Authentication & Access Control · high complexity · extracted · Confidence: 100%
Components: 3 · Shared: 4 · User Stories: 0 · Analyzed: Yes

Description

Role-based access control enforces which screens, API endpoints, and platform capabilities each user type can access across the mobile app and admin portal. The system defines four roles - Peer Mentor, Coordinator, Organization Admin, and Global Admin - each with distinct access boundaries and home surfaces. On mobile, Organization Admins log in under the Coordinator profile. Global Admins are redirected to a no-access screen on mobile and may only access an organisation's operational data through a time-bounded, audited support access grant.

Sources & reasoning

Line 322 places the two mobile role profiles explicitly in Phase 1 / MVP scope. Lines 254-259 define all four roles with their access boundaries. RBAC is a prerequisite to every other feature - without it, sessions have no access scope. Blueprint confirms MVP. Phase 1 = MVP by ordinal mapping.

  • docs/source/likeperson.md · line 254-256
    4 defined user roles: Peer Mentor (Likeperson): Creates and tracks activities and follow-ups. Logs in to the Mobile App only.
  • docs/source/likeperson.md · line 322
    2 mobile role profiles: Peer Mentor, Coordinator (Organization Admins log in as Coordinator in the app context)

Analysis

Business Value

Without role enforcement, any authenticated user could access another organisation's data, approve their own expense claims, or trigger Bufdir exports - all of which would be security and compliance failures. RBAC is the mechanism that implements the strict tenant isolation and access boundaries described throughout the source document. The time-bounded Global Admin support access grant addresses a real operational need (Norse staff may need to investigate production issues) while satisfying the audit and privacy requirements of the partner organisations. Correct role enforcement from day one is non-negotiable: the platform handles personal health information, financial reimbursements, and encrypted sensitive assignments.

Implementation Notes

Roles and organisation memberships are stored in user_roles and user_organization_memberships tables. The Authentication Module attaches a generic claims bag (role, org membership) to access tokens without encoding product-specific semantics; the consuming products perform the actual authorization checks. RoleGuardMiddleware on the backend validates role and org scope before executing any module endpoint, checking the organisation named in the request against the memberships carried in the token rather than trusting a client-supplied org id. On mobile, the module registry reads the enabled module set and role from the bootstrap response to build the correct navigation surface at runtime; this shapes what the user sees, while the backend guard remains the enforcement boundary. The support_access_grants table implements time-bounded Global Admin access with automatic expiry and an audit log entry written on every support session.
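The following is an added example, not the project's own code, showing the shape of the checks described above in one place: a claims bag with role and org memberships, a deny-by-default guard that verifies org membership before role rank, Global Admin access only through an unexpired support grant with an audit entry per use, a separation-of-duties rule against self-approving expense claims, and the mobile role-to-surface mapping. All names (Claims, SupportGrant, RoleGuard, ENDPOINT_POLICY, mobile_surface) and the endpoint table are illustrative assumptions; the real tables, middleware and module names may differ.

```python
"""Added example (not project code): role/org-scope guard, support grants,
and the mobile surface mapping. All names and the policy table are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

PEER_MENTOR = "peer_mentor"
COORDINATOR = "coordinator"
ORG_ADMIN = "organization_admin"
GLOBAL_ADMIN = "global_admin"

# Rank is only used for "at least this role inside the org" comparisons.
# Global Admin is deliberately absent: it never ranks above an org role.
_RANK = {PEER_MENTOR: 1, COORDINATOR: 2, ORG_ADMIN: 3}

# Hypothetical policy: minimum role per (module, endpoint). Unlisted = denied.
ENDPOINT_POLICY = {
    ("activities", "create"): PEER_MENTOR,
    ("expenses", "approve"): COORDINATOR,
    ("bufdir", "export"): ORG_ADMIN,
}


@dataclass(frozen=True)
class Claims:
    """Generic claims bag carried by the access token (assumed shape)."""
    user_id: str
    role: str
    org_ids: frozenset  # organisations the user belongs to; empty for Global Admin


@dataclass
class SupportGrant:
    """One row of a hypothetical support_access_grants table."""
    admin_id: str
    org_id: str
    expires_at: datetime
    revoked: bool = False


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, **event) -> None:
        self.entries.append(event)


class RoleGuard:
    """Backend guard: runs before any module endpoint executes."""

    def __init__(self, grants, audit: AuditLog, now=None):
        self.grants = list(grants)
        self.audit = audit
        self.now = now or (lambda: datetime.now(timezone.utc))

    def _active_grant(self, admin_id: str, org_id: str) -> Optional[SupportGrant]:
        t = self.now()
        for g in self.grants:
            if (g.admin_id == admin_id and g.org_id == org_id
                    and not g.revoked and g.expires_at > t):
                return g
        return None

    def authorize(self, claims: Claims, org_id: str, module: str, endpoint: str,
                  resource_owner_id: Optional[str] = None) -> bool:
        required = ENDPOINT_POLICY.get((module, endpoint))
        if required is None:
            return False  # deny by default: no policy, no access
        # Separation of duties: nobody approves their own expense claim.
        if (module, endpoint) == ("expenses", "approve") and resource_owner_id == claims.user_id:
            return False
        if claims.role == GLOBAL_ADMIN:
            grant = self._active_grant(claims.user_id, org_id)
            if grant is None:
                return False  # no unexpired grant for this organisation
            self.audit.record(kind="support_access", admin_id=claims.user_id, org_id=org_id,
                              module=module, endpoint=endpoint,
                              grant_expires_at=grant.expires_at.isoformat())
            return True
        # Tenant isolation first: org_id comes from the request, membership from the token.
        if org_id not in claims.org_ids:
            return False
        return _RANK.get(claims.role, 0) >= _RANK[required]


def mobile_surface(role: str, enabled_modules) -> dict:
    """Mobile module registry (assumed): bootstrap role + modules -> navigation surface."""
    if role == GLOBAL_ADMIN:
        return {"screen": "no_access", "profile": None, "modules": []}
    profile = COORDINATOR if role == ORG_ADMIN else role  # Org Admin uses the Coordinator profile
    return {"screen": "home", "profile": profile, "modules": list(enabled_modules)}
```

The guard takes `now` as a callable so expiry can be tested deterministically; in production the grant lookup would be a query on support_access_grants and the audit record a row insert, but the ordering of checks (policy lookup, separation of duties, grant check for Global Admin, membership before rank for everyone else) is the part worth keeping.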

User Stories

No user stories have been generated for this feature yet.