RBAC Permission Matrix

Role-Based Access Control (RBAC) defines what actions each user role can perform on system resources.

Permission Format

resource:action:scope
  • resource: The system entity (user, pond, device, etc.)
  • action: What operation (read, create, update, delete, control, *)
  • scope: Data visibility level
    • system - Platform-wide (Super Admin only)
    • all - All data within organization
    • own - Only data created by user
    • assigned - Only resources explicitly assigned to user

Roles Overview

Role ID Description
Super Admin ...000001 Platform operator (HMP staff) - full system access
Admin ...000002 Organization manager - manages users, settings, all org data
Owner ...000003 Pond owner/supervisor - manages assigned ponds, records data
Staff ...000004 Field worker - records daily logs, growth measurements
Technical ...000005 Device technician - installs and maintains IoT devices

Permission Matrix by Resource

User Management

Action Super Admin Admin Owner Staff Technical
View all users
View org users
Create users
Update users
Delete users

Role Management

Action Super Admin Admin Owner Staff Technical
View roles
Create roles
Update roles
Delete roles

Organization

Action Super Admin Admin Owner Staff Technical
View any org
View own org
Update own org
Delete org

Farm Areas

Action Super Admin Admin Owner Staff Technical
View all areas
View assigned areas
Create areas
Update areas
Delete areas

Ponds

Action Super Admin Admin Owner Staff Technical
View all ponds
View assigned ponds
Create ponds
Update ponds
Delete ponds

Farming Cycles

Action Super Admin Admin Owner Staff Technical
View cycles
Create cycles
Update cycles
Delete cycles
Complete cycles

Daily Logs

Action Super Admin Admin Owner Staff Technical
View logs
Create logs
Update logs
Delete logs

Growth Records

Action Super Admin Admin Owner Staff Technical
View records
Create records
Update records
Delete records

IoT Devices

Action Super Admin Admin Owner Staff Technical
View all devices
View assigned devices
Create devices
Configure devices
Delete devices
Control devices

Inventory

Action Super Admin Admin Owner Staff Technical
View inventory
Manage items
View transactions
Create transactions

Warehouses

Action Super Admin Admin Owner Staff Technical
View warehouses
Manage warehouses

Suppliers

Action Super Admin Admin Owner Staff Technical
View suppliers
Manage suppliers

Financial

Action Super Admin Admin Owner Staff Technical
View financials
Record expenses
Record revenues
Delete records

Reports

Action Super Admin Admin Owner Staff Technical
View all reports
View assigned reports

Species

Action Super Admin Admin Owner Staff Technical
View species
Manage species

Role Responsibilities

Super Admin (Platform Operator)

Who: HMP IoT staff managing the entire platform
Can do:

  • Access any organization in the system
  • Create/delete organizations
  • Manage all users across the platform
  • Full access to all resources system-wide

Admin (Organization Manager)

Who: Farm owner or general manager of the organization
Can do:

  • Manage users within their organization
  • Create and configure areas, ponds, devices
  • Manage inventory, warehouses, suppliers
  • Record and view all financial data
  • Access all reports

Owner (Pond Owner/Supervisor)

Who: Individual pond owner or supervisor responsible for specific ponds
Can do:

  • View and update their assigned ponds
  • Create and manage farming cycles for assigned ponds
  • Record daily logs and growth measurements
  • View inventory and request stock usage
  • Record operational expenses and revenues
  • Cannot: Access financial data of other owners, manage users

Staff (Field Worker)

Who: Daily worker performing pond operations
Can do:

  • View assigned ponds and areas
  • Record daily logs and growth measurements
  • View inventory levels
  • Cannot: Access financial data, manage cycles, configure devices

Technical (Device Technician)

Who: IoT device installer and maintenance technician
Can do:

  • View all areas and ponds (to locate devices)
  • View all devices in the organization
  • Configure and update device settings
  • Cannot: Record farm data, access financial/inventory

Scope Hierarchy

system > all > own > assigned
  • Users with higher scope automatically have access to lower scopes
  • * wildcard in action means all actions (read, create, update, delete)
  • assigned scope uses assignedResources array in user_roles table

Implementation Notes

  1. Multi-tenant isolation: All roles except Super Admin are restricted to their organization
  2. Assigned resources: Owner and Staff roles are further filtered by assignedResources (pond IDs)
  3. Permission evaluation: Uses AuthorizationPolicyService.hasPermission() method
  4. Database: Permissions stored as JSONB in roles.permissions column