Setting Permissions
AI-Corporate security works based on roles with permissions.
Accounts and Roles
Accounts are automatically created after a successful first login attempt. During account creation, tokens are added to the server that determine the basic role. These roles can be adjusted later by authorized administrators. The initial tokens are usually:
- Employee (yes/no): set to "yes" if the email address matches an email address on the list of employees.
- Location Admin (yes/no): initially usually set to "no" and assigned later.
- Environment Admin (yes/no): initially usually set to "no" and assigned later.
- Super Admin (yes/no): initially usually set to "no" (except for the first Super Admin) and assigned later.
Changing Roles
A Super Admin, Environment Admin, or Location Admin can assign roles, depending on their own role and the assigned permissions to manage roles. The hierarchy is typically:
- A Super Admin can assign all other roles (Environment Admin, Location Admin, Employee).
- An Environment Admin can assign roles such as Location Admin and Employee within their own environment.
- A Location Admin can assign the Employee role within their own location/scope.
- An Employee cannot assign roles.
A role change is accompanied by adjusting the relevant tokens on the server.
Permission Roles
In the admin section, a Super Admin or Environment Admin can adjust permissions per role. The available roles for which permissions can be set are: Super Admin, Environment Admin, Location Admin, Employee, and Guest.
The Guest role concerns permissions assigned to non-logged-in users. Non-logged-in users must at least be able to read the basic information of environments, otherwise no choice can be made on the login screen. Be very cautious about granting additional permissions to the Guest role!
Collections
Permissions are given per collection. A collection is a set of similar data. For example, there is a "Organizations" collection and a "Chats" collection.
Setting Permissions on the Default Database
Only Super Admins can set permissions on the default database.
Setting Permissions on the Tenant Database
After selecting a role (Super Admin, Environment Admin, Location Admin, Employee, Guest), the administrator can adjust permissions per collection on the tenant database.
Read Permissions
Read permissions concern the ability to read data from the database.
The rights can be set incrementally:
-
Single record: the user must know the unique UUID of the record
-
Own records: only records created by the user themselves
-
Shared records: records shared with the user
-
Controlled records: records under the control of a manager or administrator (e.g., Location Admin or Environment Admin), such as chats related to a specific department or project
-
Tenant records: all records of a tenant on AI-Corporate
-
All records: all records of AI-Corporate
Since the database structure is set up so that each tenant (customer) of AI-Corporate has their own database, the "Tenant records" setting is disabled when setting permissions on tenant databases.
View Permissions
Here the administrator can set whether the relevant role (Super Admin, Environment Admin, Location Admin, Employee) gets to see the tile in the admin section.
Create, Update, Delete Permissions
These permissions are for creating, updating, or deleting records and are configurable per collection. The rights can be set incrementally:
-
Own records: only records the user creates or has created
-
Tenant records: all records of a tenant on AI-Corporate
-
All records: all records of AI-Corporate
Since the database structure is set up so that each tenant (customer) of AI-Corporate has their own database, the "Tenant records" setting is disabled when setting permissions on tenant databases.