User Roles & Permissions

Records Rocket employs a robust Role-Based Access Control (RBAC) system to ensure that users can only access the features and data appropriate for their responsibilities. Roles are defined at the application level and enforced by our secure middleware.

Core Roles

Our platform defines the following key roles, as seen in /src/lib/models.ts:

  • user

    • The default role assigned to any new user upon their first login.
    • This role has very limited access, typically restricted to a landing page indicating their access is pending approval. They cannot view or interact with any case data.
  • provider

    • Represents a clinician (e.g., a doctor, surgeon) who performs the Independent Medical Evaluation (IME).
    • Can be assigned to specific cases.
    • Has full access to all documents, timelines, and reporting features for their assigned cases.
  • providerAssistant

    • A support role for staff who assist providers.
    • Can be assigned to cases to help with preparation, such as organizing documents, making initial annotations, and triaging information.
    • Has read and write access to assigned cases but may have restricted access to final report generation or approval steps.
  • tenantAdmin

    • An administrative user for a specific customer organization (tenant).
    • Manages users within their tenant (inviting new users, assigning roles).
    • Can create new cases and assign providers and assistants.
    • Has oversight access to all cases within their tenant.
  • siteAdmin

    • A top-level administrative role for Records Rocket personnel.
    • Manages tenants and has global oversight of the platform.
    • Has access to all data across all tenants for support and administrative purposes.
  • systemAdmin

    • The highest-level role, typically reserved for system developers and engineers.
    • Has unrestricted access to all system functions and data.

Permission Enforcement

Permissions are enforced at multiple levels:

  1. Route-based Middleware (/src/middleware.ts): Protects entire sections of the application. For example, access to the /siteadmin dashboard is restricted to users with SYSTEM_ADMIN_LEVEL_ACCESS.

  2. Data Access Layer (/src/lib/auth/authHelpers.ts): Every request for data (e.g., fetching a case or document) includes a check to ensure the user's role and tenant membership grant them permission to access that specific record.

  3. Case-Specific Permissions (UserCasePermissionRecord): For provider and providerAssistant roles, access is granted on a case-by-case basis through a specific permission record that links a user to a case.
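The sketch below shows how the data-access check and the case-specific permission record can combine into one deny-by-default decision. It is an added example, not code from Records Rocket's `authHelpers.ts`. The role names and `UserCasePermissionRecord` come from this page; the field names, the `canAccessCase` and `decideAll` helpers, the reason strings, and the tenant-before-grant ordering are assumptions.

```typescript
// Added illustration: shapes and names below are assumptions, not Records Rocket source.
type Role = "user" | "provider" | "providerAssistant" | "tenantAdmin" | "siteAdmin" | "systemAdmin";
interface SessionUser { id: string; tenantId: string; role: Role }
interface CaseRecord { id: string; tenantId: string }
interface UserCasePermissionRecord { userId: string; caseId: string } // assumed fields
interface Decision { allowed: boolean; reason: string }

const deny = (reason: string): Decision => ({ allowed: false, reason });
const allow = (reason: string): Decision => ({ allowed: true, reason });

// Deny by default: every branch that grants access names the rule that justified it.
function canAccessCase(user: SessionUser, c: CaseRecord, grants: UserCasePermissionRecord[]): Decision {
  switch (user.role) {
    case "systemAdmin":
    case "siteAdmin":
      return allow("global-oversight"); // all tenants, per the role descriptions
    case "tenantAdmin":
      return user.tenantId === c.tenantId ? allow("tenant-oversight") : deny("cross-tenant");
    case "provider":
    case "providerAssistant":
      // Tenant check first, so a stale or mistaken grant cannot cross tenants (assumed ordering).
      if (user.tenantId !== c.tenantId) return deny("cross-tenant");
      return grants.some(g => g.userId === user.id && g.caseId === c.id)
        ? allow("case-assignment")
        : deny("not-assigned");
    default:
      return deny("pending-approval"); // "user" and any unrecognised role value
  }
}

// Constructed sample data.
const sampleCase: CaseRecord = { id: "case-1", tenantId: "tenant-a" };
const sampleGrants: UserCasePermissionRecord[] = [
  { userId: "u-prov", caseId: "case-1" },
  { userId: "u-other-tenant", caseId: "case-1" }, // grant that should not have been created
];
const sampleUsers: SessionUser[] = [
  { id: "u-new", tenantId: "tenant-a", role: "user" },
  { id: "u-prov", tenantId: "tenant-a", role: "provider" },
  { id: "u-asst", tenantId: "tenant-a", role: "providerAssistant" },
  { id: "u-other-tenant", tenantId: "tenant-b", role: "provider" },
  { id: "u-tadmin-b", tenantId: "tenant-b", role: "tenantAdmin" },
  { id: "u-site", tenantId: "internal", role: "siteAdmin" },
];

function decideAll(): string[] {
  return sampleUsers.map(u => `${u.id}: ${canAccessCase(u, sampleCase, sampleGrants).reason}`);
}
```

Returning a reason alongside the decision gives audit logs enough detail to distinguish a missing assignment from a cross-tenant attempt.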