permissions section
    • Check permissions to grant
    • User-specific permissions
  3. Save:

    • Click Update
    • Permissions assigned
    • Override role permissions

Managing Users and Roles

Assigning Roles to Users

Single User

  1. Edit User:

    • Go to Users → Edit
    • Find user
    • Click Edit
  2. Assign Role:

    • Go to Roles section
    • Select role(s)
    • User can have multiple roles
  3. Save:

    • Click Update
    • Role assigned
    • Permissions updated

Bulk Assignment

  1. Select Users:

    • Go to Users list
    • Select multiple users
    • Use checkboxes
  2. Bulk Action:

    • Click Bulk Actions
    • Select Assign Role
    • Choose role
  3. Apply:

    • Click Apply
    • All selected users get role
    • Permissions updated

Removing Roles

  1. Edit User:

    • Go to Users → Edit
    • Find user
    • Click Edit
  2. Remove Role:

    • Go to Roles section
    • Uncheck role
    • User loses role permissions
  3. Save:

    • Click Update
    • Role removed
    • Permissions updated

Permission Structure

Permission Naming Convention

Format:

{action} {resource}

Actions:

  • view - View content
  • create - Create content
  • edit - Edit content
  • delete - Delete content
  • manage - Full control

Resources:

  • Module names (posts, products, etc.)
  • System resources (users, settings, etc.)

Permission Groups

Core Permissions

  • access admin panel
  • manage settings
  • manage roles
  • manage users
  • manage media

Module Permissions

Content Modules:

  • view posts, create posts, edit posts, delete posts
  • view testimonials, create testimonials, etc.
  • view faqs, create faqs, etc.
  • view kb, create kb, etc.

E-Commerce Modules:

  • view products, create products, etc.
  • view pricing-plans, create pricing-plans, etc.
  • view services, create services, etc.

Learning Modules:

  • view courses, create courses, etc.

Project Modules:

  • view projects, create projects, etc.
  • view case-studies, create case-studies, etc.
  • view events, create events, etc.

Support Modules:

  • view tickets, create tickets, etc.
  • reply tickets
  • view own tickets

Business Modules:

  • view quotes, create quotes, etc.
  • view causes, create causes, etc.
  • view appointments, create appointments, etc.
  • view jobs, create jobs, etc.

Productivity Modules:

  • view tasks, create tasks, etc.
  • assign tasks
  • view own tasks
  • manage projects
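The access resolution this guide describes (users → roles → permissions, user-specific grants from Assigning Permissions, the super-admin bypass via Gate from Default Roles, and the "own"-scoped special permissions such as edit own courses) as an added Python model; it is not the application's own code, and its role data is constructed sample data using the guide's permission names. `can()` returns the reason for each decision so the same function can be used to walk the Troubleshooting checklist; treating manage as implying the other actions, and direct grants as adding to role grants, are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample data; names follow the guide's "{action} {resource}" convention.
ROLES: dict[str, set[str]] = {
    "super-admin": set(),  # needs no entries: granted everything via the Gate bypass
    "admin": {"access admin panel", "manage settings", "view users", "create users",
              "edit users", "delete users", "assign roles", "manage media"},
    "instructor": {"access admin panel", "view courses", "create courses",
                   "edit own courses", "delete own courses"},
    "editor": {"access admin panel", "view posts", "create posts", "edit posts"},
    "student": set(),  # frontend only, no admin permissions
}

@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)               # a user may hold several roles
    direct_permissions: set[str] = field(default_factory=set)  # user-specific grants
    active: bool = True

def effective_permissions(user: User) -> set[str]:
    """Union of every role's permissions plus the user's direct permissions
    (assumption: direct grants add to, rather than replace, role grants)."""
    perms: set[str] = set()
    for role in user.roles:
        perms |= ROLES.get(role, set())
    return perms | user.direct_permissions

def can(user: User, action: str, resource: str, owner: str | None = None) -> tuple[bool, str]:
    """Decide '{action} {resource}' for user and say why. owner is the record's
    owner name and is consulted only for 'own' variants such as 'edit own courses'."""
    if not user.active:
        return False, "user is deactivated"
    if "super-admin" in user.roles:
        return True, "super-admin: all permissions via Gate"
    perms = effective_permissions(user)
    full = f"{action} {resource}"
    if full in perms:
        return True, f"granted '{full}'"
    if f"manage {resource}" in perms:  # assumption: manage (full control) implies the other actions
        return True, f"granted via 'manage {resource}'"
    own = f"{action} own {resource}"
    if own in perms:
        if owner is None:
            return False, f"'{own}' needs a record owner to compare against"
        if owner == user.name:
            return True, f"granted '{own}' (user owns the record)"
        return False, f"'{own}' covers only the user's own records"
    return False, f"no role or direct permission grants '{full}'"
```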

Best Practices

Role Design

  1. Principle of Least Privilege:

    • Grant minimum necessary permissions
    • Only what's needed
    • Review regularly
  2. Role Clarity:

    • Clear role names
    • Meaningful descriptions
    • Document purpose
  3. Avoid Overlap:

    • Distinct roles
    • Clear boundaries
    • Avoid confusion

Permission Management

  1. Regular Review:

    • Review permissions regularly
    • Remove unused permissions
    • Update as needed
  2. Documentation:

    • Document custom roles
    • Note permission purposes
    • Keep records
  3. Testing:

    • Test role permissions
    • Verify access control
    • Check restrictions

User Management

  1. Assign Appropriate Roles:

    • Match role to user needs
    • Don't over-permission
    • Review assignments
  2. Monitor Access:

    • Monitor user access
    • Review activity
    • Audit permissions
  3. Remove Access Promptly:

    • Remove when no longer needed
    • Deactivate users
    • Revoke permissions

Troubleshooting

User Cannot Access Feature

Solutions:

  1. Check user's role
  2. Verify role has permission
  3. Check user-specific permissions
  4. Verify module is enabled
  5. Clear cache

Permission Not Working

Solutions:

  1. Verify permission exists
  2. Check permission assigned to role
  3. Verify user has role
  4. Check for conflicts
  5. Review policies

Role Not Appearing

Solutions:

  1. Check role is active
  2. Verify role exists
  3. Check permissions
  4. Clear cache
  5. Refresh page


Last Updated: [Date will be updated during final review]

Released under the MIT License.