Permission Scopes
Permissions in CO2 Asset Management follow a hierarchy—from broad estate-level access down to specific sites and layers. Understanding permission scopes helps you grant the right level of access to the right people.
Why Scopes Matter
Different users need different levels of access to different parts of your estate portfolio. Rather than giving everyone access to everything, scopes let you be precise:
- A contractor working on Building A doesn’t need to see Building B
- A team lead manages multiple sites but shouldn’t see historical data from sold properties
- An auditor needs to view everything but shouldn’t modify anything
By scoping permissions carefully, you protect sensitive information and reduce mistakes from accidental changes.
The Permission Hierarchy
Permissions flow downward from broad to specific:
Estate
├── All Sites (Estate Admin can see all)
│   ├── Site 1
│   │   ├── Floor Plans (layers)
│   │   └── Assets on those plans
│   └── Site 2
│       └── Similar structure
├── Advanced Features (e.g., reports, analytics)
└── Asset Catalogues
Key concept: A user’s most restrictive role wins. If someone is an Estate Viewer, they can only view—even if you grant them Site Editor access.
Estate Scope
Estate permissions are the foundation. They determine what a user can do across your entire property portfolio.
How Estate Scope Works
When you grant someone Estate Editor access:
- They can create and edit assets at any site within that estate
- They cannot change settings or invite other users (Admin-only)
- Their access automatically extends to all current and future sites in the estate
Example: Sarah is an Estate Editor at your Main Portfolio estate. When you add a new site next month, Sarah can automatically work with assets at that new site.
Estate Access is the Gateway
Important: Every user must have at least Viewer access to the estate before they can access individual sites.
Estate Roles and Their Scope
| Role | Can Do | Typical Scope |
|---|---|---|
| Owner | Everything, including deleting the entire estate | Single person per estate |
| Admin | Manage users, settings, all sites | Operations leadership, facility managers |
| Editor | Create/edit assets at any site | Engineers, technicians, planners |
| Viewer | View all estates, sites, and assets | Stakeholders, consultants, auditors |
Site Scope
Site permissions let you vary access across different locations. A user can have different roles at different sites.
How Site Scope Works
Site permissions only work after someone has estate access. They let you customize their role at specific sites:
Example Workflow:
1. Grant Maya "Estate Viewer" access
   → She can see all sites and read their data
2. Then grant Maya "Site Editor" at Building A only
   → At Building A: she can edit assets
   → At Building B: she can only view (limited by Estate Viewer)
   → At Building C: she can only view (no special site access)
Estate Role Limits Site Role
A user’s estate role acts as a ceiling for what they can do at any site:
| Estate Role | Site Role | What They Actually Can Do |
|---|---|---|
| Viewer | Editor | View only (estate role limits) |
| Editor | Viewer | View at this site, but edit elsewhere |
| Editor | Editor | Edit at this site |
| Admin | Editor | Edit at this site, admin elsewhere |
Site Roles and Their Scope
| Role | Can Do | Best For |
|---|---|---|
| Admin | Manage site users, settings, all content | Site supervisors, site managers |
| Editor | Create/modify assets and floor plans | Team members working at this site |
| Viewer | View-only access to site data | Contractors, inspectors, occasional visitors |
Layer Scope (Advanced)
Layers are floor plans or map views within a site. You can control access to specific layers for fine-grained security.
When to Use Layer Permissions
Layer permissions are useful when:
- Different teams manage different systems - HVAC team sees only HVAC layer, Electrical team sees only Electrical layer
- Sensitive information needs protection - Hide utility or security system layers from contractors
- Regulatory compliance - Restrict access to protected areas or confidential systems
How Layer Scope Works
Layer permissions are an additional filter on top of site permissions:
User has "Site Editor" access to Building A
├── Can edit all layers (if no layer permissions set)
└── Or, if layer permissions are set:
    ├── Has "Layer Admin" on Electrical layer → can edit electrical
    ├── Has "Layer Viewer" on HVAC layer → can only view HVAC
    └── Has no access to Security Cameras layer → can't see it
Layer Roles
| Role | Can Do |
|---|---|
| Admin | Full control - view, edit, manage access |
| Editor | Create and modify content on layer |
| Viewer | View-only access |
| None | Explicitly denied (user can’t see this layer) |
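The ceiling rule from the "Estate Role Limits Site Role" table and the layer filter above can be modelled as a minimum over role ranks. This is an added example, not the product's code or API: the numeric ranking, function names and data shapes are assumptions, and a layer with no role set is assumed to fall through to the site-level result.

```python
# Added illustration. Role names come from the tables on this page; the
# ranking, function names and data shapes are assumptions, not a product API.
RANK = {"none": 0, "viewer": 1, "editor": 2, "admin": 3, "owner": 4}
NAME = {rank: name for name, rank in RANK.items()}


def effective_role(estate, site=None, layer=None):
    """Resolve the role a user actually holds on one layer of one site.

    estate: estate role, or None when the user has no estate access
    site:   role granted at this site, or None when no site role is granted
    layer:  role granted on this layer, or None when no layer role is set
    """
    if estate is None:
        return "none"  # estate access is the gateway to every site
    level = RANK[estate]
    if site is not None:
        level = min(level, RANK[site])   # estate role is the ceiling
    if layer is not None:
        level = min(level, RANK[layer])  # layer filters further; "none" denies
    return NAME[level]


def ineffective_grants(estate, site_roles):
    """Return the sites whose granted role exceeds the estate ceiling.

    These grants have no effect under the ceiling rule, which is the
    situation behind "I granted Site Editor but they can only view".
    """
    if estate is None:
        return sorted(site_roles)  # nothing applies without estate access
    return sorted(s for s, r in site_roles.items() if RANK[r] > RANK[estate])


if __name__ == "__main__":
    # Constructed sample assignment for one user.
    grants = {"Building A": "editor", "Building B": "viewer"}
    print(effective_role("viewer", grants["Building A"]))   # viewer
    print(effective_role("editor", "editor", "none"))       # none
    print(ineffective_grants("viewer", grants))             # ['Building A']
```

Running `ineffective_grants` over an export of user assignments is a quick review step for finding site roles that were granted but never take effect.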
Practical Scenarios
Scenario 1: Contractor Access (Limited to One Site)
Goal: A contractor should work on Building A’s HVAC system but not see other buildings or other systems.
How to set it up:
- Grant contractor Estate Viewer access
  - They can see the portfolio overview
  - They cannot modify anything at estate level
- Grant contractor Site Editor at Building A only
  - Now they can edit assets at Building A
  - This overrides the estate limit (Site Editor > Estate Viewer for that site)
- (Optional) Grant Layer Admin on HVAC layer
  - Use this if you want them focused only on HVAC, with other systems hidden
Result: Contractor sees Building A’s HVAC data and can make changes. They cannot see Building B at all, and cannot edit electrical or other non-HVAC systems.
Scenario 2: Team Lead (Multiple Sites, Full Control)
Goal: Sarah manages three buildings and needs to manage their teams and settings.
How to set it up:
- Grant Sarah Estate Admin access
  - This is the broadest scope: she can manage all sites
  - She can invite/remove users across all buildings
  - She can change estate-level settings
- You can also grant specific Site Admin roles for clarity
  - Redundant with Estate Admin, but helpful for audits
Result: Sarah sees all three buildings, can edit assets everywhere, can manage users at each site, and can change settings.
Scenario 3: Auditor (Read-Only Across Multiple Estates)
Goal: An external auditor needs to view data across three estate portfolios but cannot modify anything.
How to set it up:
- Grant auditor Viewer access to each estate
  - No site-specific roles needed
  - They inherit view access to all sites automatically
- Leave all other permissions as “None”
  - This prevents accidental modifications
Result: Auditor can navigate and view all estates, sites, layers, and assets. They cannot create, edit, or delete anything. Perfect for read-only reviews and reporting.
Scenario 4: Engineering Team with Restricted Layers
Goal: Your electrical team should work on electrical systems at Building A, but facility staff should see their work without editing it.
How to set it up:
For electrical engineers:
- Grant Estate Editor access
- Grant Site Editor at Building A
- Result: Can edit everything at Building A (no layer restrictions)
For facility staff:
- Grant Estate Viewer access
- Grant Site Viewer at Building A
- Grant Layer Viewer on Electrical layer only
- Grant Layer None on Security layer
- Result: They see electrical work but not security systems; they can’t edit anything
Common Questions
“Can I give someone access to two different sites?”
Yes. Grant them Estate Viewer, then add Site Editor to each site they work on.
“I granted Site Editor but they can only view. Why?”
Their estate role is probably limiting them. If they’re Estate Viewer, they can only view everywhere, even with Site Editor. Upgrade to Estate Editor.
“Do new sites automatically include people with estate access?”
Yes. If Sam is Estate Editor, when you create a new site, Sam can work there immediately.
“What if I want someone to edit at Site A but only view at Site B?”
Grant Estate Editor (so they can edit somewhere), then set Site roles:
- Site Editor at Site A → they can edit there
- Site Viewer at Site B → they can view there
Scope Summary
Use this decision tree to choose the right scope:
1. What should they do everywhere in the estate?
- View only? → Grant Estate Viewer
- Create/edit? → Grant Estate Editor
- Manage users? → Grant Estate Admin
2. Do they need site-specific customization?
- Less access at some sites? → Add Site Viewer to those sites
- Different access at different sites? → Add Site Editor or Site Admin as needed
3. Are there specific systems or layers they shouldn’t see?
- Hide a layer? → Grant Layer None (explicitly deny)
- Allow viewing only? → Grant Layer Viewer
- Let them edit? → Grant Layer Editor or Layer Admin
Related
- Understanding Roles - What each role can do
- Granting Access - How to assign permissions to users