Roles & Permissions Matrix
1. What is this? (Overview)
This document is a consolidated reference of all roles and their associated permissions in the system. It covers both global roles (system-wide) and the default location-scoped roles, and is intended to help stakeholders quickly understand what each role can and cannot do. All roles and permissions described here are currently active in production.
2. Who does this apply to? (Scope & Audience)
This reference applies to all staff users of the system. It covers two distinct scopes:
- Global roles — Apply across all locations. Users with a global role access the system through the Admin View.
- Location roles — Apply only within the specific location where they are assigned. A user may hold a different role at each location they belong to.
The Parent role is excluded from this reference, as it belongs to the parent portal and operates under a separate authentication guard.
3. Rules & Constraints
- Superadmin bypasses all permission checks. Any permission gate in the system is automatically satisfied for a Superadmin user. This role is the only immutable system role.
- Admin holds all permissions except manage_roles. This prevents Admins from modifying role structures or escalating permissions.
- Role assignment is hierarchical. A user can only assign roles that carry fewer permissions than their own. Superadmins are exempt.
- A role cannot be deleted while assigned to any employee, including inactive ones.
- Location roles only expose location-scoped permissions. System-wide permissions cannot be added to a location role.
- All roles, except Superadmin, can be edited or deleted when unassigned.
4. Reference Table
Global Roles
| Permission | Superadmin | Admin |
|---|---|---|
| Role & User Management | | |
| manage_roles — Create, edit, delete roles | ✅ | ❌ |
| assign_roles — Assign roles to users | ✅ | ✅ |
| view_employees — View employee list | ✅ | ✅ |
| manage_employees — Manage employee records | ✅ | ✅ |
| create_employees — Add new employees | ✅ | ✅ |
| update_employees — Edit employee details | ✅ | ✅ |
| delete_employees — Remove employees | ✅ | ✅ |
| impersonate_users — Impersonate any user | ✅ | ❌ |
| Location Management | | |
| manage_locations — Manage all locations | ✅ | ✅ |
| create_locations — Add new locations | ✅ | ✅ |
| update_locations — Edit location details | ✅ | ✅ |
| delete_locations — Remove locations | ✅ | ✅ |
| access_all_locations — Access any location | ✅ | ✅ |
| manage_locations_access — Manage location membership | ✅ | ✅ |
| Insurance & Billing | | |
| manage_insurances — Manage insurance companies | ✅ | ✅ |
| create_insurances — Add insurance records | ✅ | ✅ |
| update_insurances — Edit insurance records | ✅ | ✅ |
| manage_claims — Manage insurance claims | ✅ | ✅ |
| view_invoices — View invoices | ✅ | ✅ |
| update_invoices — Edit invoices | ✅ | ✅ |
| delete_invoices — Delete invoices | ✅ | ✅ |
| Workspaces | | |
| view_workspaces — View workspace list | ✅ | ✅ |
| show_workspace — View workspace details | ✅ | ✅ |
| delete_workspaces — Delete workspaces | ✅ | ✅ |
| export_workspaces — Export workspaces to PDF | ✅ | ✅ |
| Tickets | | |
| manage_tickets — Manage all tickets | ✅ | ✅ |
| create_tickets — Submit tickets | ✅ | ✅ |
| Administration | | |
| use_admin_tools — Access Administration section | ✅ | ✅ |
| audit_system — View system logs & login sessions | ✅ | ✅ |
| access_admin_view — Access Admin View | ✅ | ✅ |
Default Location Roles
The table below reflects the default permission set for each location role. Since all location roles can be customized per location, actual permissions may vary.
| Permission | Owner | Manager | BCBA | RBT |
|---|---|---|---|---|
| Role & User Management | | | | |
| manage_roles | ✅ | ❌ | ❌ | ❌ |
| assign_roles | ✅ | ❌ | ❌ | ❌ |
| view_employees | ✅ | ✅ | ❌ | ❌ |
| manage_employees | ✅ | ✅ | ❌ | ❌ |
| create_employees | ✅ | ✅ | ❌ | ❌ |
| update_employees | ✅ | ✅ | ❌ | ❌ |
| delete_employees | ✅ | ✅ | ❌ | ❌ |
| manage_locations_access | ✅ | ✅ | ❌ | ❌ |
| Client Management | | | | |
| view_all_clients | ✅ | ✅ | ❌ | ❌ |
| create_clients | ✅ | ✅ | ❌ | ❌ |
| update_clients | ✅ | ✅ | ❌ | ❌ |
| BIP | | | | |
| view_bips | ✅ | ✅ | ✅ | ✅ |
| manage_bips | ✅ | ✅ | ✅ | ❌ |
| export_bip | ✅ | ✅ | ❌ | ❌ |
| Notes | | | | |
| view_notes | ✅ | ✅ | ✅ | ✅ |
| view_all_notes | ✅ | ✅ | ❌ | ❌ |
| create_note_bcba | ✅ | ✅ | ✅ | ❌ |
| create_notes_rbt | ✅ | ✅ | ✅ | ✅ |
| manage_notes | ✅ | ✅ | ❌ | ❌ |
| export_notes | ✅ | ✅ | ❌ | ❌ |
| Reports | | | | |
| view_projection_report | ❌ | ✅ | ✅ | ❌ |
| Billing | | | | |
| manage_claims | ✅ | ❌ | ❌ | ❌ |
| view_invoices | ✅ | ✅ | ❌ | ❌ |
| update_invoices | ✅ | ✅ | ❌ | ❌ |
| delete_invoices | ✅ | ✅ | ❌ | ❌ |
| Parents | | | | |
| view_parents | ✅ | ✅ | ❌ | ❌ |
| create_parents | ✅ | ✅ | ❌ | ❌ |
| update_parents | ✅ | ✅ | ❌ | ❌ |
| Tickets | | | | |
| manage_tickets | ✅ | ✅ | ❌ | ❌ |
| create_tickets | ✅ | ✅ | ✅ | ✅ |
5. Common Scenarios
Scenario 1 — A BCBA who needs to review session notes from other providers.
By default, a BCBA can only view notes (view_notes) but not see notes across all employees (view_all_notes). If this is required, the Owner or Manager can edit the BCBA role at their location to add view_all_notes, or create a dedicated role (e.g., Senior BCBA) with that permission.
Scenario 2 — A clinic that needs a billing-only staff member.
Since no default role is limited strictly to billing, an Owner can create a custom location role (e.g., Billing Coordinator) with only manage_claims, view_invoices, update_invoices, and delete_invoices. This role would have no clinical permissions, keeping access tightly scoped.
Scenario 3 — A Superadmin entering a specific location. When a Superadmin selects a specific location from the location selection screen, they operate with the role assigned to them at that location — not as Superadmin. Their system-wide privileges are only active in Admin View. If they have not been assigned a role at a particular location, they will not have location-level access there.
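The rules in section 3 and the Superadmin-in-a-location behaviour of Scenario 3, modelled as an added example (not the product's own code). Permission and role names are taken from this page; the classes, the function names and the reading of "fewer permissions" as a strict subset of the assigner's permissions are assumptions of this example.

```python
GLOBAL_ONLY = frozenset({  # permissions that exist only for global roles (Global Roles table)
    "manage_locations", "create_locations", "update_locations", "delete_locations",
    "access_all_locations", "impersonate_users", "use_admin_tools", "audit_system",
    "access_admin_view"})

class Role:
    def __init__(self, name, perms, location_scoped=False, immutable=False):
        # Rule: a location role may only expose location-scoped permissions
        leaked = set(perms) & GLOBAL_ONLY
        if location_scoped and leaked:
            raise ValueError(f"global permission(s) in location role: {sorted(leaked)}")
        self.name, self.perms = name, frozenset(perms)
        self.location_scoped, self.immutable = location_scoped, immutable

class User:
    def __init__(self, name, global_role=None, location_roles=None, active=True):
        self.name, self.active = name, active
        self.global_role = global_role                      # Role used in Admin View
        self.location_roles = dict(location_roles or {})    # location -> Role

def can(user, perm, location=None):
    """Admin View (location=None) evaluates the global role; inside a location
    only the role assigned there counts, even for a Superadmin (Scenario 3)."""
    if location is None:
        role = user.global_role
        if role is not None and role.name == "Superadmin":
            return True  # Superadmin satisfies every permission gate
    else:
        role = user.location_roles.get(location)
    return role is not None and perm in role.perms

def can_assign(assigner, role, location=None):
    """Hierarchical assignment: the target role must carry a strict subset of the
    assigner's own permissions in that scope (assumed reading); Superadmin is exempt."""
    if assigner.global_role is not None and assigner.global_role.name == "Superadmin":
        return True
    own = assigner.global_role if location is None else assigner.location_roles.get(location)
    return own is not None and role.perms < own.perms

def can_delete_role(role, users):
    """Never for the immutable Superadmin role; otherwise only when no user,
    active or inactive, still holds it."""
    if role.immutable:
        return False
    return not any(u.global_role is role or role in u.location_roles.values() for u in users)

# Global roles from the table (permission list abbreviated; Admin lacks only manage_roles)
ALL_GLOBAL = GLOBAL_ONLY | {"manage_roles", "assign_roles", "view_employees", "manage_claims"}
SUPERADMIN = Role("Superadmin", ALL_GLOBAL, immutable=True)
ADMIN = Role("Admin", ALL_GLOBAL - {"manage_roles"})
```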
6. Frequently Asked Questions
- Q: Can a location role ever include global permissions like manage_locations?
  A: No. The system restricts location roles to location-scoped permissions only. Global permissions are exclusively available to global roles (Superadmin and Admin).
- Q: If the Owner role at a location is edited to remove manage_roles, can that Owner still manage roles?
  A: No. Permission checks are always evaluated against the current role definition. Removing manage_roles from the Owner role at a location immediately revokes that capability for all users holding that role there.
- Q: Who can see the full permissions of a role?
  A: Any user with manage_roles can open a role in the Roles list and see its full permission set. Hovering over a permission in the list also shows a description tooltip for context.