Permissions
Understand and configure user permissions in Kuviq.
Overview
Kuviq uses a role-based access control (RBAC) system combined with location-based restrictions. This allows you to:
- Define what actions users can perform
- Control which resources users can access
- Restrict access to specific locations
- Maintain security while enabling productivity
Permission Model
Roles
Roles define the base permissions a user has:
| Role | Description |
|---|---|
| Super Admin | Complete system access including billing |
| Admin | Full operational access, no billing |
| Manager | Operational management, no configuration |
| User | Basic inspection and viewing access |
Resources
Permissions control access to these resources:
- Items - Equipment and assets
- Inspections - Inspection records and execution
- Users - User accounts and profiles
- Locations - Physical locations
- Manufacturers - Equipment manufacturers
- Item Types - Equipment categories
- Templates - Inspection templates
- Schedules - Inspection schedules
- Reports - Analytics and exports
- Settings - Organization configuration
- Admin - Administrative dashboard
Actions
For each resource, users may have different action permissions:
| Action | Description |
|---|---|
| Create | Add new records |
| Read | View existing records |
| Update | Modify records |
| Delete | Remove records |
| Execute | Perform actions (e.g., run inspections) |
| Export | Download data |
| Approve | Approve workflows |
Permission Matrix
Items
| Action | Super Admin | Admin | Manager | User |
|---|---|---|---|---|
| Create | Yes | Yes | Yes | Yes |
| Read | All | All | All | Assigned |
| Update | Yes | Yes | Yes | Own |
| Delete | Yes | Yes | No | No |
| Export | Yes | Yes | Yes | No |
Inspections
| Action | Super Admin | Admin | Manager | User |
|---|---|---|---|---|
| Create | Yes | Yes | Yes | Yes |
| Read | All | All | All | Own |
| Update | Yes | Yes | Yes | Own |
| Delete | Yes | Yes | No | No |
| Execute | Yes | Yes | Yes | Yes |
| Export | Yes | Yes | Yes | No |
Users
| Action | Super Admin | Admin | Manager | User |
|---|---|---|---|---|
| Create | Yes | Yes | No | No |
| Read | All | All | All | Own |
| Update | Yes | Yes | No | Own |
| Delete | Yes | Yes | No | No |
Configuration (Item Types, Templates, etc.)
| Action | Super Admin | Admin | Manager | User |
|---|---|---|---|---|
| Create | Yes | Yes | No | No |
| Read | Yes | Yes | Yes | Yes |
| Update | Yes | Yes | No | No |
| Delete | Yes | Yes | No | No |
Billing & Subscription
| Action | Super Admin | Admin | Manager | User |
|---|---|---|---|---|
| View | Yes | No | No | No |
| Manage | Yes | No | No | No |
Location-Based Access
How It Works
Users can be restricted to specific locations:
- When a user has location restrictions, they only see:
  - Items at their assigned locations
  - Inspections for items at their locations
  - Users at their locations
- Users without location restrictions see everything (based on role)
Setting Location Restrictions
- Navigate to Admin > Users
- Edit the user
- Under Locations, select allowed locations
- Save changes
Location Hierarchy
If you assign a parent location, the user sees:
- The parent location
- All child locations under it
Example: Assigning "Main Building" includes "Floor 1", "Floor 2", etc.
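The location rules above, modeled in Python as an added example (not Kuviq's own code). The location tree, user records and function names are constructed for illustration, and applying the location scope to Delete and Export on items is an assumption.

```python
# Added illustration of the documented rules; not Kuviq's implementation.
# Constructed location tree: child -> parent (None marks a top-level location).
PARENT = {
    "Main Building": None,
    "Floor 1": "Main Building",
    "Floor 2": "Main Building",
    "Room 101": "Floor 1",
    "Warehouse": None,
}

# Delete/Export rows of the Items matrix on this page.
ITEM_ACTIONS = {
    "Super Admin": {"Delete": True, "Export": True},
    "Admin": {"Delete": True, "Export": True},
    "Manager": {"Delete": False, "Export": True},
    "User": {"Delete": False, "Export": False},
}

def in_scope(location, assigned):
    """True if `location` is visible to a user with these assigned locations."""
    if not assigned:
        return True  # no restrictions: the role alone decides
    node = location
    while node is not None:
        if node in assigned:
            return True  # the location itself or an ancestor is assigned
        node = PARENT.get(node)  # unknown locations fall out of the loop: deny
    return False

def visible_locations(assigned):
    """Expand an assignment into every location it covers."""
    return {loc for loc in PARENT if in_scope(loc, assigned)}

def can(user, action, item_location):
    """Assumption: the role check and the location scope must both pass."""
    allowed = ITEM_ACTIONS.get(user["role"], {}).get(action, False)
    return allowed and in_scope(item_location, user["locations"])

if __name__ == "__main__":
    manager = {"role": "Manager", "locations": {"Main Building"}}
    print(sorted(visible_locations(manager["locations"])))
    print(can(manager, "Export", "Room 101"), can(manager, "Export", "Warehouse"))
    manager["locations"] = set()  # clearing every selection widens access
    print(can(manager, "Export", "Warehouse"))
```

An empty assignment is the widest scope, not the narrowest, so a user saved with no locations selected is limited only by role.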
Who Should Have Restrictions
| Scenario | Recommendation |
|---|---|
| Single site | No restrictions needed |
| Multi-site, shared management | No restrictions for managers |
| Multi-site, separate management | Restrict managers to their sites |
| Field inspectors | Restrict to their work areas |
Changing Permissions
Changing User Roles
- Go to Admin > Users
- Click on the user
- Click Edit
- Select a new role
- Save
Changes take effect immediately.
Adding Location Restrictions
- Edit the user
- Under Locations, select locations
- Save
Removing Location Restrictions
- Edit the user
- Clear all location selections
- Save
The user now has access to all locations (per their role).
Permission Inheritance
Role Hierarchy
Higher roles include lower role permissions:
Super Admin
↓
Admin (includes Manager + Admin-only)
↓
Manager (includes User + Manager-only)
↓
User (base permissions)
Self-Service Permissions
All users can always:
- View their own profile
- Edit their own profile information (name, phone, title)
- Change their own password
- View their own inspection history
They cannot:
- Change their own role
- Change their own permissions
- Change their own location restrictions
Security Considerations
Principle of Least Privilege
Grant users the minimum permissions needed:
- Start with the User role
- Add Manager if operational oversight is needed
- Use Admin only for those who configure the system
- Reserve Super Admin for billing managers
Regular Audits
Periodically review:
- Who has Admin/Super Admin access
- Users with no location restrictions
- Inactive users who still have access
- Users who have changed roles
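The review list above as a repeatable check, added here as an example (not a Kuviq feature or API). The record fields, sample users, and the 90-day inactivity and 30-day role-change windows are assumptions; the Super Admin limit of 2 comes from the Best Practices section of this page.

```python
from datetime import date, timedelta

# Constructed sample records; field names are assumptions, not Kuviq's export format.
USERS = [
    {"email": "owner@example.com", "role": "Super Admin", "locations": [],
     "last_login": date(2024, 5, 30), "role_changed": None},
    {"email": "ops@example.com", "role": "Admin", "locations": [],
     "last_login": date(2024, 1, 10), "role_changed": date(2024, 5, 20)},
    {"email": "site-a@example.com", "role": "Manager", "locations": ["Main Building"],
     "last_login": date(2024, 5, 28), "role_changed": None},
    {"email": "field@example.com", "role": "User", "locations": [],
     "last_login": date(2024, 2, 1), "role_changed": None},
]

def audit(users, today, inactive_days=90, recent_days=30, max_super_admins=2):
    """Return the accounts that match each review point on this page."""
    inactive_before = today - timedelta(days=inactive_days)
    changed_since = today - timedelta(days=recent_days)
    super_admins = [u["email"] for u in users if u["role"] == "Super Admin"]
    return {
        # Who has Admin/Super Admin access
        "elevated": [u["email"] for u in users
                     if u["role"] in ("Admin", "Super Admin")],
        # Users with no location restrictions (they see every location)
        "unrestricted": [u["email"] for u in users if not u["locations"]],
        # Inactive users who still have access
        "inactive": [u["email"] for u in users
                     if u["last_login"] < inactive_before],
        # Users whose role changed within the review window
        "role_changed": [u["email"] for u in users
                         if u["role_changed"] and u["role_changed"] >= changed_since],
        # More Super Admins than the 1-2 recommended for large organizations
        "super_admin_over_limit": len(super_admins) > max_super_admins,
    }

if __name__ == "__main__":
    for finding, value in audit(USERS, today=date(2024, 6, 1)).items():
        print(f"{finding}: {value}")
```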
Sensitive Operations
These require Admin or Super Admin:
- Deleting items or inspections
- Changing configuration
- Managing users
- Exporting data
Approval Workflows
For additional oversight on sensitive operations, you can configure approval workflows. These require designated approvers to authorize actions before they are executed.
Common use cases:
- Deleting high-value items
- Removing user accounts
- Changing inspection templates
See Approval Workflows for configuration details.
Troubleshooting
User Can't Access a Feature
- Check their role has the permission
- Check location restrictions aren't blocking access
- Verify the feature is available on your plan
User Sees Too Much Data
- Add location restrictions
- Consider changing to a lower role
- Review what data is at their assigned locations
Permission Changes Not Working
- Have the user refresh their browser
- Have them log out and back in
- Check the change was saved correctly
Best Practices
For Small Teams
- Use Admin for owners/managers
- Use Manager for supervisors
- Use User for inspectors
- Location restrictions are usually not needed
For Large Organizations
- Limit Super Admin to 1-2 people
- Use Admin sparingly
- Assign Managers to departments
- Use location restrictions for site separation
For Compliance
- Document who has elevated access
- Audit permissions quarterly
- Remove access promptly when roles change
- Use location restrictions for data segregation
Next Steps
- Users - Managing user accounts
- Locations - Setting up location hierarchy
- Roles - Detailed role descriptions
- Approval Workflows - Require approval for sensitive actions