Roles and Permissions
User roles in MineSync and what each role can access and modify.
Overview
MineSync uses a role-based access control (RBAC) model. Each user is assigned a role within a tenant through their tenant membership. Roles determine what a user can view, create, edit, and delete.
Roles
MineSync defines four roles:
| Role | Description |
|---|---|
| ADMIN | Full access. Can manage users, configure the system, modify all data, and access admin-only features. |
| PLANNER | Can manage lifecycle profiles, work orders, schedules, and parts. Cannot access admin-level configuration. |
| TECHNICIAN | Can view fleet data, update work orders assigned to them, and log meter readings. Limited write access. |
| VIEWER | Read-only access to all fleet data, dashboards, and reports. Cannot create or modify records. |
Permission Matrix
Fleet Management
| Action | Admin | Planner | Technician | Viewer |
|---|---|---|---|---|
| View vehicles | Yes | Yes | Yes | Yes |
| Create/edit vehicles | Yes | Yes | No | No |
| Delete vehicles | Yes | No | No | No |
| Log meter readings | Yes | Yes | Yes | No |
| View meter readings | Yes | Yes | Yes | Yes |
Work Orders
| Action | Admin | Planner | Technician | Viewer |
|---|---|---|---|---|
| View work orders | Yes | Yes | Yes | Yes |
| Create work orders | Yes | Yes | No | No |
| Edit work orders | Yes | Yes | Assigned only | No |
| Delete work orders | Yes | No | No | No |
| Change work order status | Yes | Yes | Assigned only | No |
Lifecycle Profiles and TCO
| Action | Admin | Planner | Technician | Viewer |
|---|---|---|---|---|
| View profiles | Yes | Yes | Yes | Yes |
| Create/edit profiles | Yes | Yes | No | No |
| Delete profiles | Yes | No | No | No |
| View TCO scenarios | Yes | Yes | Yes | Yes |
| Create/edit TCO scenarios | Yes | Yes | No | No |
Parts and BOM
| Action | Admin | Planner | Technician | Viewer |
|---|---|---|---|---|
| View parts catalog | Yes | Yes | Yes | Yes |
| Manage parts | Yes | Yes | No | No |
| View BOM | Yes | Yes | Yes | Yes |
| Edit BOM | Yes | Yes | No | No |
| View standard jobs | Yes | Yes | Yes | Yes |
| Manage standard jobs | Yes | Yes | No | No |
Benchmark
| Action | Admin | Planner | Technician | Viewer |
|---|---|---|---|---|
| View benchmark data | Yes | Yes | Yes | Yes |
| Create/edit benchmark entries | Yes | No | No | No |
| Delete benchmark entries | Yes | No | No | No |
| Bulk import benchmark data | Yes | No | No | No |
Scheduler
| Action | Admin | Planner | Technician | Viewer |
|---|---|---|---|---|
| View schedules | Yes | Yes | Yes | Yes |
| Create/edit scenarios | Yes | Yes | No | No |
| Manage resources (bays, crews) | Yes | Yes | No | No |
| Approve/reject tasks | Yes | Depends on config | No | No |
AI
| Action | Admin | Planner | Technician | Viewer |
|---|---|---|---|---|
| Use AI chat | Yes | Yes | Yes | Yes |
| View conversation history | Own only | Own only | Own only | Own only |
| Configure AI settings (provider, keys) | Yes | No | No | No |
Administration
| Action | Admin | Planner | Technician | Viewer |
|---|---|---|---|---|
| Manage tenant members | Yes | No | No | No |
| Change member roles | Yes | No | No | No |
| Configure tenant settings | Yes | No | No | No |
| Master data management (OEMs, models, components) | Yes | No | No | No |
| View audit log | Yes | No | No | No |
| Database backup/restore | Yes | No | No | No |
| SQL viewer | Yes | No | No | No |
How Roles Are Assigned
- An admin navigates to Admin > Members.
- The admin invites a user or changes an existing member's role.
- The role is stored in the `tenantMemberships` table, in the row linking the user to the tenant.
A user can have different roles in different tenants if they belong to multiple organizations.
How Authorization Works
Server-Side
Every tRPC procedure that requires authentication uses `tenantProcedure`, which:
- Verifies the user has a valid session.
- Looks up the tenant from the `x-tenant-slug` header.
- Confirms the user has a membership in that tenant.
- Attaches `ctx.tenantId` and `ctx.membership` (including the role) to the request context.
For role-restricted operations, the `requireRole` middleware checks the membership role:
```ts
tenantProcedure.use(requireRole(["ADMIN"]))
```
If the user's role is not in the allowed list, the server returns a FORBIDDEN error. `requireRole` only inspects the role, so matrix entries such as "Assigned only" (work orders) and "Own only" (conversation history) need an additional per-record check inside the procedure itself, scoped to `ctx.tenantId`.
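The following is an added, stand-alone model of the chain described above (session, tenant from `x-tenant-slug`, membership, `requireRole`) together with the per-record "Assigned only" rule from the Work Orders matrix. It is not MineSync's code and does not import tRPC: the tenant and membership rows, the ids, the `first` helper and the NOT_FOUND code used for an unknown tenant are all constructed for illustration.

```typescript
// Added example, not MineSync's own code: a model of tenantProcedure ->
// requireRole plus the "Assigned only" work order check. Tables, ids and the
// NOT_FOUND code for an unknown tenant are constructed assumptions.

type Role = "ADMIN" | "PLANNER" | "TECHNICIAN" | "VIEWER";
type AuthCode = "UNAUTHORIZED" | "NOT_FOUND" | "FORBIDDEN";

interface Session { userId: string; }
interface Tenant { id: string; slug: string; }
interface Membership { userId: string; tenantId: string; role: Role; }
interface WorkOrder { id: string; tenantId: string; assigneeId: string | null; }
interface TenantCtx { session: Session; tenantId: string; membership: Membership; }

// tRPC-style error: callers branch on .code, the message is for humans.
class AuthError extends Error {
  code: AuthCode;
  constructor(code: AuthCode, message: string) {
    super(message);
    this.code = code;
  }
}

// Constructed sample rows standing in for the tenants, tenantMemberships and
// work order tables. Alice is ADMIN in one tenant and VIEWER in the other.
const tenants: Tenant[] = [
  { id: "t1", slug: "acme-mining" },
  { id: "t2", slug: "north-pit" },
];
const memberships: Membership[] = [
  { userId: "u-alice", tenantId: "t1", role: "ADMIN" },
  { userId: "u-alice", tenantId: "t2", role: "VIEWER" },
  { userId: "u-bob", tenantId: "t1", role: "TECHNICIAN" },
];
const workOrders: WorkOrder[] = [
  { id: "wo-1", tenantId: "t1", assigneeId: "u-bob" },
  { id: "wo-2", tenantId: "t1", assigneeId: null },
  { id: "wo-3", tenantId: "t2", assigneeId: "u-bob" },
];

function first<T>(rows: T[], match: (row: T) => boolean): T | undefined {
  for (const row of rows) if (match(row)) return row;
  return undefined;
}

// Stand-in for tenantProcedure: session -> tenant from the header ->
// membership in that tenant -> ctx. Every step fails closed.
function tenantContext(session: Session | null, headers: Record<string, string>): TenantCtx {
  if (!session) throw new AuthError("UNAUTHORIZED", "no valid session");
  const user: Session = session;
  const slug = headers["x-tenant-slug"];
  const tenant = first(tenants, (t) => t.slug === slug);
  if (!tenant) throw new AuthError("NOT_FOUND", "unknown tenant slug");
  const tenantId = tenant.id;
  const membership = first(memberships, (m) => m.userId === user.userId && m.tenantId === tenantId);
  if (!membership) throw new AuthError("FORBIDDEN", "not a member of this tenant");
  return { session: user, tenantId, membership };
}

// Stand-in for requireRole([...]): allow-list check on the membership role.
function requireRole(allowed: Role[]) {
  return (ctx: TenantCtx): TenantCtx => {
    if (allowed.indexOf(ctx.membership.role) === -1) {
      throw new AuthError("FORBIDDEN", "role " + ctx.membership.role + " not allowed");
    }
    return ctx;
  };
}

// "Edit work orders: Technician = Assigned only". The role check cannot express
// this, so the procedure body adds two checks: the record must belong to the
// caller's tenant, and a TECHNICIAN must be its assignee.
function editWorkOrder(ctx: TenantCtx, workOrderId: string): WorkOrder {
  requireRole(["ADMIN", "PLANNER", "TECHNICIAN"])(ctx);
  // Tenant scope is part of the lookup: another tenant's id is simply
  // "not found" instead of confirming that the record exists.
  const wo = first(workOrders, (w) => w.id === workOrderId && w.tenantId === ctx.tenantId);
  if (!wo) throw new AuthError("NOT_FOUND", "work order not found");
  if (ctx.membership.role === "TECHNICIAN" && wo.assigneeId !== ctx.session.userId) {
    throw new AuthError("FORBIDDEN", "technicians may only edit work orders assigned to them");
  }
  return wo;
}

// Runs an operation and reports "OK" or the AuthError code it raised.
function outcome(op: () => unknown): string {
  try {
    op();
    return "OK";
  } catch (e) {
    const code = (e as { code?: unknown }).code;
    return typeof code === "string" ? code : "ERROR";
  }
}

// Walks through the matrix cases and returns a map of case -> outcome.
function demo(): Record<string, string> {
  const acme = { "x-tenant-slug": "acme-mining" };
  const north = { "x-tenant-slug": "north-pit" };
  const aliceAcme = tenantContext({ userId: "u-alice" }, acme);
  const aliceNorth = tenantContext({ userId: "u-alice" }, north);
  const bobAcme = tenantContext({ userId: "u-bob" }, acme);
  return {
    "alice admin action in acme-mining": outcome(() => requireRole(["ADMIN"])(aliceAcme)),
    "alice admin action in north-pit": outcome(() => requireRole(["ADMIN"])(aliceNorth)),
    "bob edits assigned wo-1": outcome(() => editWorkOrder(bobAcme, "wo-1")),
    "bob edits unassigned wo-2": outcome(() => editWorkOrder(bobAcme, "wo-2")),
    "bob edits wo-3 from acme-mining context": outcome(() => editWorkOrder(bobAcme, "wo-3")),
    "bob calls north-pit without membership": outcome(() => tenantContext({ userId: "u-bob" }, north)),
    "no session": outcome(() => tenantContext(null, acme)),
  };
}
```

`demo()` exercises the cases the matrix implies: Alice passes the ADMIN check in `acme-mining` but is refused in `north-pit`, where her membership row says VIEWER; Bob can edit `wo-1` but not the unassigned `wo-2`; and `wo-3`, which lives in the other tenant, is reported as NOT_FOUND rather than FORBIDDEN because the lookup is scoped by `ctx.tenantId` before any role logic runs.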
Client-Side
The global middleware in `src/middleware.ts` protects all routes except `/login`, the authentication endpoints, and static assets. Unauthenticated users are redirected to the login page. This middleware enforces authentication only: it does not decide what a signed-in user may do. Role restrictions are enforced by `requireRole` on the server, so a page or menu item being hidden in the UI is a convenience, not the access control boundary.
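To make the route-protection rule testable, here is an added example (not the project's `src/middleware.ts`) that isolates the decision as a pure function. Which paths count as "authentication endpoints" and "static assets" is an assumption here (`/api/auth/...`, `/_next/...`, and common asset extensions), as is the redirect target `/login`.

```typescript
// Added example, not the project's src/middleware.ts: the route-protection
// decision as a pure function. The public prefixes and the asset extensions
// are assumptions; the page only says "authentication endpoints" and "static assets".

const PUBLIC_EXACT: string[] = ["/login"];
const PUBLIC_PREFIXES: string[] = ["/api/auth/", "/_next/"]; // trailing "/" is deliberate
const STATIC_ASSET = /\.(?:ico|png|svg|jpg|jpeg|css|js|woff2?)$/i;

// Allow-list: everything not listed here requires a session.
function isPublicPath(pathname: string): boolean {
  // Treat "/login/" and "/login" as the same page.
  const path = pathname.length > 1 && pathname.charAt(pathname.length - 1) === "/"
    ? pathname.slice(0, -1)
    : pathname;
  if (PUBLIC_EXACT.indexOf(path) !== -1) return true;
  for (const prefix of PUBLIC_PREFIXES) {
    // Match on a segment boundary: "/api/auth/session" is public but
    // "/api/authz" is not, even though it starts with "/api/auth".
    if (path === prefix.slice(0, -1) || path.indexOf(prefix) === 0) return true;
  }
  return STATIC_ASSET.test(path);
}

type Decision = { action: "next" } | { action: "redirect"; to: string };

function decide(pathname: string, hasSession: boolean): Decision {
  if (isPublicPath(pathname)) return { action: "next" };
  if (!hasSession) return { action: "redirect", to: "/login" };
  // Authenticated. The middleware stops here: it has not resolved a tenant or
  // a role, so letting /admin/... render is not an authorization decision.
  // Every data call is still checked by tenantProcedure and requireRole.
  return { action: "next" };
}
```

The exact-match list and the slash-terminated prefixes are what keep `/login-audit` or `/api/authz` from inheriting the public status of `/login` and `/api/auth/`; a bare `startsWith("/login")` would open any route whose name merely begins with that string.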
Common Questions
Can a user have multiple roles?
Not within the same tenant. Each tenant membership has exactly one role. However, a user can have different roles in different tenants.
Can I create custom roles?
Not currently. The four roles (Admin, Planner, Technician, Viewer) are defined in the application schema. Custom roles would require a schema change.
What happens if I downgrade someone from Admin to Viewer?
They lose access to admin features on their next request. No re-login or session invalidation is needed, because `tenantProcedure` resolves the membership, and therefore the role, on every request. In-flight operations that were authorized before the change will complete, but subsequent requests will be denied with FORBIDDEN.