Roles & Permissions
Managed via: the user edit page (backoffice/users/{id}/edit)
Available to roles: System Administrator
Overview
Airspace uses Bouncer for role-based access control (RBAC). Every backoffice action is gated behind abilities, and abilities are granted through roles or assigned directly to individual users. This system ensures that staff members only have access to the features they need.
Access Control Architecture
The permission system is structured in three layers:
- Gate:
see-admin-panel-- Controls access to the entire backoffice. If a user does not pass this gate, they cannot reach any admin page regardless of their roles or abilities. - Ability:
see-admin-options-- Controls sidebar navigation visibility. Users with this ability see the backoffice menu items. Both the Administrator and Operations Staff roles include this ability. - Model-level abilities -- Fine-grained permissions (view, create, update, delete, etc.) scoped to specific models and resources.
Built-in Roles
Airspace ships with three built-in roles. Each role is designed for a specific level of administrative responsibility.
System Administrator
The System Administrator role carries the everything ability, which grants unrestricted access to every feature, page, and action in the platform. There are no permission checks that can block a System Administrator.
| Property | Value |
|---|---|
| Role key | sysadmin |
| Core ability | everything |
| Access level | Unrestricted |
Assign the System Administrator role sparingly. It bypasses all permission checks entirely.
Administrator
The Administrator role provides broad management capabilities across most platform features. It includes the see-admin-options ability plus full management permissions on a wide range of models.
| Property | Value |
|---|---|
| Role key | administrator |
| Core ability | see-admin-options |
| Access level | Most management features |
Administrators can manage the following resources:
| Category | Models |
|---|---|
| Infrastructure | Airport, Airline |
| Scheduling | Schedule |
| Fleet | AircraftFleet, AircraftSubFleet, Aircraft |
| Operations | Booking, Flight, FerryFlight |
| Users & Points | User, Point |
| Simulation Profiles | LoadProfile, PayloadProfile, FdmProfile, VoiceProfile |
| Passenger Data | PassengerName |
| Compliance | Document, License, Restriction |
| Content | SpotterPhoto, CompanyNotam |
| Maintenance | MaintenanceCheckDefinition, MelDefinition |
| Speech | SpeechPack, SpeechLanguage |
| Configuration | SystemSetting |
Operations Staff
The Operations Staff role is designed for team members who assist with day-to-day operational tasks but should not have access to system configuration or broad management features.
| Property | Value |
|---|---|
| Role key | operations-staff |
| Core ability | see-admin-options |
| Access level | Limited operational features |
Operations Staff have access to the following capabilities:
| Resource | Allowed Actions |
|---|---|
| Aircraft | Move (reassign to different airports) |
| Users | Move (reassign home airport) |
| Documents | View, create, edit |
| Licenses | View, assign to users |
| Restrictions | View only |
| Spotter Photos | View, edit, delete |
| Ferry Flights | Full management (view, create, edit, delete) |
Direct Abilities (Per-User)
In addition to roles, abilities can be granted directly to individual users. This is useful when a specific user needs access to a feature that their assigned role does not cover, without granting them an entirely new role.
Direct abilities are managed from the user edit page. They work alongside role-based abilities -- a user's effective permissions are the union of all abilities from their roles plus any directly assigned abilities.
Direct abilities take precedence in the sense that they are additive. However, they cannot override restrictions imposed by the see-admin-panel gate. A user must still pass the gate to access the backoffice.
How Permission Checks Work
When a user attempts to perform an action in the backoffice, the system evaluates permissions in the following order:
- Gate check -- Does the user pass the
see-admin-panelgate? If not, access is denied entirely. everythingability -- Does the user have theeverythingability (System Administrator)? If so, the action is allowed without further checks.- Role abilities -- Does any of the user's assigned roles grant the required ability for this action and model?
- Direct abilities -- Has the required ability been granted directly to this user?
If none of these checks pass, the action is denied.
Summary Table
| Role | everything | see-admin-options | Management Scope |
|---|---|---|---|
| System Administrator | Yes | Yes (implicit) | All features, no restrictions |
| Administrator | No | Yes | Broad model management (see list above) |
| Operations Staff | No | Yes | Documents, licenses, restrictions (view), spotter photos, ferry flights, aircraft/user moves |
| Regular User (Pilot) | No | No | No backoffice access |