Role-Based Access Control (RBAC) Documentation
1. Overview
This document explains the Role-Based Access Control (RBAC) initialization process implemented in the initialize_tenant_rbac function.

The system automatically sets up:
- RBAC Categories
- Modules
- Permissions
- Roles
- Default Administrator User
- Default Rate Codes (via core-service API)
When a new tenant is created, this method ensures a fully functional access control system.
2. RBAC Architecture
The RBAC system follows this hierarchy:
- Category
- Module
- Permission (view/create/edit/delete)
- Role
- User
3. RBAC Categories
Modules are grouped into categories for plan-based access control.
Categories Available:
| Category Name | Purpose |
|---|---|
| General | Core system modules |
| Integration | API & external integration modules |
| Time | Time tracking & payroll modules |
| Schedule | Scheduling system |
| WBS | Work Breakdown Structure |
| Budget | Budget management |
| Analytical | Reporting & analytics modules |
If rbac_category_ids is:
- Provided → Only selected category modules are seeded.
- Empty / None → Only General category modules are seeded.
4. RBAC Modules
Each module belongs to a category and contains permissions.
General Category Modules
- Users
- Dashboard
- Administration
- Configuration
- Business Partner
- Employee
- Permissions
- Employee Rate
- Job
- Phases
- Cost Codes
- Units
- Dynamic Fields
- Message Templates
- Workflow
- Task Schedulers
- Divisions
- Branches
- Departments
- RBAC Modules
- RBAC Permissions
- RBAC Roles
- Audit Logs
- Expanse
Integration Category Modules
- API Keys and Logs
- Integrations
Time Category Modules
- Real Time
- Manual Time
- Time Sheet
- Time Sheet Pay Entry
- Time Editor
- Time Process
- Time Setup
- Payroll Reports
Schedule Category Modules
- Schedule
WBS Category Modules
- WBS
- WBS Setup
Budget Category Modules
- Budget
Analytical Modules
- Time Analytical
- WBS Analytical
- Budget Analytical
- Schedule Analytical
5. Permissions Structure
Each module gets standard CRUD permissions:
Example:
For Users module:
- users_view
- users_create
- users_edit
- users_delete
For Job module:
- job_view
- job_create
- job_edit
- job_delete
Reports generally have:
- view-only permission
6. Roles Created
The system automatically creates the following roles:
1. Administrator
Description: Full system access
- All permissions across all modules
- Complete system control
2. HR
Description: HR Manager
Typical access includes:
- Employee management
- Time setup
- Schedule management
3. Manager
Description: Business/Project Manager
Typical access includes:
- WBS
- Dashboard
- Project-related modules
4. Supervisor
Description: Site/Operational Supervisor
Typical access:
- WBS view/edit
- Dashboard view
5. Staff
Description: Office Staff
Limited access:
- View modules
- Reports
6. Worker
Description: Field Worker
Very restricted access:
- Assigned tasks
- Personal information
7. Admin User Creation
If the admin email does not exist:
- A secure 16-character password is generated
- Administrator role is assigned
- User is created automatically
If admin already exists:
- User creation is skipped
8. Secure Password Generation
Password rules:
- Minimum 16 characters
- Includes:
- Uppercase
- Lowercase
- Numbers
- Special characters
Uses the secrets module for cryptographic randomness.
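The category selection rule (section 3), the permission naming scheme (section 5) and the password rules (section 8) as one added Python example. This is illustrative code written for this document, not the project's initialize_tenant_rbac implementation: the module catalogue is a constructed subset, and the rule that report modules are those ending in "Reports" or "Analytical" is an assumption.

```python
import secrets
import string

# Constructed subset of the module catalogue described in sections 3 and 4.
MODULES_BY_CATEGORY = {
    "General": ["Users", "Job", "Audit Logs"],
    "Integration": ["API Keys and Logs", "Integrations"],
    "Time": ["Time Sheet", "Payroll Reports"],
    "Analytical": ["Time Analytical", "WBS Analytical"],
}
CRUD_ACTIONS = ("view", "create", "edit", "delete")


def is_report(module: str) -> bool:
    """Assumed rule: report modules get a view-only permission (section 5)."""
    return module.endswith("Reports") or module.endswith("Analytical")


def permission_names(module: str) -> list:
    """Derive permission codes from a module name, e.g. 'Users' -> 'users_view'."""
    slug = module.lower().replace(" ", "_")
    actions = ("view",) if is_report(module) else CRUD_ACTIONS
    return [f"{slug}_{action}" for action in actions]


def seed_plan(rbac_category_ids=None) -> dict:
    """Modules and permissions to seed: selected categories, or General only if empty/None."""
    selected = rbac_category_ids or ["General"]
    unknown = set(selected) - set(MODULES_BY_CATEGORY)
    if unknown:  # reject typos rather than silently seeding nothing for that category
        raise ValueError(f"unknown RBAC categories: {sorted(unknown)}")
    plan = {}
    for category in selected:
        for module in MODULES_BY_CATEGORY[category]:
            plan[module] = permission_names(module)
    return plan


def generate_admin_password(length: int = 16) -> str:
    """Cryptographically random password containing every required character class."""
    if length < 16:
        raise ValueError("password must be at least 16 characters")
    classes = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)
    chars = [secrets.choice(cls) for cls in classes]  # one guaranteed char per class
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so the class-guaranteed chars are not always first
    return "".join(chars)
```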