Access Control

Guide to managing team permissions and roles.

Overview

Access Control defines who can access your company and what permissions they have. It is managed through the AccessControl entity and company sharing settings.

User Roles

Owner

  • Who: Creator of the company

  • Permissions: Full access to all features

    • Manage sharing (invite/remove participants)

    • Delete company

    • Configure all settings

    • Access all data

  • Identification: isOwner = true in AccessControl

Participant

  • Who: Team members invited via sharing

  • Permissions: Based on share settings and AccessControl

    • Read/write company data (default)

    • Cannot manage sharing

    • Cannot delete company

  • Identification: isOwner = false in AccessControl

Adding Team Members

See Sharing Company for the invitation process.

Summary:

  1. Owner shares company via Settings → Sharing

  2. Participant accepts share invitation

  3. AccessControl record auto-created for participant

  4. Participant can now access company data

Viewing Team Members

Settings → Sharing → Participants:

  • List of all team members

  • Shows display name, email

  • Owner badge for company owner

  • Last active timestamp (future)

Removing Team Members

Owner Only:

  1. Settings → Sharing

  2. Tap participant

  3. Tap Remove

  4. Confirm

Effect: The participant loses access immediately, and the company is removed from their device.

Permission Levels (Current)

Binary Permissions:

  • Can Edit: Full read/write to company data (default for all participants)

  • View Only: Read-only access (future enhancement)

Set via UICloudSharingController when adding a participant.

Advanced Permissions (Future)

Department-Based Access

Planned: Use deptMask field (bitmask) for department-level permissions

Example:

  • Sales Department: Can access Orders, Contacts (not Warehouse)

  • Warehouse: Can access Inventory, Dispatch (not Orders)

  • Management: All access

Manager Permissions

Planned: Use managerMask field for elevated permissions within departments

Example:

  • Regular Staff: Can view, edit assigned tasks

  • Manager: Can view all tasks, create tasks, assign tasks

  • Admin: Full CRUD on all entities
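
The planned department check described above, sketched in Swift as an added example (not the project's own code). It covers deptMask and isOwner only; the bit assignments, the Int64 mask type, the Resource enum and the AccessRecord struct are assumptions, since the page names the fields but not their layout.

```swift
import Foundation

// Assumed bit layout; the page does not define which bit is which department.
struct Department: OptionSet {
    let rawValue: Int64  // assumed to match an Integer 64 deptMask attribute
    static let sales      = Department(rawValue: 1 << 0)
    static let warehouse  = Department(rawValue: 1 << 1)
    static let management = Department(rawValue: 1 << 2)
}

// Hypothetical resource names taken from the page's example list.
enum Resource: String, CaseIterable { case orders, contacts, inventory, dispatch }

// Departments allowed to reach each resource. Management is in every entry.
let allowedDepartments: [Resource: Department] = [
    .orders:    [.sales, .management],
    .contacts:  [.sales, .management],
    .inventory: [.warehouse, .management],
    .dispatch:  [.warehouse, .management],
]

// Hypothetical value-type mirror of the two AccessControl fields used here.
struct AccessRecord {
    let isOwner: Bool
    let deptMask: Int64
}

// Default deny: a missing record, an unmapped resource or an empty mask fails.
func canAccess(_ resource: Resource, record: AccessRecord?) -> Bool {
    guard let record = record else { return false }
    if record.isOwner { return true }  // owner has full access to all data
    guard let allowed = allowedDepartments[resource] else { return false }
    // Undefined bits in deptMask never match, so they cannot grant access.
    return !Department(rawValue: record.deptMask).isDisjoint(with: allowed)
}

// Constructed sample records.
let samples: [(String, AccessRecord?)] = [
    ("sales", AccessRecord(isOwner: false, deptMask: Department.sales.rawValue)),
    ("sales+warehouse", AccessRecord(isOwner: false,
        deptMask: Department.sales.union(.warehouse).rawValue)),
    ("no departments", AccessRecord(isOwner: false, deptMask: 0)),
    ("unknown bit only", AccessRecord(isOwner: false, deptMask: 1 << 40)),
    ("no record", nil),
]
for (label, record) in samples {
    let granted = Resource.allCases.filter { canAccess($0, record: record) }
    print(label, "->", granted.map(\.rawValue))
}
```

Keeping the resource-to-department table in one place means a newly added resource is inaccessible to participants until someone explicitly maps it, which matches the Least Privilege practice listed below.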

Security Best Practices

  • Least Privilege: Grant minimum permissions needed

  • Regular Audits: Review participants list periodically

  • Immediate Revocation: Remove access for departed team members immediately

  • UserPass Privacy: Remember that each user has their own credentials (never shared)

Technical Details

Entity: AccessControl (see Core Data Model)

Key Fields:

  • userID: UUID identifying the user

  • companyID: Which company this access applies to

  • isOwner: Boolean distinguishing owner from participants

  • displayName: User's name for display in UI

  • deptMask: Bitmask for department permissions (future use)

  • managerMask: Bitmask for manager permissions (future use)

  • createdAt: When access was granted


Related: Sharing Company, Security Model, Permissions and Roles
