Permissions
DbFace permissions are built around three layers: organization isolation, role control, and report-level authorization. Together they support multi-tenant isolation and ensure viewer users only access approved content.
Organization isolation
Core entities such as users, reports, datasources, categories, and Cloud Code all carry organization_id.
Server-side queries filter by organization to ensure data does not leak across tenants.
Role model
| Role | Capabilities | Typical users |
|---|---|---|
| admin | Manage users, datasources, system settings, and authorization | Platform administrators |
| editor | Create, edit, publish reports and Cloud Code | Analysts and report maintainers |
| viewer | View only authorized and published reports | Business users and consumers |
Report-level authorization
Viewer users cannot automatically access every report in the organization. DbFace records per-user authorization in the permissions table.
- Admins can assign which published reports a viewer may access.
- Only published reports are meaningful for viewer authorization.
- View, execute, and export paths all check viewer authorization.
Publish state
Reports also carry a draft or published status. Even with authorization, viewer users can only access reports that are already published.
Admin-only capabilities
- Create, edit, and delete datasources.
- Create users, change roles, reset passwords, and activate or deactivate accounts.
- Configure viewer report authorization.
- Access organization-level settings and system configuration.
Editor capabilities
- Create, update, duplicate, publish, and unpublish reports.
- Update embed settings and generate embed tokens.
- Create and maintain Cloud Code components.
Design notes
- Organization isolation protects against cross-tenant access.
- Role control decides whether the user may perform management actions.
- Viewer authorization decides whether a specific report is consumable.
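
The three layers and the publish-state rule, combined into a single access decision. This is an added example, not DbFace's own code: the table layout, the `User` class, and the function names are hypothetical, and it assumes admins and editors may open any report inside their own organization.

```python
import sqlite3
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    organization_id: int
    role: str  # "admin", "editor" or "viewer"

def build_sample_db():
    """Constructed sample data; the schema is an assumption for illustration."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE reports (id INTEGER PRIMARY KEY, organization_id INTEGER, status TEXT);
        CREATE TABLE permissions (user_id INTEGER, report_id INTEGER);
        INSERT INTO reports VALUES (1, 10, 'published'), (2, 10, 'draft'),
                                   (3, 10, 'published'), (4, 20, 'published');
        -- viewer 100 holds grants on 1, on 2 (a draft) and on 4 (another tenant)
        INSERT INTO permissions VALUES (100, 1), (100, 2), (100, 4);
    """)
    return conn

def can_access_report(conn, user, report_id):
    """One decision shared by the view, execute and export paths."""
    # Layer 1: organization isolation, applied to every role.
    row = conn.execute(
        "SELECT status FROM reports WHERE id = ? AND organization_id = ?",
        (report_id, user.organization_id)).fetchone()
    if row is None:
        return False  # missing and cross-tenant look identical to the caller
    # Layer 2: role control (assumption: admin/editor see all reports in their org).
    if user.role in ("admin", "editor"):
        return True
    if user.role != "viewer":
        return False  # unknown role: deny by default
    # Publish state: a grant on a draft report does not make it viewable.
    if row[0] != "published":
        return False
    # Layer 3: per-user grant recorded in the permissions table.
    grant = conn.execute(
        "SELECT 1 FROM permissions WHERE user_id = ? AND report_id = ?",
        (user.id, report_id)).fetchone()
    return grant is not None
```

Because the organization filter runs first, a stray grant pointing at another tenant's report (report 4 in the sample data) is still denied.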