Skip to main content

Permissions and scoping

This page is the look-up reference for Erde authorization: the global-role-by-action matrix, the rules for Project-scoped versus Site-scoped data, and how locking an aggregate affects writes. For the model behind these tables, see Users, roles, and permissions.

Authorization combines two independent layers. A global role on the user account gates whole API endpoints; a per-Site or per-Project membership role gates reads and writes on individual records. Both must pass.

Global roles

Every account holds exactly one global role, required at creation. The wire and storage value is the code; the interface shows the label.

Role codeLabel
AdminAdministrator
DataManagerData Manager
ManagerManager
StaffStaff

All four roles are internal users — they belong to the RequireInternalUser policy set.

Administrator and Data Manager carry a global-admin bypass: they can view, add, edit, and manage every Site and Project without a membership row. Deleting a Site or Project aggregate is reserved for Administrator alone.

Endpoint policies

Whole API endpoints are gated by one of four named policies, each mapped to a fixed set of global roles.

PolicyRoles allowedGates
RequireAdminAdministratorSystem settings, client configuration, admin dashboard, system audit log, demo-data seeding
CanManageUsersAdministratorCreating accounts, assigning global roles, locking, deleting, resetting passwords
RequireDataStewardAdministrator, Data ManagerReference data, Data Management Plans (DMPs)
RequireInternalUserAdministrator, Data Manager, Manager, StaffReading business and vendor data (laboratories, organizations)

CanManageUsers resolves to the same role set as RequireAdmin today, but stays a distinct policy because it expresses a different concern — user administration — and may diverge later.

Write access to system catalog entities (Equipment, Contact, Organization, Laboratory) is not one of the four named policies. It is granted to Administrator, Data Manager, and Manager through a server-side guard, which is what backs the Manager column on the "Write system catalog entities" row of the permissions matrix.

Permissions matrix

Actions are rows; global roles are columns. Yes means the global role grants the action on its own. Scoped means the action additionally requires the matching per-Site or per-Project membership role (see Scope rules). means not granted.

ActionAdminData ManagerManagerStaff
System settings, admin dashboard, audit log, demo seedYes
Create accounts, assign roles, reset passwordsYes
Manage reference data, screening programs, DMPsYesYes
Read business and vendor data (labs, organizations)YesYesYesYes
Write system catalog entities (Equipment, Contact, Organization, Laboratory)YesYesYes
Create a Site or Project aggregateYesYes
Delete a Site or Project aggregateYes
Toggle a Site or Project lockYesYes
Manage Project–Site links and ProgramsYesYes
Validate project dataYesYes
View site infrastructure dataYesYesScopedScoped
Add site infrastructure dataYesYesScopedScoped
Edit site infrastructure dataYesYesScopedScoped
Manage a site's membershipYesYesScopedScoped
View project dataYesYesScopedScoped
Add project dataYesYesScopedScoped
Edit project dataYesYesScopedScoped
Manage a project's membershipYesYesScopedScoped

Validating project data requires both data-steward access — the RequireDataSteward role set (Administrator or Data Manager) — and Editor-or-higher membership on the project; a global-admin bypass (held by both Administrator and Data Manager) covers the membership half. Manager and Staff have no global-admin bypass — every scoped action they take comes entirely from a membership row.

Scope rules

Domain records belong to a Site or a Project. Membership grants a tiered role on that scope; each tier includes everything the lower tiers can do.

ScopeCoversViewAddEditManage membership
SiteSite infrastructure: Locations, Wells, Boreholes, Test Pits, Sediment Cores, plus field-monitoring data: Water Levels, Well Purges, Field Parameters, logger streamsViewerContributorEditorSite Manager
ProjectProject data: Samples, Lab Analyses, Lab ReportsViewerContributorEditorProject Manager

The two scopes are intentionally asymmetric, because field data must reference the Site it was collected at:

Holding this roleGrants on its own scopeGrants on the other scope
A Site roleView and modify Site infrastructureNo access to project data at the Site
A Project roleView and modify project dataView-only on infrastructure of any linked Site
A Project Contributor or higherView and modify project dataView and add infrastructure at any linked Site

A Project Contributor can therefore add a needed Location at a linked Site without holding a separate Site Editor role; Viewer project roles do not gain this. Access reached through a Project never works in reverse — a Site role does not grant access to any Project.

Locking effects

Every Site and Project aggregate carries an IsLocked flag (default off). Locking freezes all writes to that aggregate and every record scoped to it; reads are unaffected. Locked records still appear and export normally.

AspectBehavior when locked
ReadsUnaffected — records remain visible and exportable
Create, edit, or delete scoped recordsBlocked; the API returns 409 Conflict
Who may toggle the lockAdministrator or Data Manager only
How the flag is setOnly through dedicated Lock and Unlock actions, never a normal save

The enforcement runs at the database boundary, so any write that touches a record under a locked Site or Project is rejected before it reaches the database — regardless of which screen or import path attempted it. The IsLocked flag is deliberately absent from the Save forms; it changes only through the Lock and Unlock actions. Lock state is independent of permission: a user who may otherwise edit a record still cannot write to it while its Site or Project is locked.

warning

Locking a Site or Project blocks all edits, additions, and deletions to its data until an Administrator or Data Manager unlocks it. Manager-tier roles can edit data but cannot freeze it.