Understanding Roles
Roles control what actions users can perform in the system. Understanding roles is essential for managing access securely across your organization.
Why Roles Matter
Roles protect your data by ensuring users can only access and modify what they need for their job. Rather than managing permissions for each individual user and each asset, you assign a role that grants appropriate access.
Example: A contractor might have “Editor” access to specific sites they’re working on, but only “Viewer” access to historical data at other sites.
Two Permission Systems
CO2 Asset Management uses two complementary permission systems:
| System | What It Controls | Where It’s Managed |
|---|---|---|
| System Roles | Platform-wide access (admin features, user management) | User Management screen |
| Resource Roles | Access to specific estates, sites, layers | Estate/Site permissions screens |
Estate Roles
Estate roles determine what a user can do within an entire estate (property portfolio). This is the broadest permission level.
| Role | What You Can Do | Best For |
|---|---|---|
| Owner | Full control including deleting the estate | Property owner, executive decision-maker |
| Admin | Manage settings, invite users, control all sites | Facilities manager, operations director |
| Editor | Create and edit assets, upload plans, manage content | Team members creating/updating data |
| Viewer | View-only access to all estate data | Stakeholders, auditors, consultants |
When to Use Each Role
- Owner: The person ultimately responsible for the property portfolio. Rarely changed after estate creation.
- Admin: Property managers and team leads who need to invite others and manage settings.
- Editor: Anyone who needs to add or modify assets, floor plans, or other content.
- Viewer: Anyone who needs to see the data but shouldn’t change it.
Site Roles
Site roles provide more granular access to individual locations within an estate. A user can have different roles at different sites.
| Role | What You Can Do | Best For |
|---|---|---|
| Admin | Full management of the site, can add/remove users | Site supervisor, head of operations |
| Editor | Create and modify assets, floor plans, content | Team members working at this site |
| Viewer | View-only access to site data | Contractors, inspectors, visitors |
Important: Estate Access Required First
How Estate and Site Roles Interact
A user’s effective permissions are limited by their estate role:
| Estate Role | Site Role | What They Can Actually Do |
|---|---|---|
| Viewer | Editor | View only (estate role limits them) |
| Editor | Editor | Edit at this site |
| Editor | Viewer | View at this site, edit elsewhere |
| Admin | Editor | Edit at this site, admin elsewhere |
The more restrictive role wins. If someone is an Estate Viewer, they can only view - even if they’re a Site Editor.
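The capping rule above, written out as an access-review check. This is an added example, not code from CO2 Asset Management: the `Role` enum, the action names and the sample grants are constructed for illustration, and it assumes a user with no site-level grant falls back to their estate role (as the "edit elsewhere" rows suggest).

```python
from enum import IntEnum
from typing import Optional


class Role(IntEnum):
    # Ordered as in the page's hierarchy; a higher value includes the lower ones.
    NONE = 0
    VIEWER = 1
    EDITOR = 2
    ADMIN = 3
    OWNER = 4


# Minimum role per site action (action names are illustrative, not product API).
REQUIRED = {"view": Role.VIEWER, "edit": Role.EDITOR, "manage_users": Role.ADMIN}


def effective_site_role(estate: Role, site: Optional[Role]) -> Role:
    """Role a user actually holds at one site."""
    if estate == Role.NONE:
        return Role.NONE      # estate access is required before any site access
    if site is None:
        return estate         # assumption: no site grant means the estate role applies
    return min(estate, site)  # the more restrictive role wins


def can(estate: Role, site: Optional[Role], action: str) -> bool:
    return effective_site_role(estate, site) >= REQUIRED[action]


def audit(grants):
    """Flag site grants that the estate role silently caps or voids."""
    findings = []
    for user, estate, site_name, site in grants:
        if site is not None and site > estate:
            effective = effective_site_role(estate, site)
            findings.append((user, site_name, site.name, effective.name))
    return findings


# Constructed sample grants: (user, estate role, site, site role)
SAMPLE_GRANTS = [
    ("contractor", Role.VIEWER, "Site A", Role.EDITOR),  # capped to Viewer
    ("sarah", Role.EDITOR, "Site A", Role.EDITOR),
    ("sarah", Role.EDITOR, "Site B", Role.VIEWER),
    ("lead", Role.ADMIN, "Site A", Role.EDITOR),
    ("visitor", Role.NONE, "Site A", Role.VIEWER),       # no estate access at all
]
```

Running `audit` over an export of grants surfaces assignments that look broader on the site screen than they are in effect, which is where access reviews tend to be misread.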
Layer and Feature Roles
For the most granular control, you can manage access to specific visual layers (Electrical, HVAC, etc.) and advanced features.
| Role | What It Means |
|---|---|
| Admin | Full control of the layer/feature |
| Editor | Create and modify content |
| Viewer | View-only access |
| None | Explicitly denied access |
When to Use Layer Permissions
- Different teams manage different systems - HVAC team only sees HVAC layer
- Sensitive information - Hide certain layers from contractors
- Advanced features - Restrict access to specific tools
Role Hierarchy
Roles follow a clear hierarchy. Each higher role automatically includes all permissions of lower roles.
```
Owner (Most Permissions)
  ↓
Admin
  ↓
Editor
  ↓
Viewer
  ↓
None (No Access)
```
What This Means in Practice
If you grant Sarah Editor access to an estate:
- Sarah can create new assets (Editor permission)
- Sarah can edit existing assets (Editor permission)
- Sarah can view all assets (inherited from Viewer level)
If you later change Sarah to Viewer access:
- Sarah can still view all assets
- Sarah can no longer create or edit - she loses Editor permissions
Quick Reference
| Question | Answer |
|---|---|
| Who can invite users? | Estate Owners and Admins |
| Who can delete an estate? | Only the Owner |
| Can I have different roles at different sites? | Yes |
| Do I need estate access for site access? | Yes, at least Viewer |
| What happens if I have conflicting roles? | The more restrictive role wins |
Related
- Granting Access - How to invite users and assign roles
- Permission Scopes - How permissions cascade across resources