# User Roles & Permissions
Understanding the role-based access control system in Stripes and how permissions are managed across different organizational levels.
## Role Hierarchy Overview
Stripes uses a two-level permission system, with roles defined at the system level and at the project level, so that each user's access matches their responsibilities.
### System Roles vs Project Roles
The application distinguishes between two types of roles:
- **System Roles:** Define global access and administrative capabilities
- **Project Roles:** Define access within specific projects and operational contexts
## System Roles
System roles control access to administrative functions and define what users can do at the organizational level.
### superAdmin
**Scope:** Global system administration
**Capabilities:**
- Complete system access and configuration
- Create and manage all clients, branches, and organizations
- Access to all system modules and functions
- User account creation and role assignment across all organizations
- System-wide settings and configuration management
- Backup, restore, and system maintenance operations
- Access to all audit logs and system reports
**Typical Users:** System administrators, IT support staff
**Access Areas:**
- All System Module functions
- Global settings and configurations
- Cross-client reporting and analytics
- System maintenance and monitoring tools
### admin
**Scope:** Client-level administration
**Capabilities:**
- Full administrative access within assigned clients
- Create and manage branches within their clients
- Manage teams and user accounts for their organization
- Configure client-specific settings and preferences
- Access to all modules within their client scope
- Project creation and management across all branches
**Typical Users:** Organization administrators, IT managers
**Access Areas:**
- Client-specific System Module functions
- All Preparation and Execution modules for their clients
- Client-level reporting and analytics
- Branch and team management
### teamAdmin
**Scope:** Team-level administration
**Capabilities:**
- Manage team members and assignments
- Configure team-specific settings
- Create and manage projects for their teams
- Access to Preparation and Execution modules for their teams
- Team performance monitoring and reporting
**Typical Users:** Team leaders, department managers
**Access Areas:**
- Team management functions
- Project creation for their teams
- Team-specific reporting
- Limited System Module access
### userAdmin
**Scope:** User management
**Capabilities:**
- Create and manage user accounts within their scope
- Assign project roles to users
- Manage user permissions and access
- Monitor user activity and performance
**Typical Users:** HR administrators, project coordinators
**Access Areas:**
- User management interfaces
- Role assignment functions
- User activity reporting
## Project Roles
Project roles define what users can do within specific stocktaking projects during execution.
### teamManager
**Scope:** Project-level team management
**Capabilities:**
- Oversee project execution and progress
- Assign zones and tasks to team members
- Monitor project quality and performance
- Access to all project data and reporting
- Approve or reject scan results and verifications
- Manage project timeline and resource allocation
**Typical Users:** Project managers, senior supervisors
**Access During Project:**
- Full project dashboard access
- Zone assignment and management
- Quality management and verification
- Project export and reporting
- Team performance monitoring
### areaManager
**Scope:** Area or zone-level management
**Capabilities:**
- Manage specific areas or zones within projects
- Assign tasks to employees in their areas
- Review and verify scan results for their zones
- Monitor area-specific performance metrics
- Escalate issues to team managers
**Typical Users:** Area supervisors, floor managers
**Access During Project:**
- Area-specific dashboard views
- Zone management for assigned areas
- Scan verification for their zones
- Area-specific reporting
### employee
**Scope:** Task execution
**Capabilities:**
- Execute assigned stocktaking tasks
- Perform scanning operations
- Update task status and progress
- Access basic project information
- Submit issues and requests for assistance
**Typical Users:** Stock counters, field workers
**Access During Project:**
- Task-specific interfaces
- Scanning functionality
- Basic progress reporting
- Help and support features
## Permission Matrix
### Module Access by System Role
| Module | superAdmin | admin | teamAdmin | userAdmin |
|---|---|---|---|---|
| System Module | Full | Client-scope | Team-scope | Limited |
| Teams | ✓ All | ✓ Client | ✓ Own team | ✗ |
| Users | ✓ All | ✓ Client | ✓ Team | ✓ Assigned |
| Clients | ✓ All | ✓ Own | ✗ | ✗ |
| Branches | ✓ All | ✓ Client | ✗ | ✗ |
| Projects | ✓ All | ✓ Client | ✓ Team | ✗ |
| Settings | ✓ All | ✓ Client | ✓ Team | ✗ |
| Devices | ✓ All | ✓ Client | ✓ Team | ✗ |
| Preparation Module | ✓ All | ✓ Client | ✓ Team | ✗ |
| Execution Module | ✓ All | ✓ Client | ✓ Team | ✗ |
### Project Access by Project Role
| Feature | teamManager | areaManager | employee |
|---|---|---|---|
| Project Dashboard | Full access | Area-specific | Limited view |
| Live Statistics | ✓ All | ✓ Area | ✓ Own tasks |
| Planning | ✓ Manage | ✓ Area only | ✗ |
| Zone Assignment | ✓ All zones | ✓ Own areas | ✗ |
| Scanning Operations | ✓ Monitor | ✓ Execute | ✓ Execute |
| Scan Review | ✓ All | ✓ Area | ✓ Own |
| Verification | ✓ All | ✓ Area | ✗ |
| Quality Management | ✓ Full | ✓ Area | ✗ |
| Export & Reporting | ✓ All | ✓ Area | ✗ |
## Permission Inheritance
### Hierarchical Inheritance
Permissions flow down through the organizational and project hierarchies:

```text
superAdmin → admin → teamAdmin → userAdmin
                      ↓
teamManager → areaManager → employee
```
### Scope Limitations
Each role can operate only within its assigned scope:
- **Geographic Scope:** Clients → Branches → Teams
- **Project Scope:** Organization → Projects → Zones → Tasks
- **Functional Scope:** Module access based on role level
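The system-role module matrix above combined with the scope limitations, as an added deny-by-default authorization check. This is example code written for this page, not Stripes' own implementation; the field names on the user and resource objects (`clientIds`, `teamIds`, `assignedUserIds`, `clientId`, `teamId`, `userId`) are assumptions.

```javascript
// Added example for this page, not Stripes' own code.
// Encodes the "Module Access by System Role" matrix as data and applies the
// Clients -> Branches -> Teams scope chain to every decision. Field names
// (user.clientIds, user.teamIds, user.assignedUserIds, resource.clientId,
// resource.teamId, resource.userId) are assumptions made for the example.

const SCOPE = { ALL: "all", CLIENT: "client", TEAM: "team", ASSIGNED: "assigned", NONE: "none" };

// One row per module, one column per system role, read straight off the table.
// userAdmin's "Limited" System Module access is modelled as the Users row only.
const MODULE_ACCESS = {
  Teams:       { superAdmin: SCOPE.ALL, admin: SCOPE.CLIENT, teamAdmin: SCOPE.TEAM, userAdmin: SCOPE.NONE },
  Users:       { superAdmin: SCOPE.ALL, admin: SCOPE.CLIENT, teamAdmin: SCOPE.TEAM, userAdmin: SCOPE.ASSIGNED },
  Clients:     { superAdmin: SCOPE.ALL, admin: SCOPE.CLIENT, teamAdmin: SCOPE.NONE, userAdmin: SCOPE.NONE },
  Branches:    { superAdmin: SCOPE.ALL, admin: SCOPE.CLIENT, teamAdmin: SCOPE.NONE, userAdmin: SCOPE.NONE },
  Projects:    { superAdmin: SCOPE.ALL, admin: SCOPE.CLIENT, teamAdmin: SCOPE.TEAM, userAdmin: SCOPE.NONE },
  Settings:    { superAdmin: SCOPE.ALL, admin: SCOPE.CLIENT, teamAdmin: SCOPE.TEAM, userAdmin: SCOPE.NONE },
  Devices:     { superAdmin: SCOPE.ALL, admin: SCOPE.CLIENT, teamAdmin: SCOPE.TEAM, userAdmin: SCOPE.NONE },
  Preparation: { superAdmin: SCOPE.ALL, admin: SCOPE.CLIENT, teamAdmin: SCOPE.TEAM, userAdmin: SCOPE.NONE },
  Execution:   { superAdmin: SCOPE.ALL, admin: SCOPE.CLIENT, teamAdmin: SCOPE.TEAM, userAdmin: SCOPE.NONE },
};

// Membership test that refuses undefined or empty ids, so a resource that is
// missing its clientId or teamId can never match a user record by accident.
function hasId(list, id) {
  return typeof id === "string" && id.length > 0 && Array.isArray(list) && list.includes(id);
}

// Deny by default: an unknown module, an unknown role, or a resource outside
// the caller's scope all return false.
function canAccess(user, module, resource) {
  const row = MODULE_ACCESS[module];
  if (!row) return false;
  const scope = row[user.systemRole];
  switch (scope) {
    case SCOPE.ALL:
      return true;
    case SCOPE.CLIENT:
      return hasId(user.clientIds, resource.clientId);
    case SCOPE.TEAM:
      // A team-scoped resource must sit in one of the caller's clients AND teams.
      return hasId(user.clientIds, resource.clientId) && hasId(user.teamIds, resource.teamId);
    case SCOPE.ASSIGNED:
      return hasId(user.assignedUserIds, resource.userId);
    default:
      return false;
  }
}

// Constructed sample principals, one per system role.
const SAMPLE_USERS = {
  root:  { systemRole: "superAdmin", clientIds: [], teamIds: [] },
  alice: { systemRole: "admin", clientIds: ["client-A"], teamIds: [] },
  bob:   { systemRole: "teamAdmin", clientIds: ["client-A"], teamIds: ["team-1"] },
  carol: { systemRole: "userAdmin", clientIds: ["client-A"], teamIds: [], assignedUserIds: ["user-7"] },
};
```

Keeping the matrix as data rather than as scattered `if` statements makes the access review in the audit section a diff of one object, and the `default: return false` branch means a role or module that was never entered in the table cannot be granted anything by omission.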
## Role Assignment Process
### System Role Assignment
#### By superAdmin
1. Access System Module → Users
2. Select user account
3. Edit system role assignment
4. Define client/branch scope if applicable
5. Save changes
#### Role Inheritance
- A user's system role provides their baseline (minimum) permissions
- Additional project roles can be assigned per project
- Roles can be temporary or permanent
### Project Role Assignment
#### During Project Creation
- Project creator assigns initial team roles
- Team managers can assign area managers
- Area managers can assign employees to specific zones
#### Dynamic Assignment
- Roles can be modified during project execution
- Temporary role elevation for specific tasks
- Emergency role reassignment capabilities
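The project role assignment rules above (creator assigns team roles, team managers assign area managers, area managers assign employees) together with temporary elevation, as an added example. This is code written for this page, not Stripes' own; the grant record fields and the use of millisecond timestamps are assumptions.

```javascript
// Added example for this page, not Stripes' own code.
// Project role grants with an optional expiry (temporary elevation) and an
// assigner rule taken from the assignment steps: team managers hand out
// areaManager and employee, area managers hand out employee only.
// Grant field names and numeric (ms) timestamps are assumptions.

const PROJECT_ROLE_RANK = { employee: 1, areaManager: 2, teamManager: 3 };

// Which project roles each role may grant to others.
const MAY_GRANT = {
  teamManager: ["areaManager", "employee"],
  areaManager: ["employee"],
  employee: [],
};

// Highest project role the user currently holds on the project, ignoring
// expired grants; null when they hold none.
function effectiveProjectRole(grants, userId, projectId, now) {
  let best = null;
  for (const g of grants) {
    if (g.userId !== userId || g.projectId !== projectId) continue;
    if (g.expiresAt !== null && g.expiresAt <= now) continue; // lapsed elevation no longer counts
    if (best === null || PROJECT_ROLE_RANK[g.role] > PROJECT_ROLE_RANK[best]) best = g.role;
  }
  return best;
}

// True when the assigner's current role on the project may grant `role`.
function canGrant(grants, assignerId, projectId, role, now) {
  const assignerRole = effectiveProjectRole(grants, assignerId, projectId, now);
  return assignerRole !== null && MAY_GRANT[assignerRole].includes(role);
}

// Records a grant or throws. `expiresAt === null` means permanent; otherwise the
// grant is a temporary elevation that lapses on its own, with no removal step.
function assignProjectRole(grants, { assignerId, userId, projectId, role, now, expiresAt = null }) {
  if (!canGrant(grants, assignerId, projectId, role, now)) {
    throw new Error(`${assignerId} may not grant ${role} on ${projectId}`);
  }
  if (expiresAt !== null && expiresAt <= now) throw new Error("expiresAt must lie in the future");
  const grant = { assignerId, userId, projectId, role, grantedAt: now, expiresAt };
  grants.push(grant);
  return grant;
}

// Constructed scenario: the project creator holds teamManager from creation,
// appoints an area manager, who in turn adds a counter for one hour only.
function buildScenario() {
  const grants = [
    { assignerId: "project-creation", userId: "pm-1", projectId: "proj-1", role: "teamManager", grantedAt: 0, expiresAt: null },
  ];
  assignProjectRole(grants, { assignerId: "pm-1", userId: "sup-1", projectId: "proj-1", role: "areaManager", now: 1000 });
  assignProjectRole(grants, {
    assignerId: "sup-1", userId: "w-1", projectId: "proj-1", role: "employee",
    now: 2000, expiresAt: 2000 + 3600 * 1000,
  });
  return grants;
}
```

Because `effectiveProjectRole` is evaluated at request time, a temporary grant needs no clean-up job: once `expiresAt` passes, the user simply has no role on the project, and the grant record stays behind as the audit trail for the elevation.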
## Security Considerations
### Access Control Implementation
#### Route Protection
- All routes are protected by role requirements
- Middleware checks permissions before page access
- Real-time permission validation
#### Data Filtering
- Database queries automatically filter by user scope
- API endpoints respect role limitations
- Client-side UI elements hide unauthorized features
### Session Management
- Role permissions cached in user sessions
- Automatic session refresh on role changes
- Session timeout based on role security level
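Route protection with session-cached roles that are refreshed when a role changes, as an added example. It is written for this page in the shape of an Express-style `(req, res, next)` middleware without depending on Express, and is not Stripes' own middleware; the user store, the session fields and the `roleVersion` counter are assumptions.

```javascript
// Added example for this page, not Stripes' own code.
// A route guard in the shape of an Express-style middleware (req, res, next).
// The session caches the user's system role together with a role version;
// changing a role bumps the version in the user store, so a request that
// carries a stale session reloads the role before the check instead of
// trusting the cached copy. Store and session shapes are assumptions.

const USER_STORE = new Map(); // userId -> { systemRole, roleVersion }

// Role change: store the new role and bump the version sessions compare against.
function setSystemRole(userId, systemRole) {
  const current = USER_STORE.get(userId) || { systemRole: null, roleVersion: 0 };
  USER_STORE.set(userId, { systemRole, roleVersion: current.roleVersion + 1 });
}

function createSession(userId) {
  const u = USER_STORE.get(userId);
  if (!u) throw new Error(`unknown user ${userId}`);
  return { userId, systemRole: u.systemRole, roleVersion: u.roleVersion };
}

// Re-read the role when the stored version has moved on; null if the user is gone.
function refreshSession(session) {
  const u = USER_STORE.get(session.userId);
  if (!u) return null;
  if (u.roleVersion !== session.roleVersion) {
    session.systemRole = u.systemRole;
    session.roleVersion = u.roleVersion;
  }
  return session;
}

// Guard factory: 401 without a valid session, 403 when the refreshed role is not allowed.
function requireSystemRole(allowedRoles) {
  return function guard(req, res, next) {
    const session = req.session ? refreshSession(req.session) : null;
    if (!session) return res.status(401).end("unauthenticated");
    if (!allowedRoles.includes(session.systemRole)) return res.status(403).end("forbidden");
    return next();
  };
}

// Minimal stand-in for req/res so the guard runs without a web framework.
function invoke(guard, session) {
  const res = {
    code: 200,
    body: null,
    status(c) { this.code = c; return this; },
    end(b) { this.body = b; return this; },
  };
  let reachedHandler = false;
  guard({ session }, res, () => { reachedHandler = true; res.body = "ok"; });
  return { code: res.code, reachedHandler };
}

// Constructed walk-through: an admin passes, is then demoted, and the same
// session object is re-checked and refused; an anonymous request gets 401.
function demo() {
  const guard = requireSystemRole(["superAdmin", "admin"]);
  setSystemRole("alice", "admin");
  const session = createSession("alice");
  const before = invoke(guard, session);
  setSystemRole("alice", "userAdmin");   // role change bumps the version
  const after = invoke(guard, session);  // stale session is refreshed, then denied
  const anonymous = invoke(guard, undefined);
  return { before, after, anonymous };
}
```

The version compare is what makes "automatic session refresh on role changes" cheap: the hot path is one map lookup and an integer comparison, and the full role reload only happens on the first request after a change, so a demoted user cannot keep using a session that was issued while they still held the higher role.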
## Audit and Compliance
### Permission Tracking
- All role assignments are logged
- Permission changes create audit trails
- Regular access reviews and reporting
### Compliance Features
- Role-based data access logging
- Regulatory compliance reporting
- Data retention policy enforcement
## Best Practices
### Role Assignment Guidelines
#### Principle of Least Privilege
- Assign minimum permissions required for job function
- Regular review and removal of unused permissions
- Time-limited elevated access when needed
#### Separation of Duties
- No single user should have complete control
- Critical operations require multiple approvals
- Regular rotation of administrative responsibilities
### Organizational Structure
#### Clear Hierarchy
- Define clear reporting relationships
- Match system roles to organizational structure
- Regular alignment reviews
#### Training and Documentation
- Role-specific training programs
- Clear documentation of responsibilities
- Regular updates on permission changes
### Security Monitoring
#### Regular Audits
- Periodic review of all role assignments
- Analysis of access patterns and usage
- Identification of unnecessary permissions
#### Anomaly Detection
- Monitor for unusual access patterns
- Alert on permission escalation attempts
- Track failed authorization attempts
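Two of the monitoring points above (alerting on permission escalation attempts and tracking failed authorization attempts) run over a handful of constructed audit lines, as an added example. The code is written for this page, not taken from Stripes; the log line format (ISO timestamp, event name, `key=value` fields) and the event names `AUTHZ_DENIED` and `ROLE_ASSIGNED` are assumptions.

```javascript
// Added example for this page, not Stripes' own code.
// Two detections over constructed audit lines: a burst of denied authorization
// for one user inside a sliding time window, and role grants that are above
// the granter's own role or that a user made to themselves. The line format
// (ISO timestamp, event name, key=value fields) is an assumption.

const SYSTEM_ROLE_RANK = { userAdmin: 1, teamAdmin: 2, admin: 3, superAdmin: 4 };
const PROJECT_ROLE_RANK = { employee: 1, areaManager: 2, teamManager: 3 };

// Constructed sample log; not real Stripes output.
const SAMPLE_LOG = [
  "2024-05-01T10:00:01Z AUTHZ_DENIED user=bob route=/system/clients",
  "2024-05-01T10:00:05Z AUTHZ_DENIED user=bob route=/system/branches",
  "2024-05-01T10:00:09Z AUTHZ_DENIED user=bob route=/system/settings",
  "2024-05-01T10:00:12Z AUTHZ_DENIED user=bob route=/system/users",
  "2024-05-01T10:00:30Z AUTHZ_DENIED user=carol route=/system/clients",
  "2024-05-01T10:07:00Z AUTHZ_DENIED user=carol route=/system/clients",
  "2024-05-01T10:01:00Z ROLE_ASSIGNED scope=system by=alice by_role=admin target=dave role=teamAdmin",
  "2024-05-01T10:02:00Z ROLE_ASSIGNED scope=system by=dave by_role=teamAdmin target=dave role=admin",
  "2024-05-01T10:03:00Z ROLE_ASSIGNED scope=project by=sup1 by_role=areaManager target=w1 role=teamManager",
];

// "<ts> <EVENT> k=v k=v ..." -> { ts (ms), event, ...fields }
function parseLine(line) {
  const [ts, event, ...rest] = line.trim().split(/\s+/);
  const fields = {};
  for (const pair of rest) {
    const i = pair.indexOf("=");
    if (i > 0) fields[pair.slice(0, i)] = pair.slice(i + 1);
  }
  return { ts: Date.parse(ts), event, ...fields };
}

// Users with at least `threshold` denials inside some `windowMs` sliding window.
function deniedBursts(lines, { threshold, windowMs }) {
  const byUser = new Map();
  for (const e of lines.map(parseLine)) {
    if (e.event !== "AUTHZ_DENIED" || !e.user) continue;
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push(e.ts);
  }
  const flagged = [];
  for (const [user, times] of byUser) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++; // slide the window forward
      if (end - start + 1 >= threshold) { flagged.push(user); break; }
    }
  }
  return flagged;
}

// Grants to review: self-grants, grants of a role ranked above the granter's
// own, and grants naming a role the rank tables do not know.
function suspiciousGrants(lines) {
  const out = [];
  for (const e of lines.map(parseLine)) {
    if (e.event !== "ROLE_ASSIGNED") continue;
    const rank = e.scope === "project" ? PROJECT_ROLE_RANK : SYSTEM_ROLE_RANK;
    const granter = rank[e.by_role];
    const granted = rank[e.role];
    let reason = null;
    if (e.by === e.target) reason = "self-grant";
    else if (granter === undefined || granted === undefined) reason = "unknown-role";
    else if (granted > granter) reason = "grant-above-own-role";
    if (reason) out.push({ ts: e.ts, by: e.by, target: e.target, role: e.role, reason });
  }
  return out;
}

function runDetections(lines = SAMPLE_LOG) {
  return {
    bursts: deniedBursts(lines, { threshold: 3, windowMs: 60 * 1000 }),
    grants: suspiciousGrants(lines),
  };
}
```

On the sample, `bob` is flagged for four denials in eleven seconds while `carol`'s two denials are six minutes apart and are not; the self-grant by `dave` and the grant of `teamManager` by an `areaManager` are both returned for review. Thresholds and windows are tuning knobs; the point is that both signals come straight from the role-assignment and authorization logs the audit section already requires.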
## Common Role Scenarios
### Multi-Client Organization
- superAdmin manages multiple client organizations
- Each client has dedicated admin users
- Cross-client reporting limited to superAdmin
### Distributed Teams
- Regional teamAdmin roles for different geographic areas
- Project-specific role assignments
- Temporary role elevation for coverage
### Contractor Management
- Limited-scope roles for external contractors
- Time-limited access assignments
- Restricted data access based on contract terms
### Emergency Procedures
- Emergency role escalation procedures
- Temporary admin access protocols
- Audit trail for emergency actions