Main Concepts
inTandem access control main concepts
Permissions
A Permission is an entity that represents access to a capability/feature that can be granted to a staff member.
Permission naming convention
Feature Permissions
Permissions have naming conventions that make their purpose and hierarchy easier to understand. They follow this pattern:
domain.feature.action
Domain: The model or general business domain in the inTandem platform. For example, clients, documents, and business management.
Feature: A specific feature within the domain to which the permission is related. For example, client_list, invoices, estimates.
Action: The action that can be denied/allowed concerning the feature. For example, export, manage, view, delete.
Category permissions
Some permissions will have only a domain and an action. The action will always be "manage". These are category permissions that address the availability of a complete module. For example, clients.manage, documents.manage, payments.manage.
When denying a category permission, all feature permissions are automatically denied to avoid conflicts.
Permission Hierarchy
As mentioned, category permissions have only a domain and an action, and regular permissions have a domain, a feature, and an action. The parts are always separated with a period (".").
So if you want to represent the hierarchy of permissions in your UI, you will need to parse the list of permissions returned from the Permissions endpoint:
const permissionsData = {
  permissions: [
    { unique_code: "payments.manage", name: "Manage Payments" },
    { unique_code: "clients.collaborated_activities.manage", name: "Manage Collaborated Activities" },
    { unique_code: "clients.client_email.manage", name: "Manage Client Email" },
    { unique_code: "clients.client_lastname.manage", name: "Manage Client Last Name" },
    { unique_code: "clients.client_phone.manage", name: "Manage Client Phone" },
    { unique_code: "payments.invoices.export", name: "Export Invoices" },
    { unique_code: "payments.estimates.export", name: "Export Estimates" },
    { unique_code: "clients.manage", name: "Manage Clients" }
  ]
};

// Initialize objects to hold the categorized permissions
const categoryPermissions = {};
const regularPermissions = {};

// Parse and categorize permissions
permissionsData.permissions.forEach(perm => {
  const codeParts = perm.unique_code.split('.');
  if (codeParts.length === 2 && codeParts[1] === "manage") {
    // Category permission (e.g., clients.manage)
    const domain = codeParts[0];
    if (!categoryPermissions[domain]) {
      categoryPermissions[domain] = [];
    }
    categoryPermissions[domain].push(perm);
  } else if (codeParts.length === 3) {
    // Regular permission (e.g., payments.invoices.export)
    const [domain, feature] = codeParts;
    if (!regularPermissions[domain]) {
      regularPermissions[domain] = {};
    }
    if (!regularPermissions[domain][feature]) {
      regularPermissions[domain][feature] = [];
    }
    regularPermissions[domain][feature].push(perm);
  }
});

// Display the categorized permissions
console.log("Category Permissions:");
Object.keys(categoryPermissions).forEach(domain => {
  console.log(` ${domain}:`);
  categoryPermissions[domain].forEach(perm => {
    console.log(` - ${perm.name} (${perm.unique_code})`);
  });
});

console.log("\nRegular Permissions:");
Object.keys(regularPermissions).forEach(domain => {
  console.log(` ${domain}:`);
  Object.keys(regularPermissions[domain]).forEach(feature => {
    console.log(` ${feature}:`);
    regularPermissions[domain][feature].forEach(perm => {
      console.log(` - ${perm.name} (${perm.unique_code})`);
    });
  });
});
API Endpoints
The Permission entity exposes list and single entity retrieval.
In addition, you can check the StaffPermission endpoint to verify whether a specific staff member has access to a specific permission.
Business Roles
A business role is a named set of default permissions for a business account. For example, admin, manager, etc. Each business account has its own roles. A set of basic roles is created for the account as part of its creation. After its creation, users with permission to create roles can update and create new custom roles.
Once created, business roles can be assigned to staff members (using the StaffBusinessRole endpoint), enabling efficient control over the permissions of staff members with the same role.
Basic Roles
inTandem comes with five out-of-the-box roles:
- Admin: Full access to the account. If an owner, the user can access additional settings that are unavailable to regular admins.
- User: Can view the activity of assigned clients as follows
- Manager: Has Administrator rights except for access to Staff settings and the ability to edit the account plan.
- Collaborator: May view and edit all clients and activities and may use the “work as” option, which allows them to view and edit activities of all users. Cannot access account settings, online presence, and campaigns.
- Marketer: Can access settings and campaigns, view all clients, and perform bulk client operations. They cannot access payments and can view only their conversations, appointments, payments, and documents.
Custom Roles
Using the BusinessRoles API, you can customize existing roles and create new roles to assign to users.
The Admin and User business roles are system roles and cannot be customized.
Overriding permissions (StaffPermissionsOverrideList)
Sometimes, a user holding a specific role requires additional permissions. These are assigned using the StaffPermissionsOverrideList endpoint, an entity holding the list of permissions that override the default permissions of the BusinessRole assigned to the staff member. When the list is empty, role defaults are assigned to the user.
When overriding a category permission, all feature permissions are automatically overridden to avoid conflicts.
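The cascade rules above (category deny, category override) can be modelled client-side as follows. This is an added example, not inTandem's code. The data shapes are assumptions: `catalog` and `roleDefaults` are arrays of `unique_code` strings, `overrides` is an array of `{ unique_code, allow }`, and the rule that a denied category beats a conflicting feature grant is an assumed fail-closed tie-break.

```javascript
// Added example: models the rules on this page; not inTandem's own code.
// Assumed (hypothetical) shapes: `catalog` and `roleDefaults` are arrays of
// unique_code strings; `overrides` is an array of { unique_code, allow }.
const CODE_RE = /^[a-z0-9_]+(\.[a-z0-9_]+){1,2}$/;

function parseCode(code) {
  if (typeof code !== "string" || !CODE_RE.test(code)) return null;
  const [domain, second, action] = code.split(".");
  if (action === undefined) {
    // Two-part codes are category permissions and always end in "manage".
    return second === "manage" ? { domain, category: true } : null;
  }
  return { domain, feature: second, action, category: false };
}

function effectivePermissions(catalog, roleDefaults, overrides = []) {
  const known = new Map(); // unique_code -> parsed form
  for (const code of catalog) {
    const parsed = parseCode(code);
    if (parsed) known.set(code, parsed);
  }
  // Fail closed: only codes that parse and exist in the catalog are granted.
  const granted = new Set(roleDefaults.filter((c) => known.has(c)));
  const apply = (code, allow) => (allow ? granted.add(code) : granted.delete(code));
  const featuresOf = (domain) =>
    [...known].filter(([, p]) => !p.category && p.domain === domain).map(([c]) => c);
  const valid = overrides.filter(
    (o) => o && known.has(o.unique_code) && typeof o.allow === "boolean");

  // 1. Category overrides cascade to every feature permission in the domain.
  for (const o of valid.filter((v) => known.get(v.unique_code).category)) {
    apply(o.unique_code, o.allow);
    featuresOf(known.get(o.unique_code).domain).forEach((c) => apply(c, o.allow));
  }
  // 2. Feature overrides adjust single permissions.
  for (const o of valid.filter((v) => !known.get(v.unique_code).category)) {
    apply(o.unique_code, o.allow);
  }
  // 3. A denied category permission denies the whole module, so a stray
  //    feature grant can never outlive its category (assumed tie-break).
  for (const [code, p] of known) {
    if (p.category && !granted.has(code)) {
      featuresOf(p.domain).forEach((c) => granted.delete(c));
    }
  }
  return granted;
}
```

Treat the result as a hint for rendering the UI. The StaffPermission endpoint mentioned above is the check for whether a specific staff member holds a specific permission.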