User Role System & Hierarchy
Role-Based Access Control: EcoHexagon implements a hierarchical RBAC system with four distinct user roles: Full Access > Admin > Project Manager > Team Member.
Role Hierarchy Overview
Level 1: Team Member
Basic user access
- Assigned tasks only
- Personal productivity
- Limited access
Level 2: Project Manager
Project-specific management
- Managed projects
- Team coordination
- Project financials
Level 3: Admin
Platform administration
- System configuration
- User management
- Most settings
Level 4: Full Access
Complete platform access
- Unrestricted access
- System maintenance
- No restrictions
Team Member (Basic Role)
Permission Level: Basic user access
Typical Users: General staff, contractors, part-time workers
Access Capabilities
- Task Management: View and manage assigned tasks only
- Time Tracking: Submit timesheets and track personal time
- Project Access: Access assigned projects and related information
- Client Information: View client information for assigned projects
- Team Communication: Participate in team communications
- Productivity Tools: Access personal productivity tools (notes, to-do, reminders)
Access Restrictions
- User Management: Cannot manage other users or change permissions
- Administration: No access to administrative settings
- Financial Data: Cannot view financial information (invoices, payments)
- Reporting: Limited reporting access (personal reports only)
- Project Creation: Cannot create or manage projects independently
Ideal For: General employees, freelancers and contractors, junior team members, task-focused roles
Project Manager (Mid-Level Role)
Permission Level: Project-specific management
Typical Users: Team leads, department heads, project coordinators
Access Capabilities
- Project Management: Full access to managed projects and their resources
- Team Management: Manage project team members and assignments
- Task Creation: Create and assign tasks within projects
- Project Financials: View and manage project-related financial information
- Project Reporting: Access project-specific reports and analytics
- Timeline Management: Manage project timelines and deadlines
- Stakeholder Communication: Communicate with project stakeholders
Access Restrictions
- Project Scope: Cannot access projects not under their management
- Company Financials: Limited access to company-wide financial data
- User Permissions: Cannot change user roles or permissions
- System Administration: No access to system administration settings
- Module Management: Cannot manage company-wide modules or integrations
Ideal For: Project managers, team leaders, department supervisors, client relationship managers
Admin (Administrative Role)
Permission Level: Platform administration
Typical Users: IT administrators, operations managers, senior staff
Access Capabilities
- Platform Settings: Access to most platform settings and configurations
- User Management: User management and role assignment (except Full Access role)
- System Configuration: System configuration and customization
- Business Data: Access to all projects, clients, and business data
- Analytics: Comprehensive reporting and analytics access
- Integrations: Email and integration management
- Module Control: Module activation and deactivation
Access Restrictions
- Full Access Users: Cannot create other Full Access users
- System-Level Functions: Limited access to certain system-level functions
- Financial Controls: May not have access to all financial controls
- Backup Operations: Cannot perform certain backup/restore operations
Ideal For: System administrators, operations managers, senior supervisors, IT support staff
Full Access (Highest Permission Level)
Permission Level: Complete platform access
Typical Users: Company owners, executive leadership, system owners
Access Capabilities
- Unrestricted Access: Unrestricted access to all platform functionality
- Complete User Management: Complete user management including role assignments
- System-Level Configuration: System-level configuration and maintenance
- All Business Data: All financial and business data access
- System Maintenance: Backup, restore, and system maintenance operations
- Complete Settings: Complete settings and integration management
- Security Access: Audit trail and security log access
Access Restrictions
No Restrictions: Full Access role has complete system access with no functional limitations.
Security Note: Full Access should be limited to company owners and primary system administrators due to unrestricted access capabilities.
Ideal For: Company owners and executives, primary system administrators, senior management, business owners
User Account Configuration
Account Management: Configure user accounts through Team Members → [User] → Account Settings tab, with comprehensive control over user access and security.
Account Settings Interface
Navigation Path
Team Members → [Select User] → Account Settings tab
Interface Elements
- Basic Account Information: Edit user details and contact information
- Role Assignment Controls: Manage user permission levels
- Account Status Management: Control login and activity status
- Password Management: Reset and update user passwords
- Save Functionality: Apply all configuration changes
Basic Account Information
Email Configuration
Example: ajpoliters@gmail.com
- Purpose: Primary login credential and communication address
- Requirements: Valid email format, unique across platform
- Impact: Changes affect login and email notifications
Email Configuration Steps
- Navigate to user's account settings
- Update email address in email field
- Verify email format is correct
- Save changes
- User should verify email access for notifications
Password Management
- Password Field: Secure password input (masked)
- Retype Password: Confirmation field for security
- Security: Passwords are encrypted and securely stored
Password Best Practices:
- Minimum 8 characters recommended
- Include uppercase, lowercase, numbers, and symbols
- Avoid common words or personal information
- Regular password updates recommended
Role Assignment Management
Role Selection Interface
- Control Type: Dropdown selector
- Available Options: All four role types
- Current Selection: Displays user's current role
- Purpose: Assign appropriate permission level to user
Role Assignment Process
- Assess User Needs: Determine appropriate role based on job function
- Select Role: Choose from dropdown menu
- Consider Impact: Review permissions being granted or removed
- Apply Changes: Save configuration to activate new role
- Verify Access: Confirm user has appropriate access
Role Change Considerations
- Permission Inheritance: Higher roles include all lower role permissions
- Immediate Effect: Changes apply immediately after saving
- Session Impact: User may need to log out and back in
- Training Needs: Users may need training for expanded access
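The role-assignment rules above can be enforced and logged server-side rather than relying on the dropdown alone. The sketch below is an added example, not EcoHexagon's code: `deny_reason` and `change_role` are hypothetical names, and the rule that an Admin cannot alter an existing Full Access account is an assumption beyond what the page states.

```python
from datetime import datetime, timezone

# Role ranks taken from the page's hierarchy (Level 1 to Level 4).
RANK = {"Team Member": 1, "Project Manager": 2, "Admin": 3, "Full Access": 4}


def deny_reason(actor_role, target_role, new_role, reason):
    """Return why a role change is refused, or None if it is allowed."""
    if not all(r in RANK for r in (actor_role, target_role, new_role)):
        return "unknown role"
    # Matrix: only Admin (limited) and Full Access (complete) assign roles.
    if RANK[actor_role] < RANK["Admin"]:
        return f"{actor_role} has no Role Assignment permission"
    # Page rule: Admin role assignment excludes the Full Access role.
    if actor_role == "Admin" and new_role == "Full Access":
        return "Admin cannot grant Full Access"
    # Assumption (not stated on the page): Admin cannot change an
    # existing Full Access account, e.g. demote the owner.
    if actor_role == "Admin" and target_role == "Full Access":
        return "Admin cannot modify a Full Access account"
    # Workflow step "Document Change: Record reason for role change".
    if not reason.strip():
        return "a reason for the change is required"
    return None


def change_role(actor_role, target_role, new_role, reason, audit_log):
    """Decide the change and log it either way; return True if applied."""
    denied = deny_reason(actor_role, target_role, new_role, reason)
    audit_log.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "actor_role": actor_role,
        "from": target_role,
        "to": new_role,
        "allowed": denied is None,
        "denied_because": denied,
        # Flag grants of a higher role so reviews can focus on them.
        "escalation": denied is None and RANK[new_role] > RANK[target_role],
        "reason": reason.strip(),
    })
    return denied is None
```

Refused attempts are written to the log as well, so repeated attempts to grant Full Access show up in the permission-change review.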
Account Status Controls
Login Status Management
Disable Login Checkbox
Purpose: Temporarily prevent user access without deleting account
Use Cases for Disabling Login
- Temporary Suspension: Short-term access restriction
- Leave of Absence: Extended time away from work
- Security Concerns: Potential security incident investigation
- Account Under Review: Account maintenance or evaluation
Activity Status Management
Mark as Inactive Checkbox
Purpose: Set user account to inactive status while preserving data
Status Control Differences
Disable Login
- Prevents access to platform
- Keeps user "active" in system
- Maintains data associations
- Reversible by unchecking
Mark Inactive
- Changes user status to inactive
- Affects reporting and visibility
- User data remains accessible
- System treats as inactive user
Comprehensive Permission Matrix
Permission Overview: Detailed access control matrix showing exactly what each role can access across all platform modules and administrative functions.
Module Access Permissions
| Module/Feature | Team Member | Project Manager | Admin | Full Access |
|---|---|---|---|---|
| Dashboard | Personal view | Project view | Company view | Complete access |
| Projects | Assigned only | Managed projects | All projects | All projects |
| Tasks | Personal tasks | Project tasks | All tasks | All tasks |
| Clients | View only | Project clients | All clients | All clients |
| Invoices | No access | Project invoices | All invoices | All invoices |
| Orders | No access | Project orders | All orders | All orders |
| Contracts | No access | View only | Manage all | Manage all |
| Estimates | No access | Project estimates | All estimates | All estimates |
| Team Members | View only | Project team | All users | All users |
| Reports | Personal only | Project reports | All reports | All reports |
| Settings | No access | No access | Most settings | All settings |
| File Manager | Personal files | Project files | All files | All files |
| Messages | Personal | Team messages | All messages | All messages |
Administrative Functions Matrix
| Administrative Function | Team Member | Project Manager | Admin | Full Access |
|---|---|---|---|---|
| User Management | β | β | β | β |
| Role Assignment | β | β | β Limited | β Complete |
| System Settings | β | β | β | β |
| Integration Configuration | β | β | β | β |
| Email Settings | β | β | β | β |
| Module Management | β | β | β | β |
| Permission Configuration | β | β | β | β |
| Backup/Restore | β | β | β | β |
| System Maintenance | β | β | β | β |
| Security Logs | β | β | β Limited | β Complete |
Legend:
- β - Full access to function
- β Limited - Restricted access (some limitations apply)
- β - No access to function
Permission Workflows & Security Management
User Creation & Setup Workflow
New User Setup Process
- Plan User Role: Determine appropriate permission level
- Navigate to Team Members: Access user management section
- Add New Member: Click "Add Member" or similar button
- Enter Basic Information:
  - Full name
  - Email address
  - Initial password
- Assign Role: Select appropriate role from dropdown
- Configure Account Status: Set login and activity status
- Save Configuration: Apply user settings
- Communicate Credentials: Securely share login information
- Provide Training: Orient user to their access level and responsibilities
Initial User Training Checklist
- Platform Login: Platform login and navigation
- Role-Specific Access: Role-specific feature access
- Available Modules: Available modules and tools
- Reporting: Reporting capabilities
- Communication: Communication channels
- Support Resources: Support and help resources
Permission Modification Workflow
Changing User Roles
- Assess Need for Change: Determine why role change is needed
- Access User Account: Navigate to Team Members → User → Account Settings
- Review Current Permissions: Understand current access level
- Select New Role: Choose appropriate new role from dropdown
- Consider Impact:
  - What access is being gained?
  - What access is being lost?
  - Does user need training?
- Apply Changes: Save new role configuration
- Verify Access: Confirm user has appropriate new permissions
- Provide Training: Train user on new capabilities if applicable
- Document Change: Record reason for role change
Permission Troubleshooting
User Cannot Access Feature
- Verify user's role includes required permissions
- Check if related module is enabled
- Confirm user's account status is active
- Verify feature is available in current plan
User Has Too Much Access
- Review user's role assignment
- Consider changing to more restrictive role
- Disable specific permissions if needed
- Monitor user activity for compliance
Security Management Controls
Account Security Scenarios
Temporary Access Restrictions
Scenario: User needs temporary access suspension
Steps:
- Access user account settings
- Check "Disable Login" option
- Save changes
- Document reason for suspension
- Set reminder to re-enable when appropriate
Account Deactivation
Scenario: User leaving organization
Steps:
- Change role to Team Member (minimal access)
- Check "Mark as Inactive" option
- Check "Disable Login" option
- Save changes
- Transfer critical data ownership
- Document deactivation date and reason
Password Reset Process
Scenario: User forgot password or security concern
Steps:
- Access user account settings
- Generate new temporary password
- Enter password in both password fields
- Save changes
- Securely communicate new password to user
- Require user to change password on next login
Access Control Best Practices
Regular Permission Audits
- Monthly Review: Check user roles align with job functions
- Quarterly Audit: Comprehensive permission review
- Annual Assessment: Full security and access evaluation
- Change-Based Review: Review permissions when roles change
Security Monitoring
- Login Monitoring: Track user login patterns
- Permission Changes: Log all role and permission modifications
- Unusual Activity: Monitor for suspicious access patterns
- Failed Attempts: Track failed login attempts
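A periodic audit can check the Account Deactivation steps and the Full Access security note mechanically. This is an added example, not part of the platform: the record fields (`email`, `role`, `inactive`, `login_disabled`), the sample accounts and the `max_full_access` threshold are all constructed assumptions.

```python
# Constructed sample export; field names are assumptions, not a platform API.
SAMPLE_USERS = [
    {"email": "owner@example.com", "role": "Full Access",
     "inactive": False, "login_disabled": False},
    {"email": "ops@example.com", "role": "Admin",
     "inactive": False, "login_disabled": False},
    {"email": "former@example.com", "role": "Project Manager",
     "inactive": True, "login_disabled": False},
    {"email": "leave@example.com", "role": "Team Member",
     "inactive": False, "login_disabled": True},
    {"email": "gone@example.com", "role": "Team Member",
     "inactive": True, "login_disabled": True},
]

KNOWN_ROLES = {"Team Member", "Project Manager", "Admin", "Full Access"}


def audit_accounts(users, max_full_access=2):
    """Return (subject, finding) pairs for accounts that break the rules."""
    findings = []
    for u in users:
        if u["role"] not in KNOWN_ROLES:
            findings.append((u["email"], "unknown role"))
        if u["inactive"]:
            # Deactivation steps: minimal role, inactive, login disabled.
            if not u["login_disabled"]:
                findings.append((u["email"], "inactive but login still enabled"))
            if u["role"] != "Team Member":
                findings.append((u["email"], "inactive but role not reduced"))
    # Security Note: Full Access should stay limited to a few accounts.
    # Only accounts that can still log in count toward the limit.
    holders = sorted(u["email"] for u in users
                     if u["role"] == "Full Access" and not u["login_disabled"])
    if len(holders) > max_full_access:
        findings.append((", ".join(holders), "too many Full Access logins"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_accounts(SAMPLE_USERS):
        print(f"{subject}: {finding}")
```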
Client Portal Access Management
Client Portal Invitation System
Location: /clients/view/[client_id]
Key Features
- Invitation System: Send invitations for client portal access
- Data Visibility: Client-specific data visibility controls
- Access Tabs: Multiple access tabs for different client needs
- Integration: Client management tools integration
Client Permission Scope
Clients Can Access
- Their own project information
- Personal invoices and payment history
- Relevant documents and files
- Communication history
- Order and estimate status
Clients Cannot Access
- Other clients' information
- Internal team communications
- Administrative functions
- Sensitive business data
- System configuration settings
Security Considerations:
- Limited access - clients only see their own data
- Secure authentication with strong password requirements
- Session management with automatic logout for security
- Client data properly secured and protected
Common Permission Issues & Solutions
User Cannot See Expected Features
Possible Causes
- Insufficient role permissions
- Module not enabled
- Account status issues
- Browser/cache problems
Resolution Steps
- Verify user's role and permissions
- Check module activation status
- Confirm account is active with login enabled
- Clear browser cache and retry
- Test with different browser/device
Permission Changes Not Taking Effect
Possible Causes
- User still logged in with old session
- Browser cache issues
- System sync delays
Resolution Steps
- Ask user to log out and back in
- Clear browser cache
- Wait a few minutes for system sync
- Verify changes were saved correctly