- Project access answers whether a person can open a project.
- Permission roles/templates answer what baseline access that person has.
- Module permissions answer what the role can do inside tools such as Budget, Documents, RFIs, or Change Orders.
- Page access answers which permission roles can open a specific page.
- Granular flags and overrides answer whether a sensitive action is allowed for a specific person.
Manage User And Role Access
Use User Management to create users, assign company roles, assign project roles, and manage granular exceptions.Permission Roles And Templates
Permission roles are stored as permission templates. A template sets a baseline access level for each module. Common roles include Admin, Project Manager, Superintendent, and subcontractor/client roles. The actual available role list comes from the permission templates configured in the app. Each module permission uses this hierarchy:- None — no module access.
- Read — view records.
- Write — create and edit records.
- Admin — full module control, including administrative actions where the tool supports them.
Page Access
Use Site Map to review and update page access. The Site Map access table has two different role columns:- Allowed Roles is the explicit page-level allowlist. Updating this column controls which permission roles can open that page.
- Roles That Qualify is a read-only diagnostic. It shows which roles satisfy the current module/level requirement, but it is not the page access control.
Route Requirement Metadata
The older page-access metadata still matters, but it is not the same as the page-role allowlist.app_page_access_policiesstores route requirement metadata such as required access level and required permission module.app_page_role_access_policiesandapp_page_role_access_policy_templatesstore explicit page-to-role access.
Per-User Module Overrides
After applying a template, override specific modules for a user without changing the template:- Open the user’s permission record.
- Select the module (Budget, RFIs, etc.).
- Choose a different access level (None, Read, Write, Admin).
- Save the override.
Capability Flags
Capability flags control sensitive actions independently of module access:- approve_change_orders
- approve_invoices
- bulk_edit_subcontractor_invoice_status
- create_budget_modifications
- create_change_events
- edit_own_ssov
- manage_project_directory
- view_accounting
- view_executive_briefing
- view_private_commitments
API And Data Guardrails
API routes should use the shared project permission helpers, such asverifyProjectAccess and verifyProjectPermission, instead of duplicating
permission checks. Project pages go through the project layout guard, which now
also enforces explicit page-role policies.