RBAC Permission Matrix
Role-Based Access Control (RBAC) defines what actions each user role can perform on system resources.
resource:action:scope
- resource: The system entity (user, pond, device, etc.)
- action: What operation (read, create, update, delete, control, *)
- scope: Data visibility level
system - Platform-wide (Super Admin only)
all - All data within organization
own - Only data created by user
assigned - Only resources explicitly assigned to user
Roles Overview
| Role |
ID |
Description |
| Super Admin |
...000001 |
Platform operator (HMP staff) - full system access |
| Admin |
...000002 |
Organization manager - manages users, settings, all org data |
| Owner |
...000003 |
Pond owner/supervisor - manages assigned ponds, records data |
| Staff |
...000004 |
Field worker - records daily logs, growth measurements |
| Technical |
...000005 |
Device technician - installs and maintains IoT devices |
Permission Matrix by Resource
User Management
| Action |
Super Admin |
Admin |
Owner |
Staff |
Technical |
| View all users |
✅ |
❌ |
❌ |
❌ |
❌ |
| View org users |
✅ |
✅ |
❌ |
❌ |
❌ |
| Create users |
✅ |
✅ |
❌ |
❌ |
❌ |
| Update users |
✅ |
✅ |
❌ |
❌ |
❌ |
| Delete users |
✅ |
✅ |
❌ |
❌ |
❌ |
Role Management
| Action |
Super Admin |
Admin |
Owner |
Staff |
Technical |
| View roles |
✅ |
✅ |
❌ |
❌ |
❌ |
| Create roles |
✅ |
✅ |
❌ |
❌ |
❌ |
| Update roles |
✅ |
✅ |
❌ |
❌ |
❌ |
| Delete roles |
✅ |
✅ |
❌ |
❌ |
❌ |
Organization
| Action |
Super Admin |
Admin |
Owner |
Staff |
Technical |
| View any org |
✅ |
❌ |
❌ |
❌ |
❌ |
| View own org |
✅ |
✅ |
✅ |
❌ |
❌ |
| Update own org |
✅ |
✅ |
❌ |
❌ |
❌ |
| Delete org |
✅ |
✅ |
❌ |
❌ |
❌ |
Farm Areas
| Action |
Super Admin |
Admin |
Owner |
Staff |
Technical |
| View all areas |
✅ |
✅ |
❌ |
❌ |
✅ |
| View assigned areas |
❌ |
❌ |
✅ |
✅ |
❌ |
| Create areas |
✅ |
✅ |
❌ |
❌ |
❌ |
| Update areas |
✅ |
✅ |
❌ |
❌ |
❌ |
| Delete areas |
✅ |
✅ |
❌ |
❌ |
❌ |
Ponds
| Action |
Super Admin |
Admin |
Owner |
Staff |
Technical |
| View all ponds |
✅ |
✅ |
❌ |
❌ |
✅ |
| View assigned ponds |
❌ |
❌ |
✅ |
✅ |
❌ |
| Create ponds |
✅ |
✅ |
❌ |
❌ |
❌ |
| Update ponds |
✅ |
✅ |
✅ |
❌ |
❌ |
| Delete ponds |
✅ |
✅ |
❌ |
❌ |
❌ |
Farming Cycles
| Action |
Super Admin |
Admin |
Owner |
Staff |
Technical |
| View cycles |
✅ |
✅ |
✅ |
✅ |
❌ |
| Create cycles |
✅ |
✅ |
✅ |
❌ |
❌ |
| Update cycles |
✅ |
✅ |
✅ |
❌ |
❌ |
| Delete cycles |
✅ |
✅ |
✅ |
❌ |
❌ |
| Complete cycles |
✅ |
✅ |
✅ |
❌ |
❌ |
Daily Logs
| Action |
Super Admin |
Admin |
Owner |
Staff |
Technical |
| View logs |
✅ |
✅ |
✅ |
❌ |
❌ |
| Create logs |
✅ |
✅ |
✅ |
✅ |
❌ |
| Update logs |
✅ |
✅ |
✅ |
✅ |
❌ |
| Delete logs |
✅ |
✅ |
✅ |
❌ |
❌ |
Growth Records
| Action |
Super Admin |
Admin |
Owner |
Staff |
Technical |
| View records |
✅ |
✅ |
✅ |
❌ |
❌ |
| Create records |
✅ |
✅ |
✅ |
✅ |
❌ |
| Update records |
✅ |
✅ |
✅ |
✅ |
❌ |
| Delete records |
✅ |
✅ |
✅ |
❌ |
❌ |
IoT Devices
| Action |
Super Admin |
Admin |
Owner |
Staff |
Technical |
| View all devices |
✅ |
✅ |
❌ |
❌ |
✅ |
| View assigned devices |
❌ |
❌ |
✅ |
✅ |
❌ |
| Create devices |
✅ |
✅ |
❌ |
❌ |
❌ |
| Configure devices |
✅ |
✅ |
❌ |
❌ |
✅ |
| Delete devices |
