Admin Roles & Permissions
This page explains how to design admin roles for the Colabmacs admin interface.
For the conceptual background on system roles, provided roles, and how roles interact with Access Rules, see Authorization.
Admin Access Model
The admin side of the app is permission-gated in two layers:
- A user must have access nova to enter the admin interface at all
- Once inside Nova, each admin resource and menu item is shown only if the user has the corresponding manage xxx permission
This means a user can have access nova but still see only a small subset of the admin area.
Recommended Pattern
When building admin roles, start with access nova, then add only the specific manage xxx permissions needed for that job function.
How Nova Visibility Works
If a user is missing a Nova page, tool, or menu item, check permissions in this order:
- Confirm the user has access nova
- Confirm the user has the matching manage xxx permission for that resource
- Confirm the user’s role changes have been saved and the permissions cache has been flushed if needed
Examples:
- To see Resources, the user needs manage resources
- To see Infrastructure, the user needs manage infrastructure
- To see Interlocks, the user needs manage interlocks
- To see Invoices, the user needs manage invoices
- To see Training Records, the user needs manage training records
This approach makes it much easier to create focused admin roles without exposing unrelated parts of the system.
Creating and Managing Admin Roles
When creating or editing an admin role:
- Choose a clear, descriptive name
- Add access nova if the role should use the admin interface
- Assign only the permissions required for that responsibility
- Follow the principle of least privilege
Best Practice
Design roles around job functions, not individuals.
The recommended process is:
- Start with access nova
- Add the specific manage xxx permissions for the resources that role should administer
- Avoid broad catch-all roles unless the user truly needs cross-functional access
- Test the role using a non-admin account before assigning it widely
Example: tool-manager
A focused tool-manager role might include:
- access nova
- manage resources
- manage infrastructure
- manage resource configurations
- manage resource types
- manage interlocks
- manage downtimes
- manage schedules
- manage business hours
- manage locations
- manage processes
- manage process areas
- manage materials
This role lets a staff member manage equipment and operational setup without giving them access to billing, user administration, or training administration.
Common Admin Role Examples
These are starting points, not mandatory templates. Each facility should adjust them to match its actual workflows.
billing-admin
Typical permissions:
- access nova
- manage charges
- manage invoices
- manage statements
- manage rates
- manage billing rules
- manage quotes
- manage subscriptions
- manage usage records
Use this role for finance or operations staff who need to review usage-derived billing, invoices, statements, and recurring subscription billing.
resource-admin
Typical permissions:
- access nova
- manage resources
- manage infrastructure
- manage resource configurations
- manage resource types
- manage interlocks
- manage downtimes
- manage schedules
- manage business hours
- manage locations
- manage materials
- manage processes
- manage process areas
- manage access rules
Use this role for tool, lab, or facility managers responsible for operational resource setup and availability.
training-admin
Typical permissions:
- access nova
- manage trainings
- manage training sessions
- manage training records
- manage requests
- manage request types
Depending on your workflow, this role may also need:
- manage resources
- manage users
Use this role for staff who coordinate onboarding, training delivery, certification, and retraining.
system-admin
Typical permissions:
- access nova
- manage users
- manage roles
- manage permissions
- manage teams
- manage projects
- manage request types
- manage locations
- manage resources
- manage trainings
- manage invoices
- manage statements
This role is appropriate for a trusted facility administrator who configures the platform across multiple areas.
System Administrator Caution
Even for high-trust administrators, prefer assigning the specific manage xxx permissions they need rather than using manage application.
Troubleshooting Missing Admin Items
If an administrator says:
- “I can’t get into the admin area”
- “The menu item is missing”
- “Another admin can see this page, but I can’t”
check the following:
- Does the user have access nova?
- Does the user have the correct manage xxx permission?
- Was the role actually assigned to the user?
- Has the permissions cache been flushed after changing the role?
Flushing Permissions Cache
Due to permission caching, if you modify the permissions of a role, you will need to flush the cache in order for the changes to take immediate effect.
To flush the permissions cache, navigate to Authorization → Roles or Authorization → Permissions and click the Flush Permissions Cache button.
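The following is an added example, not part of the Colabmacs documentation or code base: a Python check that audits a role definition against the admin areas its job function should cover, and walks the visibility checks described above. The data model (roles as lists of permission names, a `cached` set of the permissions currently in effect) and the lab-helper role are assumptions made for illustration; the permission names come from this page.

```python
ACCESS, BROAD = "access nova", "manage application"
# Admin areas and permission names from this page's appendix tables (shortened).
AREAS = {
    "core": "roles,permissions,users,teams,projects,project types,project users,tags",
    "resources": "resources,infrastructure,resource configurations,resource types,"
                 "interlocks,downtimes,schedules,business hours,locations,materials,"
                 "processes,process areas,access rules",
    "training": "trainings,training sessions,training records",
    "billing": "charges,invoices,statements,usage records,usage sessions,rates,"
               "billing rules,quotes,subscriptions",
}
AREA_OF = {f"manage {n}": a for a, names in AREAS.items() for n in names.split(",")}

def audit_role(perms, allowed_areas):
    """Least-privilege findings for one role; an empty list means it is focused."""
    perms, findings = set(perms), []
    if ACCESS not in perms:
        findings.append("missing 'access nova': role cannot enter the admin interface")
    if BROAD in perms:
        findings.append("uses 'manage application': assign specific manage permissions")
    for p in sorted(perms - {ACCESS, BROAD}):
        area = AREA_OF.get(p, "unlisted")
        if area not in allowed_areas:
            findings.append(f"'{p}' is outside the job function (area: {area})")
    return findings

def diagnose(assigned, roles, cached, needed):
    """Run the page's checks for an admin item the user cannot see."""
    if not assigned:
        return "no role assigned to the user"
    granted = set().union(*(roles[r] for r in assigned))
    if ACCESS not in granted:
        return "missing 'access nova'"
    if needed not in granted:
        return f"missing '{needed}'"
    if not {ACCESS, needed} <= set(cached):
        return "role is correct; flush the permissions cache"
    return "visible"

# Constructed sample data: tool-manager follows the page, lab-helper is invented.
ROLES = {
    "tool-manager": ["access nova", "manage resources", "manage infrastructure",
                     "manage interlocks", "manage downtimes", "manage schedules"],
    "lab-helper": ["manage interlocks", "manage invoices", "manage application"],
}

if __name__ == "__main__":
    for name, perms in ROLES.items():
        print(name, audit_role(perms, {"resources"}))
```

Running the audit over exported role definitions before assigning a role widely surfaces permissions that have drifted outside the intended job function.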
Appendix: Common Admin manage xxx Permissions
The full permission list in Colabmacs is extensive. For most admin-role design, the most important permissions are the Nova-facing manage xxx permissions listed below.
Core Administration
| Admin Area | Permission |
|---|---|
| Admin interface access | access nova |
| Roles | manage roles |
| Permissions | manage permissions |
| Users | manage users |
| Teams | manage teams |
| Projects | manage projects |
| Project types | manage project types |
| Project users | manage project users |
| Tags | manage tags |
Resources & Operations
| Admin Area | Permission |
|---|---|
| Resources | manage resources |
| Infrastructure | manage infrastructure |
| Resource configurations | manage resource configurations |
| Resource types | manage resource types |
| Interlocks | manage interlocks |
| Downtimes | manage downtimes |
| Schedules | manage schedules |
| Business hours | manage business hours |
| Locations | manage locations |
| Materials | manage materials |
| Processes | manage processes |
| Process areas | manage process areas |
| Access rules | manage access rules |
| Options | manage options |
| Parameters | manage parameters |
| Media | manage media |
| Samples | manage samples |
| Calendars | manage calendars |
| Events | manage events |
| Event types | manage event types |
Training
| Admin Area | Permission |
|---|---|
| Trainings | manage trainings |
| Training sessions | manage training sessions |
| Training records | manage training records |
Requests & Communication
| Admin Area | Permission |
|---|---|
| Requests | manage requests |
| Request types | manage request types |
| Broadcast messages | manage broadcast messages |
| Group communications | manage group communications |
Billing
| Admin Area | Permission |
|---|---|
| Charges | manage charges |
| Invoices | manage invoices |
| Statements | manage statements |
| Usage records | manage usage records |
| Usage sessions | manage usage sessions |
| Rates | manage rates |
| Billing rules | manage billing rules |
| Quotes | manage quotes |
| Subscriptions | manage subscriptions |
Other Available manage xxx Permissions
Depending on your setup, you may also use:
- manage addresses
- manage notifiable subscriptions
- manage export batches
- manage export batch items