Use this admin guide to understand and maintain role-based access across UtopiaSpace. It is not a separate workspace page; it explains how admins should assign roles, review permissions, protect sensitive data, and keep access aligned with each user's actual responsibility.
Choose the role that matches the user's job responsibility and required workspace access.
Review what users can view, create, edit, approve, reject, process, debug, and manage.
Protect HR, finance, operational, admin, and technical data through scoped access.
Role
A role represents a user's responsibility in the organisation and controls which spaces or workflows they can access.
Permission
A permission defines an action a user can perform, such as view, create, edit, approve, reject, process, export, debug, or manage.
Scope
Scope limits access by company, branch, department, team, reporting line, assigned handler, or system-level authority.
RBAC
Role-Based Access Control is the system rule that checks whether a user can access a page, record, action, or data set.
Admin Access
Admin users have full access across spaces and records based on system-level permission, but admin access should still be granted carefully.
Admin
Full system-level access for user management, settings, configuration, role assignment, and cross-space oversight.
Reader
Read-only wiki or documentation access where users only need to view guides and information.
HR
Employee records, leave, attendance, overtime, HR requests, incident reports, improvement suggestions, and announcement management.
Manager
Team-level approvals, pending submissions, petty cash overview, feedback or incident review, and team workflow monitoring.
Director
Director-level approvals, higher-level review, company or department oversight, and escalated submission decisions.
Supervisor
Supervisor-level approvals, team submissions, operational review, and reporting employee workflows.
Account
Finance workflows including supplier payments, claims, backcharges, AP workspace, petty cash, payment processing, and finance review.
Credit
Rental Tracker access for rental accounts, payment status, overdue customers, collections, and repayment monitoring.
OE
Operation Attendance Record access for operational attendance, clock-in and clock-out data, attendance status, and workforce monitoring.
Indoor
Scaffolding access, including Delivery Order Printer workflows for scaffolding delivery orders, print preview, PDF generation, and reprint.
Developer
Technical operation access, including Supabase Usage, Server Monitoring, system health, and authorised debugging support.
View
Allows users to see records, dashboards, reports, tables, lists, details, or documentation.
Create
Allows users to submit new requests, forms, records, tickets, announcements, or operational entries.
Edit
Allows users to update existing records while respecting record status and scope rules.
Approve or Reject
Allows authorised users to make workflow decisions, usually with remarks or a rejection reason where applicable.
Process
Allows users to move approved records into account, payment, HR, operational, or admin processing.
Export or Print
Allows users to generate PDFs, export records, print delivery orders, or download operational documents.
Debug
Allows technical or IT users to inspect records for troubleshooting without granting unnecessary workflow control.
Manage
Allows users to configure users, roles, settings, references, or administrative records where authorised.
Company Scope
Limits records and actions to a user's company or authorised companies.
Branch Scope
Limits data by branch where workflows are branch-specific.
Department Scope
Restricts HR, attendance, approval, and operational records to an authorised department.
Team or Reporting Scope
Limits Manager and Supervisor access to reporting employees or assigned team records.
Role Scope
Restricts features by role, such as Credit seeing Rental Tracker only or OE seeing Operation Attendance Record.
Assigned Handler Scope
Restricts incident, suggestion, or workflow records to assigned reviewers or handlers where applicable.
Job Responsibility
Does the selected role match the user's actual duties?
Required Workspace
Does the user need access to this space or only documentation guidance?
Sensitive Data
Will the role expose HR, finance, payroll, technical, or personal employee data?
Approval Authority
Should the user approve or reject records, or only view and prepare them?
Processing Authority
Should the user process payments, publish announcements, export records, or print documents?
Temporary Access
If access is temporary, set a review reminder and remove it when no longer needed.
Role Assignment
Validate the selected role, confirm admin authority, update role or permission fields, refresh access, and log the change if applicable.
Permission Denied
If the user does not have the required role or scope, the system blocks or redirects access.
Workspace Visibility
Navigation should show only spaces and workflows the user is authorised to access.
Record Visibility
Data queries should respect role, company, branch, department, team, assigned handler, and admin scope rules.
Debugging Access
IT or Developer debugging access should be limited to troubleshooting needs and reviewed after the issue is resolved.
Audit Trail
Important role and permission changes should be traceable through update metadata or audit logs where available.
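The role, permission and scope checks described above can be combined into one deny-by-default decision, as in the added example below. It is not UtopiaSpace code: the resource names, record fields and grant table are hypothetical and constructed for illustration.

```javascript
// Added example: role -> permission -> scope decision, deny by default.
// Resource names, record fields and the grant table are hypothetical.
const GRANTS = {
  Manager:   { leave_request:    { actions: ["view", "approve", "reject"], scope: "team" } },
  Account:   { supplier_payment: { actions: ["view", "process"], scope: "company" } },
  Developer: { supplier_payment: { actions: ["debug"], scope: "company" } },
  Credit:    { rental_account:   { actions: ["view"], scope: "branch" } },
};

// Own-property lookup so a role or resource named "constructor" cannot match.
const own = (obj, key) =>
  obj && Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;

// A scope passes only when the record carries the field and it matches the user.
const SCOPE_CHECKS = {
  company: (u, r) => Boolean(r.company) && (u.companies || []).includes(r.company),
  branch: (u, r) =>
    SCOPE_CHECKS.company(u, r) && Boolean(r.branch) && (u.branches || []).includes(r.branch),
  team: (u, r) => Boolean(r.ownerId) && (u.reportIds || []).includes(r.ownerId),
  handler: (u, r) => Boolean(r.handlerId) && r.handlerId === u.id,
};

// Decide one request; anything not explicitly granted is denied.
function authorize(user, action, resource, record) {
  if (!user || !user.role || !record) return { allow: false, reason: "missing-input" };
  if (user.role === "Admin") return { allow: true, reason: "admin-system-level" };
  const grant = own(own(GRANTS, user.role), resource);
  if (!grant) return { allow: false, reason: "role-has-no-grant" };
  if (!grant.actions.includes(action)) return { allow: false, reason: "action-not-permitted" };
  const inScope = own(SCOPE_CHECKS, grant.scope);
  if (!inScope || !inScope(user, record)) return { allow: false, reason: "out-of-scope" };
  return { allow: true, reason: `${user.role}:${action}:${grant.scope}` };
}

// Record visibility: filter a result set with the same decision used for actions.
function visibleRecords(user, resource, records) {
  return records.filter((rec) => authorize(user, "view", resource, rec).allow);
}

// Constructed sample users and records.
const manager = { id: "u1", role: "Manager", reportIds: ["u7", "u8"] };
const developer = { id: "u2", role: "Developer", companies: ["ACME"] };
const teamLeave = { ownerId: "u7" };
const otherLeave = { ownerId: "u99" };
const payment = { company: "ACME" };
```

The returned reason string is suitable for writing to an audit log next to the user id and record id, so that denied and admin-level decisions remain traceable.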
The access rules below were moved from individual workspace and feature pages so role guidance stays in one place.
Employee
No access.
Supervisor
No access.
Manager
No access.
Director
Full access.
HR
No access.
Finance / Account
Full access.
Developer
No access.
Admin
Full access.
Role visibility: Most roles can read announcements, but only a smaller set of users should manage publication.
Employee
View announcements.
Supervisor
View announcements.
Manager
View announcements.
Director
Full access.
HR
Create, edit, and publish announcements.
Finance / Account
View announcements.
Developer
Create, edit, and publish announcements.
Admin
View announcements.
Google Sign-In
Users access UtopiaSpace using their official company Google account.
Supabase Authentication
Manages sessions and helps connect logged-in users to profile and access data.
Roles and Permissions
Determine whether a user can view, create, edit, approve, reject, process, or debug specific records.
Row Level Security
Protects data at the database level so sensitive rows are only available to authorised users.
Policy Metadata
Supports rule-driven access decisions and helps keep access behaviour consistent across modules.
Employee
View calendar records.
Supervisor
View calendar records.
Manager
View calendar records.
Director
Full access.
HR
Create, edit, and manage calendar records.
Finance / Account
View calendar records.
Developer
Create, edit, and manage calendar records.
Admin
View calendar records.
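This guide states that Admin users have full access across spaces and records, while the announcement and calendar tables above list Admin with view access only. The added example below (not UtopiaSpace code) encodes those two tables and lists every role that holds an action the Admin row lacks, so an admin can confirm whether each row is intended. The area keys and action keywords are this example's own encoding of the page's wording.

```javascript
// Added example: lint the two role tables above against the stated Admin rule.
// Area keys and action keywords are this example's own encoding of the page's wording.
const ROLE_TABLES = {
  announcements: {
    Employee: ["view"], Supervisor: ["view"], Manager: ["view"], Director: ["full"],
    HR: ["create", "edit", "publish"], "Finance / Account": ["view"],
    Developer: ["create", "edit", "publish"], Admin: ["view"],
  },
  calendar: {
    Employee: ["view"], Supervisor: ["view"], Manager: ["view"], Director: ["full"],
    HR: ["create", "edit", "manage"], "Finance / Account": ["view"],
    Developer: ["create", "edit", "manage"], Admin: ["view"],
  },
};

// For each area, list actions some other role holds that the reference role lacks.
// "full" is a wildcard: a reference role holding it can never have a gap.
function accessGaps(tables, referenceRole = "Admin") {
  const findings = [];
  for (const [area, rows] of Object.entries(tables)) {
    const held = new Set(rows[referenceRole] || []);
    if (held.has("full")) continue;
    const exceededBy = {};
    for (const [role, actions] of Object.entries(rows)) {
      if (role === referenceRole) continue;
      const extra = actions.filter((a) => !held.has(a));
      if (extra.length > 0) exceededBy[role] = extra;
    }
    if (Object.keys(exceededBy).length > 0) findings.push({ area, referenceRole, exceededBy });
  }
  return findings;
}
```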
Credit Role Required
System verifies the user through RBAC before Credit Space is displayed.
Unauthorised Access
If the user is not Credit or authorised credit personnel, access is blocked or redirected.
Scoped Records
Rental records are filtered by Credit user permission scope, company or branch where applicable, rental status, customer or tenant, and date range.
Admin Access
Admin users have full access to Credit Space and related rental records based on system-level permission.
Developer Role Required
System verifies the user through RBAC before Developer Space is displayed.
Unauthorised Access
If the user is not Developer or authorised technical personnel, access is blocked or redirected.
Module Permission
System checks Developer permission before showing Supabase usage data or server monitoring data.
Admin Access
Admin users have full access to Developer Space and technical monitoring modules based on system-level permission.
Employee
No access.
Supervisor
No access.
Manager
No access.
Director
Full access.
HR
No access.
Finance / Account
No access.
Developer
Full access.
Admin
Full access.
Employee
No access.
Supervisor
No access.
Manager
No access.
Director
No access.
HR
Full access.
Finance / Account
No access.
Developer
No access.
Admin
Full access.
Source page: Improvement Suggestion
Employee
Create and submit improvement suggestions.
Supervisor
Create suggestions and review team-related suggestions where assigned.
Manager
Review submitted suggestions, validate next steps, and follow up on ideas connected to their area.
Director
Review higher-level suggestions and monitor improvement ideas that affect wider operations.
HR
Review workplace, office, staff experience, and process improvement suggestions where relevant.
Developer
Review system, workflow, or automation suggestions that require technical changes.
Admin
Manage access and support suggestion review where needed.
Employee
Create and submit incident reports.
Supervisor
Create and submit incident reports; review reports where assigned by workflow.
Manager
Create, review, and follow up on incident reports connected to their area.
Director
Review incident reports and monitor higher-level operational issues.
HR
Review staff-related incidents and support follow-up action where needed.
Finance / Account
Review incidents connected to finance, orders, or account-related cases where relevant.
Developer
Review system issue reports and investigate technical problems.
Admin
Manage incident report access and support report review where needed.
Indoor Role Required
System verifies the user through RBAC before Indoor Space is displayed.
Unauthorised Access
If the user is not Indoor or authorised indoor personnel, access is blocked or redirected.
Scaffolding Scope
System verifies the user's permission before showing scaffolding records and Delivery Order Printer data.
Delivery Order Scope
Delivery orders are filtered by Indoor user permission scope, company or branch where applicable, customer or project, delivery order status, and date range.
Admin Access
Admin users have full access to Indoor Space, Scaffolding, and Delivery Order Printer based on system-level permission.
Employee
No access.
Supervisor
No access.
Manager
Full access.
Director
Full access.
HR
No access.
Finance / Account
No access.
Developer
No access.
Admin
Full access.
Employee
Create, edit, and view meeting notes.
Supervisor
Create, edit, and view meeting notes.
Manager
Create, edit, and view meeting notes.
Director
Full access to all meeting notes.
HR
Create, edit, and view meeting notes.
Finance / Account
Create, edit, and view meeting notes.
Developer
Create, edit, and view meeting notes.
Admin
Create, edit, and view meeting notes.
OE Role Required
System verifies the user through RBAC before OE Space is displayed.
Unauthorised Access
If the user is not OE or authorised Operation Executive personnel, access is blocked or redirected.
Scoped Records
Attendance records are filtered by OE user permission scope, company or branch where applicable, department or operation team, attendance date range, and attendance status.
Admin Access
Admin users have full access to OE Space and operation attendance records based on system-level permission.
Employee
No access.
Supervisor
Full access.
Manager
No access.
Director
Full access.
HR
No access.
Finance / Account
No access.
Developer
No access.
Admin
Full access.
Employee
Create, view, and update tasks.
Supervisor
Create, view, and update tasks.
Manager
Create, view, and update tasks.
Director
Full access.
HR
Create, view, and update tasks.
Finance / Account
Create, view, and update tasks.
Developer
Create, view, and update tasks.
Admin
Full access.