Permissions System
The system uses a flexible permissions model (RBAC) that allows precise definition of what each user (Gabbai/Administrator) can do. Permissions are enforced at the server level (Guards) and at the interface level (UI).
Permissions List (Permission Enum)
Source:
src/common/enums/permission.enum.ts— 17 permissions total.
| Permission ID | Value | Description |
|---|---|---|
MANAGE_USERS | manage_users | Create, edit and delete users. Assign roles. |
MANAGE_DEVICES | manage_devices | Add devices, change settings, view status. |
MANAGE_CONTENT | manage_content | Edit prayer times, messages, shiurim, Torah readings. |
MANAGE_ALERTS | manage_alerts | Configure alert rules and smart alert thresholds. |
MANAGE_REMOTE_CONTROL | manage_remote_control | Send commands to devices, reboot, screenshot, streaming. |
MANAGE_REPORTS | manage_reports | Access reports, statistics, and advanced analytics. |
MANAGE_NOTIFICATIONS | manage_notifications | Configure push notification channels. |
MANAGE_WHATSAPP | manage_whatsapp | WhatsApp messaging, auto-response rules, contact aliases. |
MANAGE_EMAIL_CONFIG | manage_email_config | SMTP configuration for email notifications. |
MANAGE_SMS_CONFIG | manage_sms_config | SMS provider configuration (Twilio/AWS SNS). |
MANAGE_SYSTEM | manage_system | Super permission (Admin) for core settings and maintenance. |
SYSTEM_CONFIG_READ | system_config_read | Read-only access to system configuration. |
SYSTEM_CONFIG_WRITE | system_config_write | Modify system configuration, backups, cleanup settings. |
VIEW_DASHBOARD | view_dashboard | Basic access to home dashboard. |
VIEW_ANALYTICS | view_analytics | Access to advanced charts, BI, and usage data. |
VIEW_SYSTEM_HEALTH | view_system_health | View system health checks, service status, incidents. |
VIEW_SYSTEM_METRICS | view_system_metrics | View telemetry data, performance metrics, device stats. |
Implementation in Code
Permissions are checked using the @Permissions decorator above the controller or function:
@Controller('users')
@Permissions(Permission.MANAGE_USERS) // Requires permission for all functions in controller
export class UsersController { ... }
Roles
The system supports built-in roles that aggregate multiple permissions:
- Admin (Super Administrator): Has all permissions. Can perform Impersonation (impersonate) other users.
- User (Gabbai): Manages only their synagogue.
MANAGE_CONTENT,MANAGE_DEVICESpermissions are limited to their Tenant. - Viewer (Observer): View-only permissions (for example for audit committee).
Technical Note
In the database, the role is saved in the role field in the User model, and specific permissions in a linked table (if there's a deviation from the role).