✅ |
✅ |
❌ |
❌ |
❌ |
| Control devices |
✅ |
✅ |
❌ |
❌ |
❌ |
Inventory
| Action |
Super Admin |
Admin |
Owner |
Staff |
Technical |
| View inventory |
✅ |
✅ |
✅ |
✅ |
❌ |
| Manage items |
✅ |
✅ |
❌ |
❌ |
❌ |
| View transactions |
✅ |
✅ |
✅ |
✅ |
❌ |
| Create transactions |
✅ |
✅ |
✅ |
❌ |
❌ |
Warehouses
| Action |
Super Admin |
Admin |
Owner |
Staff |
Technical |
| View warehouses |
✅ |
✅ |
✅ |
❌ |
❌ |
| Manage warehouses |
✅ |
✅ |
❌ |
❌ |
❌ |
Suppliers
| Action |
Super Admin |
Admin |
Owner |
Staff |
Technical |
| View suppliers |
✅ |
✅ |
✅ |
❌ |
❌ |
| Manage suppliers |
✅ |
✅ |
❌ |
❌ |
❌ |
Financial
| Action |
Super Admin |
Admin |
Owner |
Staff |
Technical |
| View financials |
✅ |
✅ |
✅ |
❌ |
❌ |
| Record expenses |
✅ |
✅ |
✅ |
❌ |
❌ |
| Record revenues |
✅ |
✅ |
✅ |
❌ |
❌ |
| Delete records |
✅ |
✅ |
❌ |
❌ |
❌ |
Reports
| Action |
Super Admin |
Admin |
Owner |
Staff |
Technical |
| View all reports |
✅ |
✅ |
❌ |
❌ |
❌ |
| View assigned reports |
❌ |
❌ |
✅ |
❌ |
❌ |
Species
| Action |
Super Admin |
Admin |
Owner |
Staff |
Technical |
| View species |
✅ |
✅ |
✅ |
✅ |
✅ |
| Manage species |
✅ |
✅ |
❌ |
❌ |
❌ |
Role Responsibilities
Who: HMP IoT staff managing the entire platform
Can do:
- Access any organization in the system
- Create/delete organizations
- Manage all users across the platform
- Full access to all resources system-wide
Admin (Organization Manager)
Who: Farm owner or general manager of the organization
Can do:
- Manage users within their organization
- Create and configure areas, ponds, devices
- Manage inventory, warehouses, suppliers
- Record and view all financial data
- Access all reports
Owner (Pond Owner/Supervisor)
Who: Individual pond owner or supervisor responsible for specific ponds
Can do:
- View and update their assigned ponds
- Create and manage farming cycles for assigned ponds
- Record daily logs and growth measurements
- View inventory and request stock usage
- Record operational expenses and revenues
- Cannot: Access financial data of other owners, manage users
Staff (Field Worker)
Who: Daily worker performing pond operations
Can do:
- View assigned ponds and areas
- Record daily logs and growth measurements
- View inventory levels
- Cannot: Access financial data, manage cycles, configure devices
Technical (Device Technician)
Who: IoT device installer and maintenance technician
Can do:
- View all areas and ponds (to locate devices)
- View all devices in the organization
- Configure and update device settings
- Cannot: Record farm data, access financial/inventory
Scope Hierarchy
system > all > own > assigned
- Users with higher scope automatically have access to lower scopes
* wildcard in action means all actions (read, create, update, delete)
assigned scope uses assignedResources array in user_roles table
Implementation Notes
- Multi-tenant isolation: All roles except Super Admin are restricted to their organization
- Assigned resources: Owner and Staff roles are further filtered by
assignedResources (pond IDs)
- Permission evaluation: Uses
AuthorizationPolicyService.hasPermission() method
- Database: Permissions stored as JSONB in
roles.permissions column