Roles & Permissions
Understanding role-based access control in NIP.
Overview
NIP uses Role-Based Access Control (RBAC) to determine what each user can see and do. Every user has one or more roles, and each role has a set of permissions.
This page is a reference — use it whenever another doc says "only admins can do X" and you want to confirm exactly which role is required. Roles are assigned in User Management.
Roles and permissions are stored in the database (tables `roles`, `permissions`, `role_permissions`, `user_roles`) and can be customised by a Super Admin. The roles below are the default seeded roles; your deployment may have additional custom roles, and a Super Admin may have changed which permissions the default roles carry. When the exact grant matters, confirm it against the live `role_permissions` mapping rather than this page.
Roles
Super Admin
The highest-privilege role with full access to every module.
- Manage all users, roles, and teams
- View and edit all project requests regardless of team
- Access all settings
- View audit logs
- Assign teams to requests
Organization Admin
Manages the organization and its users.
- Create and manage users
- Assign roles and teams
- View all project requests
- Manage department and focus area settings
- Cannot modify Super Admin accounts
Department Head
Leads a specific department team.
- View requests assigned to their team(s)
- Make team decisions on workflow steps
- Manage team-level tasks
- View department dashboard
- Cannot manage users or system settings (can view user profiles via `user:read`, but cannot create or edit users or assign roles)
Member
Standard team member.
- Create new project requests
- View requests assigned to their team
- Complete assigned workflow tasks
- Update own profile
- Cannot manage other users or system settings
Permission Categories
Permissions are grouped by module:
Request Permissions
| Permission | Description |
|---|---|
| `request:create` | Create new project requests |
| `request:read` | View project requests |
| `request:update` | Edit project requests |
| `request:delete` | Delete (soft-delete) project requests |
| `request:assign` | Assign requests to teams |
| `request:bulk_upload` | Upload requests in bulk |
User Permissions
| Permission | Description |
|---|---|
| `user:create` | Create new user accounts |
| `user:read` | View user profiles |
| `user:update` | Edit user accounts |
| `user:delete` | Deactivate/delete users |
| `user:assign_role` | Assign roles to users |
Team Permissions
| Permission | Description |
|---|---|
| `team:create` | Create new teams |
| `team:read` | View team information |
| `team:update` | Edit team details |
| `team:delete` | Remove teams |
| `team:manage_members` | Add/remove team members |
Settings Permissions
| Permission | Description |
|---|---|
| `settings:read` | View settings |
| `settings:update` | Modify settings |
Workflow Permissions
| Permission | Description |
|---|---|
| `workflow:read` | View workflow steps |
| `workflow:update` | Update workflow progress |
| `workflow:manage` | Manage workflow configuration |
Role–Permission Matrix
| Permission | Super Admin | Org Admin | Dept Head | Member |
|---|---|---|---|---|
| `request:create` | ✅ | ✅ | ✅ | ✅ |
| `request:read` | ✅ | ✅ | ✅ | ✅ |
| `request:update` | ✅ | ✅ | ✅ | ❌ |
| `request:delete` | ✅ | ✅ | ❌ | ❌ |
| `request:assign` | ✅ | ✅ | ❌ | ❌ |
| `user:create` | ✅ | ✅ | ❌ | ❌ |
| `user:read` | ✅ | ✅ | ✅ | ❌ |
| `user:update` | ✅ | ✅ | ❌ | ❌ |
| `team:manage_members` | ✅ | ✅ | ❌ | ❌ |
| `settings:update` | ✅ | ✅ | ❌ | ❌ |
| `workflow:manage` | ✅ | ✅ | ✅ | ❌ |
This matrix covers the permissions most often asked about. The remaining keys from the tables above (`request:bulk_upload`, `user:delete`, `user:assign_role`, `team:create`, `team:read`, `team:update`, `team:delete`, `settings:read`, `workflow:read`, `workflow:update`) are not shown here; check the `role_permissions` table in your deployment for their default grants.
How Permissions Are Enforced
- Middleware verifies authentication on every protected route; a request without a valid session is rejected before any permission check runs.
- API routes then check the user's session and role (resolved to its permissions) before processing the request. This server-side check is the actual enforcement point.
- UI components conditionally render buttons and actions based on the user's permissions. This is a usability aid, not a security control: a hidden button does not stop a direct API call, which is why the route-level check above is the one that matters.
If you attempt to access a feature you don't have permission for, the API returns a 403 Forbidden error.
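As an added example (not NIP's own code), the following Python models the four tables this page names in an in-memory SQLite database, resolves a user's effective permission set with a single join across `user_roles`, `role_permissions` and `permissions`, and wraps a route handler in a deny-by-default guard that answers 401 without a session and 403 without the required permission. The column names, the sample user ids and the `require_permission`, `delete_request` and `call` helpers are assumptions for illustration; the permission keys and default grants are transcribed from the matrix above.

```python
# Added example (not NIP's own code): the four RBAC tables named on this page,
# the join that resolves a user's effective permissions, and a deny-by-default
# route guard. Column names, sample user ids and helper names are assumed.
import sqlite3
from functools import wraps

SCHEMA = """
CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE permissions (id INTEGER PRIMARY KEY, key TEXT UNIQUE NOT NULL);
CREATE TABLE role_permissions (
    role_id INTEGER NOT NULL REFERENCES roles(id),
    permission_id INTEGER NOT NULL REFERENCES permissions(id),
    PRIMARY KEY (role_id, permission_id));
CREATE TABLE user_roles (                       -- a user may hold several roles
    user_id INTEGER NOT NULL,
    role_id INTEGER NOT NULL REFERENCES roles(id),
    PRIMARY KEY (user_id, role_id));
"""

# The eleven permission keys from the role-permission matrix on this page.
MATRIX_PERMISSIONS = [
    "request:create", "request:read", "request:update", "request:delete",
    "request:assign", "user:create", "user:read", "user:update",
    "team:manage_members", "settings:update", "workflow:manage",
]
# Default grants per seeded role, transcribed from the matrix.
DEFAULT_GRANTS = {
    "Super Admin": MATRIX_PERMISSIONS,
    "Organization Admin": MATRIX_PERMISSIONS,
    "Department Head": ["request:create", "request:read", "request:update",
                        "user:read", "workflow:manage"],
    "Member": ["request:create", "request:read"],
}
# Constructed sample assignments: user 4 holds two roles, user 5 holds none.
SAMPLE_USER_ROLES = [(1, "Super Admin"), (2, "Department Head"), (3, "Member"),
                     (4, "Department Head"), (4, "Member")]


def build_db():
    """Create an in-memory database seeded with the defaults above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO permissions (key) VALUES (?)",
                     [(k,) for k in MATRIX_PERMISSIONS])
    for role, keys in DEFAULT_GRANTS.items():
        role_id = conn.execute("INSERT INTO roles (name) VALUES (?)", (role,)).lastrowid
        conn.executemany("INSERT INTO role_permissions (role_id, permission_id) "
                         "SELECT ?, id FROM permissions WHERE key = ?",
                         [(role_id, k) for k in keys])
    conn.executemany("INSERT INTO user_roles (user_id, role_id) "
                     "SELECT ?, id FROM roles WHERE name = ?", SAMPLE_USER_ROLES)
    conn.commit()
    return conn


def effective_permissions(conn, user_id):
    """Union of the permissions granted by every role the user holds."""
    rows = conn.execute(
        "SELECT DISTINCT p.key FROM user_roles ur "
        "JOIN role_permissions rp ON rp.role_id = ur.role_id "
        "JOIN permissions p ON p.id = rp.permission_id "
        "WHERE ur.user_id = ?", (user_id,))
    return frozenset(r[0] for r in rows)


def has_permission(conn, user_id, permission):
    return permission in effective_permissions(conn, user_id)


class HTTPError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def require_permission(permission):
    """Route guard: 401 with no session, 403 without the permission. This
    server-side check is the enforcement point; a hidden UI button is not."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(conn, session, *args, **kwargs):
            if not session or "user_id" not in session:
                raise HTTPError(401, "authentication required")
            if not has_permission(conn, session["user_id"], permission):
                raise HTTPError(403, f"missing permission {permission}")
            return handler(conn, session, *args, **kwargs)
        return wrapper
    return decorator


@require_permission("request:delete")
def delete_request(conn, session, request_id):
    """Hypothetical handler; the soft-delete itself is omitted."""
    return 200


def call(handler, conn, session, *args):
    """Invoke a guarded handler and return the HTTP status it would produce."""
    try:
        return handler(conn, session, *args)
    except HTTPError as exc:
        return exc.status
```

Running `effective_permissions()` against a real user id is also the quickest way to confirm what a customised deployment actually grants, since the tables, not this page, are authoritative. Note that a user with no role rows (user 5 here) ends up with an empty set and is refused with 403, which is the deny-by-default behaviour you want from the route guard.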