Roles and Permissions

Canopy uses a Role-Based Access Control (RBAC) system and defines a number of predefined global roles.

Global Roles

Canopy defines a number of global roles to make permission management easier within the system. The system-defined roles are as follows:


Role name | Default Permissions | Description
Administrators
  • ALL
This is the global administrator. This user can perform any action on the system and access any object, i.e. there are no restrictions. However, the administrator's activities are logged.
Technical Managers
  • project-view
  • project-edit
  • project-content-edit
  • project-create
  • phase-view
  • phase-edit
  • phase-content-edit
  • finding-comment
  • report-comment
  • reporttemplate-view
  • reporttemplate-edit
  • opportunity-view
  • opportunity-edit
  • opportunity-content-edit
  • opportunity-create
  • scope-view
  • scope-edit
  • scope-content-edit
  • sow-comment
  • sowtemplate-view
  • sowtemplate-edit
  • questionnaire-view
  • questionnaire-edit
  • methodologytemplate-view
  • methodologytemplate-edit
  • methodologytemplate-comment
  • tariff-view
  • tariff-edit
  • taxonomytemplate-view
  • taxonomytemplate-edit
  • kb-view
  • kb-edit
  • kb-approve
  • kb-add
  • kb-comment
  • company-view
  • company-edit
  • company-create
A Technical Manager is a user role that is one step down from an administrator. They are able to perform practically all operations on the system, with the exception of administration-level actions (e.g. user management).
Senior Analysts
  • project-create
  • reporttemplate-view
  • methodologytemplate-view
  • methodologytemplate-comment
  • opportunity-create
  • kb-view
  • kb-edit
  • kb-approve
  • kb-add
  • kb-comment
  • company-view
A Senior Analyst is a trusted user within the system who can perform key operations, including KB management and project creation. By default, these users can also view (readonly) companies and methodologies.
Analysts
  • kb-view
  • kb-add
  • kb-comment
  • methodologytemplate-view
  • methodologytemplate-comment
An Analyst has a reduced set of permissions and must be explicitly granted access to a company, opportunity or project before they can work on anything. They are able to perform some operations, such as
Sales Managers
  • company-view
  • company-edit
  • company-create
  • opportunity-create
  • opportunity-view
  • opportunity-edit
  • opportunity-content-edit
  • sowtemplate-view
  • sowtemplate-edit
  • questionnaire-view
  • questionnaire-edit
  • tariff-view
  • tariff-edit
A special admin-like user for managing companies and opportunities, and their related templates. However, this user has limited access to projects and other technical content.
Account Managers
  • company-create
  • opportunity-create
A user for managing companies and opportunities. No default access to projects is assigned.
Peer Reviewer
Special permissions assigned for a short lifetime (as needed) for modifying a specific report and commenting on it. These permissions are assigned based on the workflow engine.
Quality Assurer
Special permissions assigned for a short lifetime (as needed) for modifying a specific report and commenting on it. These permissions are assigned based on the workflow engine.

A number of additional roles will be included in the next iteration of Canopy, including a low-privilege user role and a KB admin role.


Object Roles

There are currently three main objects for assigning user access, outside of the global roles. These are:

  • Companies/Clients
  • Opportunities
  • Projects

The following screenshot shows an example of the User Access management interface that is part of the Edit Company dialogue. The default permissions for all company objects are listed in italic.


It is possible to add users with additional access. Groups cannot be added at the moment.

Permissions are grouped into a simple set of roles on each object, which are typically:

  • readonly: a read-only role
  • write: if available, this allows for the content of the object to be managed, but does not allow control over assigning access or deleting
  • admin: perform any operation

The specific instances of these roles on their corresponding objects are explained next.

Company

Role | Permissions | Description
readonly
  • company-view
View-only access to a company.
admin
  • company-edit
  • company-view
Manage the content and access control of an opportunity.

Opportunity

Role | Permissions | Description
readonly
  • opportunity-view
View-only access to an opportunity.
write
  • opportunity-content-edit
  • opportunity-view
Manage content associated with an opportunity. However, the structure of the opportunity cannot be changed (e.g. add more phases).
admin
  • opportunity-edit
  • opportunity-content-edit
  • opportunity-view
Manage the structure, content and access control of an opportunity.

Project

Role | Permissions | Description
readonly
  • project-view
This is a readonly role. No content editing can be performed by a user with this role.
write
  • project-content-edit
  • project-view
Manage content associated with an opportunity. However, the structure of the opportunity cannot be changed (e.g. add more phases).
admin
  • project-edit
  • project-content-edit
  • project-view
Manage the structure, content and access control of an opportunity.
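
The following is an added example, not Canopy code: it models how a global role's default permissions and a per-object role could combine into one access decision. The permission names are copied from the tables above (three global roles only); the union-of-grants rule, the "ALL" wildcard handling, the grants storage format and the function names are assumptions made for illustration.

```python
# Added example, not Canopy code. Permission sets are copied from the tables
# on this page (three global roles shown); the evaluation rule is assumed.
GLOBAL_ROLES = {
    "Administrators": {"ALL"},
    "Senior Analysts": {
        "project-create", "reporttemplate-view", "methodologytemplate-view",
        "methodologytemplate-comment", "opportunity-create", "kb-view",
        "kb-edit", "kb-approve", "kb-add", "kb-comment", "company-view"},
    "Analysts": {
        "kb-view", "kb-add", "kb-comment", "methodologytemplate-view",
        "methodologytemplate-comment"},
}
OBJECT_ROLES = {
    "company": {
        "readonly": {"company-view"},
        "admin": {"company-edit", "company-view"}},
    "opportunity": {
        "readonly": {"opportunity-view"},
        "write": {"opportunity-content-edit", "opportunity-view"},
        "admin": {"opportunity-edit", "opportunity-content-edit",
                  "opportunity-view"}},
    "project": {
        "readonly": {"project-view"},
        "write": {"project-content-edit", "project-view"},
        "admin": {"project-edit", "project-content-edit", "project-view"}},
}

def effective_permissions(global_roles, grants, obj_type, obj_id):
    """Union of global-role defaults and the user's role on one object.

    grants maps (object type, object id) -> object role name (hypothetical
    storage format). Unknown roles are rejected rather than ignored.
    """
    perms = set()
    for role in global_roles:
        perms |= GLOBAL_ROLES[role]
    object_role = grants.get((obj_type, obj_id))
    if object_role is not None:
        available = OBJECT_ROLES[obj_type]
        if object_role not in available:
            raise ValueError(f"{obj_type} has no {object_role!r} role")
        perms |= available[object_role]
    return perms

def is_allowed(global_roles, grants, obj_type, obj_id, permission):
    perms = effective_permissions(global_roles, grants, obj_type, obj_id)
    return "ALL" in perms or permission in perms

# Constructed sample: an Analyst granted "write" on project 7 only.
ANALYST_GRANTS = {("project", 7): "write"}
```

With the constructed grant, the Analyst can edit content on project 7 but cannot change its structure or see any other project, and assigning a "write" role on a company is rejected because the Company table defines none.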