Authorization
Overview
Colabmacs uses role-based access control (RBAC) to determine what users can see and do in the system. Authorization is built on two distinct role concepts that work together:
- System Roles – explicitly assigned to users by administrators
- Provided Roles – dynamically granted to users through valid Training Records
Both role types can be referenced by Access Rules to control booking, activation, and usage behavior.
Key Principle
Users should never be granted permissions directly. All access is managed through roles.
Role Types Explained
System Roles
System Roles are assigned directly to users and represent their functional responsibilities within the facility.
Examples include:
adminmanagertrainerstaffuser
System roles:
- Are long-lived
- Reflect organizational or job responsibilities
- Grant access to administrative features and UI sections
- Are managed exclusively by administrators
Example
A user with the trainer system role can manage training sessions and training records.
Provided Roles (Training-Based Roles)
Provided Roles are not assigned manually. They are automatically granted to users when they hold a valid Training Record.
Key characteristics:
- Derived from training completion
- Automatically added and removed as training records change state
- Only exist while the training record is Valid
- Used primarily for operational and safety-based access control
Example
Completing “Laser Cutter Certification” may provide the role laser-certified.
If the training expires or is revoked, the role is removed automatically.
Permissions
What Permissions Are
Permissions represent atomic actions in the system (for example: manage_users, view_reports). Permissions are grouped into roles but are never assigned directly to users.
Managing Permissions
Permissions are system-defined and tightly coupled to application behavior.
Important
Administrators should not create or modify permissions unless explicitly instructed by the Colabmacs development team. Custom permissions will not be recognized by the application.
Roles
Viewing Roles
Navigate to Authorization → Roles to view all available roles.
Roles represent collections of permissions that define what a user can do.
Common System Roles
| Role | Purpose |
|---|---|
admin | Full system access |
manager | Facility and operational management |
trainer | Training delivery and record management |
staff | Operational access |
user | Basic end-user access |
Permission Examples
Admin
- manage users
- manage roles
- manage resources
- manage trainings
- manage schedules
Trainer
- manage training sessions
- manage training records
- view schedules
User
- view resources
- create bookings
- view own usage
- view own training records
Creating and Managing Roles
When creating or editing a role:
- Choose a clear, descriptive name
- Assign only the permissions required for that responsibility
- Follow the principle of least privilege
Best Practice
Design roles around job functions, not individuals.
Flushing Permissions Cache
Due to permission caching, if you modify the permissions of a role, you will need to flush the cache in order for the changes to take immediate effect. To flush the permissions cache, navigate to Authorization → Roles or Authorization → Permissions and click the Flush Permissions Cache button.
Security
- Regularly audit role permissions
- Don't create overly broad roles
- Separate sensitive permissions (e.g., manage_roles, manage_users)
- Test role access before assigning to users
Using Roles with Access Rules
Both System Roles and Provided Roles can be referenced inside Access Rules.
Access Rules support parameters such as:
includeRolesexcludeRoles
These parameters allow rules to target:
- Users with specific system roles
- Users who currently hold a training-derived role
📎 See: Role-Based Rule Application
Example: Training-Gated Resource Access
Scenario:
- Resource: Laser Cutter
- Training: Laser Safety Certification
- Provided Role:
laser-certified
Access Rule Logic:
- Allow booking only if user has role
laser-certified
Result:
- User completes training → role is granted → booking allowed
- Training expires → role removed → booking blocked
No manual role changes required.
Key Distinctions (Summary)
| Concept | System Roles | Provided Roles |
|---|---|---|
| Assigned by admin | ✅ | ❌ |
| Derived from training | ❌ | ✅ |
| Long-lived | ✅ | ❌ |
| Used in access rules | ✅ | ✅ |
| Automatically revoked | ❌ | ✅ |
Frontend Visibility & Permissions
Many frontend UI elements are permission-aware.
Removing a view_* permission does not only restrict actions — it can hide entire sections of the user interface.
This behavior is intentional and supports a clean, least-privilege experience.
How This Works
- Navigation items are hidden if the user lacks
view_*permission - Dashboard widgets appear only when relevant permissions exist
- Tabs and panels may be completely removed from view
No data is deleted — it is simply not rendered.
Examples
view_downtimes
If removed:
- Downtime panel disappears from the User Dashboard
- Downtime section hidden from Resource detail pages
- User cannot see upcoming maintenance windows
view_requests
If removed:
- Requests menu item is hidden
- User cannot view submitted requests
- Comment threads are inaccessible
view_training_records
If removed:
- Training history is hidden from the user
- Training status indicators may not appear
- Can cause confusion if training is still required by Access Rules
Warning
A user may fail a booking rule due to missing training while being unable to see why
if view_training_records is removed.
Best Practices
- Treat
view_*permissions as UI visibility toggles - Test role changes using a non-admin account
- Use system roles for administrative authority
- Use training + provided roles for operational safety and access
- Never assign permissions directly to users
- Let training validity drive access wherever possible
Final Note
If you find yourself manually managing access frequently, it usually indicates a training or access-rule configuration opportunity.