
Understanding Roles & Permissions

Control what users can see and do in Infodeck by assigning roles with specific permissions.

Quick Summary

Infodeck uses a role-based access control (RBAC) system. Assign users to roles, and roles define what permissions they have.


Before You Begin

Requirements
  • You need roles:read to view roles
  • You need roles:create to create custom roles
  • You need roles:update to modify roles
  • Admin access to assign roles to users

How Permissions Work

👤 User → 🎭 Role → 📋 Policies → ✅ Permissions
| Component | Description | Example |
| --- | --- | --- |
| User | Individual account | john@company.com |
| Role | Collection of policies | "Maintenance Manager" |
| Policy | Rule defining access | Allow work-orders:* |
| Permission | Specific action | work-orders:create |

System Roles

Infodeck includes system roles that come pre-configured:

| Role | Description | Typical Users |
| --- | --- | --- |
| Administrator | Full system control: manage users, teams, billing, and all settings | IT admins, system owners |
| Manager | Operational management: create work orders, assets, locations, configure IoT | Supervisors, managers |
| Field Technician | Field operations: update assigned work orders, view assets, submit forms | Maintenance staff |
| Tenant/Requester | Basic access: submit work requests, view assigned locations, fill forms | General staff, tenants |
System Roles

System roles are protected and cannot be deleted. They provide the foundation for access control in your organization. Custom teams can be created with custom roles on Basic plan and above.

App Role Permissions Summary

Capability | Admin | Approver | Requester | Viewer
View work orders
Create work requests
Approve work orders
Create work orders
Manage users
Manage settings
View dashboards
Edit dashboards

Creating Custom Roles

Step 1: Open Role Settings

  1. Go to Settings in the sidebar
  2. Click Roles
  3. Click Create Role

Step 2: Define Role Basics

| Field | Required | Description |
| --- | --- | --- |
| Name | Yes | Role name (e.g., "Facility Manager") |
| Description | No | Purpose of this role |

Step 3: Add Policies

Policies define what the role can do:

```json
{
  "resources": ["work-orders"],
  "actions": ["read", "create", "update"],
  "effect": "Allow"
}
```

| Policy Field | Options | Description |
| --- | --- | --- |
| Resources | work-orders, assets, locations, etc. | What to control |
| Actions | read, create, update, delete, * | What operations |
| Effect | Allow, Deny | Grant or restrict |

Step 4: Save Role

  1. Review policies
  2. Click Create or Save
  3. Role is available for assignment

Permission Categories

Work Orders

| Permission | Description |
| --- | --- |
| work-orders:read | View work orders |
| work-orders:create | Create new work orders |
| work-orders:update | Edit work orders |
| work-orders:delete | Delete work orders |
| work-orders:approve | Approve/reject work orders |
| work-orders:assign | Assign work orders to users/teams |

Assets

| Permission | Description |
| --- | --- |
| assets:read | View assets |
| assets:create | Register new assets |
| assets:update | Edit asset information |
| assets:delete | Remove assets |

Locations

| Permission | Description |
| --- | --- |
| locations:read | View locations |
| locations:create | Create new locations |
| locations:update | Edit locations |
| locations:delete | Remove locations |

Users & Teams

| Permission | Description |
| --- | --- |
| users:read | View user list |
| users:invite | Invite new users |
| users:update | Edit user profiles |
| users:delete | Deactivate users |
| teams:create | Create teams |
| teams:update | Edit teams |
| teams:delete | Remove teams |

Dashboards

| Permission | Description |
| --- | --- |
| decks:read | View dashboards |
| decks:create | Create dashboards |
| decks:update | Edit dashboards |
| decks:delete | Remove dashboards |

IoT & Integrations

| Permission | Description |
| --- | --- |
| iot:read | View IoT devices |
| iot:manage | Send commands, configure devices |
| integrations:manage | Configure integration services |

Real-World Examples

Example 1: Create "Maintenance Supervisor" Role

Situation: Maintenance supervisors need to manage work orders and their team, but shouldn't access billing or system settings.

Solution:

  1. Go to Settings (gear icon) → Teams / Members → Teams tab
  2. Click Create Role
  3. Enter:
    • Name: Maintenance Supervisor
    • Description: "Manage work orders and maintenance team"
  4. Add policies:
    Allow: work-orders:*
    Allow: assets:read
    Allow: locations:read
    Allow: teams:read
    Allow: users:read
  5. Save role
  6. Assign to supervisor users

Result: Supervisors can fully manage work orders and view assets/locations, but cannot modify system settings.


Example 2: Create "Read-Only Auditor" Role

Situation: External auditors need to view all data for compliance review but must not be able to change anything.

Solution:

  1. Go to Settings (gear icon) → Teams / Members → Teams tab
  2. Click Create Role
  3. Enter:
    • Name: Compliance Auditor
    • Description: "Read-only access for external audits"
  4. Add policies:
    Allow: work-orders:read
    Allow: assets:read
    Allow: locations:read
    Allow: forms:read
    Allow: decks:read
  5. Explicitly deny write operations:
    Deny: *:create
    Deny: *:update
    Deny: *:delete
  6. Save role

Result: Auditors can view everything but cannot modify any records.


Example 3: Create "IoT Administrator" Role

Situation: IT team manages IoT devices and integrations but doesn't need access to work orders or user management.

Solution:

  1. Go to Settings (gear icon) → Teams / Members → Teams tab
  2. Click Create Role
  3. Enter:
    • Name: IoT Administrator
    • Description: "Manage IoT devices and integration services"
  4. Add policies:
    Allow: iot:*
    Allow: integrations:*
    Allow: assets:read (view sensors as assets)
    Allow: decks:* (create IoT dashboards)
  5. Save role

Result: IT staff can fully manage IoT infrastructure without accessing operational features.


Example 4: Create "Building Manager" Role

Situation: Building managers need to see their building's work orders and assets but shouldn't access other buildings or system settings.

Solution:

  1. Go to Settings (gear icon) → Teams / Members → Teams tab
  2. Click Create Role
  3. Enter:
    • Name: Building Manager
    • Description: "View and manage single building operations"
  4. Add policies:
    Allow: work-orders:read
    Allow: work-orders:create
    Allow: assets:read
    Allow: locations:read
    Allow: decks:read
  5. Combine with team-based access control:
    • Assign manager to building-specific team
    • Restrict asset visibility to team

Result: Manager sees only their building's data based on team membership.


Assigning Roles to Users

Step 1: Open User Profile

  1. Go to Settings (gear icon) → Teams / Members
  2. Click on the user

Step 2: Update App Role

  1. Click Edit
  2. Find App Role field
  3. Select the appropriate role
  4. Click Save

Step 3: Verify Access

  1. User's permissions update immediately
  2. User may need to refresh their browser
  3. Test access to confirm correct permissions

Role Hierarchy and Conflicts

Policy Evaluation Order

When a user has multiple policies:

  1. Explicit Deny wins over Allow
  2. More specific policies override general ones
  3. If no matching policy, action is denied

Example Conflict Resolution

Policy 1: Allow work-orders:*
Policy 2: Deny work-orders:delete

Result: User can read, create, update work orders but CANNOT delete
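
The evaluation order and the conflict above can be checked offline before a role is assigned. The following is an added example, not Infodeck's implementation: it uses the policy JSON shape from Step 3, assumes `*` matches any resource or action, and treats any matching Deny as final. It does not model rule 2 (specificity), since the page does not define how that interacts with Deny.

```python
# Added example: not Infodeck's implementation. Wildcard matching and the
# treatment of any matching Deny as final are assumptions.

def _matches(patterns, value):
    # Assumption: "*" matches any resource or any action.
    return "*" in patterns or value in patterns

def decide(policies, permission):
    """Return (allowed, reason) for a 'resource:action' permission string."""
    resource, action = permission.split(":", 1)
    allowed = False
    for p in policies:
        if _matches(p["resources"], resource) and _matches(p["actions"], action):
            if p["effect"] == "Deny":
                return False, "explicit-deny"   # rule 1: Deny wins over Allow
            allowed = True
    # Rule 3: with no matching policy the action is denied.
    return (True, "allow") if allowed else (False, "default-deny")

def wildcard_allows(policies):
    """Least-privilege lint: Allow policies that use '*' anywhere."""
    return [p for p in policies if p["effect"] == "Allow"
            and ("*" in p["resources"] or "*" in p["actions"])]

# Constructed policy sets mirroring the conflict example above and the
# "Compliance Auditor" role from Example 2.
CONFLICT = [
    {"resources": ["work-orders"], "actions": ["*"], "effect": "Allow"},
    {"resources": ["work-orders"], "actions": ["delete"], "effect": "Deny"},
]
AUDITOR = [
    {"resources": ["work-orders", "assets", "locations", "forms", "decks"],
     "actions": ["read"], "effect": "Allow"},
    {"resources": ["*"], "actions": ["create", "update", "delete"],
     "effect": "Deny"},
]

if __name__ == "__main__":
    checks = ("work-orders:read", "work-orders:delete",
              "work-orders:approve", "users:invite")
    for name, role in (("conflict", CONFLICT), ("auditor", AUDITOR)):
        for perm in checks:
            print(name, perm, decide(role, perm))
        print(name, "wildcard allows:", wildcard_allows(role))
```

The reason string separates a 403 caused by an explicit Deny from one caused by a missing Allow. For the auditor role, `work-orders:approve` is blocked only by default deny, because the role's Deny policies list create, update, and delete but not approve.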

Best Practices

Principle of Least Privilege

Grant only the permissions needed for the job:

| Bad Practice | Good Practice |
| --- | --- |
| Give everyone Admin | Create specific roles |
| Use wildcard (*) everywhere | List specific actions |
| One role for all | Role per function |

Regular Audits

| Frequency | Action |
| --- | --- |
| Monthly | Review admin accounts |
| Quarterly | Audit all roles |
| Annually | Full permission review |

Documentation

For each custom role, document:

  • Purpose and intended users
  • List of permissions
  • When it was created/modified
  • Approval process

Troubleshooting

User Can't Access Feature

| Issue | Cause | Solution |
| --- | --- | --- |
| Button disabled | Missing permission | Add permission to role |
| 403 error | Denied by policy | Check for explicit Deny |
| Feature hidden | Role doesn't include it | Update role policies |

Permission Changes Not Working

| Issue | Cause | Solution |
| --- | --- | --- |
| Old permissions still active | Browser cache | User should refresh/logout |
| Changes not saved | Validation error | Check all required fields |


Need help? Contact Infodeck Support
