Authorization, groups and rights
Introduction
Wogeez is a secure platform that requires appropriate user authorization to access various features and functionalities.
Wogeez uses a role-based access control (RBAC) mechanism to manage user rights. Each user is assigned to one or multiple groups, which determine their access level to different features within the application. While assigning a specific right to a user is possible, it is more complex to manage over time. Therefore, we recommend the use of groups for better scalability and maintainability.
If a user has broader rights on a parent company, those rights will take precedence over those assigned to subsidiary companies. We recommend always fine-tuning rights according to the least privilege principle (no default rights policy) and assigning groups and user-specific rights directly on subsidiary companies.
Groups
Below is a breakdown of the different groups and their respective permissions:
Owner
- The owner of the company
- Each user creating an account owns their own company and will be designated as the owner
- The owner has full access to all functionalities within the company
Warning
The owner has full access to all functionalities within the company. It is not recommended to use the owner account for daily operations. Instead, it is advised to create a personal account with fewer permissions to avoid security risks.
Company manager
- Can add or remove users from the company
- Can modify user roles within the company
Resource manager
- Can manage resources such as equipment, kiosks, etc.
Default
- The group where users are placed upon invitation
- It is the responsibility of the owner or a company manager to configure the appropriate accreditation level for each user
Rights by groups
Group | Technical group name (for API) | Rights | Technical rights names (for API) |
---|---|---|---|
OWNER | * (all) | ||
Company manager | COMPANY_MANAGER | Can customize a company (white-labeling settings) | CAN_PATCH_COMPANY |
Company manager | COMPANY_MANAGER | Can invite user to company | CAN_INVITE_USER_TO_COMPANY |
Company manager | COMPANY_MANAGER | Can remove user from company | CAN_REMOVE_USER_TO_COMPANY |
Resource manager | RESOURCE_MANAGER | Can read and list resources | CAN_READ_RESOURCE |
Resource manager | RESOURCE_MANAGER | Can create resource | CAN_CREATE_RESOURCE |
Resource manager | RESOURCE_MANAGER | Can change resource | CAN_PATCH_RESOURCE |
Resource manager | RESOURCE_MANAGER | Can delete resource | CAN_DELETE_RESOURCE |
Default | DEFAULT | - | - |
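
The following sketch is an added example, not Wogeez code, and shows how the group table and the parent-company rule combine into a user's effective rights, plus an audit that lists rights reaching a subsidiary only through a parent grant. Group and right names come from the table; the company hierarchy, the assignments, the function names, the `"*"` wildcard encoding and the reading of "take precedence" as inheritance from parent to subsidiary are assumptions.

```python
# Added illustration, not Wogeez code: data model and function names are assumed.
GROUP_RIGHTS = {  # group and right names as listed in the table above
    "OWNER": {"*"},
    "COMPANY_MANAGER": {"CAN_PATCH_COMPANY", "CAN_INVITE_USER_TO_COMPANY",
                        "CAN_REMOVE_USER_TO_COMPANY"},
    "RESOURCE_MANAGER": {"CAN_READ_RESOURCE", "CAN_CREATE_RESOURCE",
                         "CAN_PATCH_RESOURCE", "CAN_DELETE_RESOURCE"},
    "DEFAULT": set(),
}
# Constructed sample data: subsidiary -> parent company.
PARENT = {"sub-a": "holding", "sub-b": "holding"}
# Constructed sample assignments: (user, company) -> (groups, user-specific rights).
ASSIGNMENTS = {
    ("alice", "holding"): ({"RESOURCE_MANAGER"}, set()),
    ("alice", "sub-a"): ({"DEFAULT"}, set()),
    ("bob", "sub-a"): ({"DEFAULT"}, {"CAN_READ_RESOURCE"}),
    ("carol", "sub-b"): ({"COMPANY_MANAGER"}, set()),
}

def local_rights(user, company):
    """Rights granted directly on one company: group rights plus user-specific ones."""
    groups, direct = ASSIGNMENTS.get((user, company), (set(), set()))
    return set(direct).union(*(GROUP_RIGHTS[g] for g in groups))

def effective_rights(user, company):
    """Assumed model: rights held on any ancestor company also apply here."""
    rights, seen = set(), set()
    while company is not None and company not in seen:  # stop on cycles
        seen.add(company)
        rights |= local_rights(user, company)
        company = PARENT.get(company)
    return rights

def has_right(user, company, right):
    """Deny by default; '*' (OWNER) matches every right."""
    rights = effective_rights(user, company)
    return "*" in rights or right in rights

def audit_inherited():
    """Report rights a user holds on a company only through a parent grant."""
    findings = []
    for user in sorted({u for u, _ in ASSIGNMENTS}):
        for company in sorted(PARENT):
            extra = effective_rights(user, company) - local_rights(user, company)
            if extra:
                findings.append((user, company, sorted(extra)))
    return findings
```

With the sample data, `audit_inherited()` flags `alice` on both subsidiaries: her `RESOURCE_MANAGER` membership on the parent reaches `sub-b`, where she has no assignment at all.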
Privacy
All user actions and permissions are logged to ensure accountability. Users can request to review or modify their access levels in compliance with Wogeez security policies.