Permissions matrix
Every built-in role and what it can do. A ✅ means "has the permission"; a — means "does not have it".
Role scope
Every role except PegotecUser is scoped to a single company (their own tenant). PegotecUser is the only role that sees data across multiple companies.
Capabilities
| Capability | Technician | Mapper | Supervisor | Manager | Admin | Viewer | PegotecUser |
|---|---|---|---|---|---|---|---|
| Dashboard | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| View dashboard | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Tasks | |||||||
| View tasks | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Create tasks | — | ✅ | — | — | ✅ | — | ✅ |
| Edit tasks | — | ✅ | — | — | ✅ | — | ✅ |
| Delete tasks | — | ✅ | — | — | ✅ | — | ✅ |
| Assign tasks | — | ✅ | ✅ | — | ✅ | — | ✅ |
| Approve / reject tasks | — | ✅ | — | — | ✅ | — | ✅ |
| Execute tasks (mobile) | ✅ | ✅ | — | — | ✅ | — | ✅ |
| Asset hierarchy | |||||||
| View hierarchy | — | ✅ | ✅ | — | ✅ | ✅ | ✅ |
| Create / edit hierarchy | — | ✅ | — | — | ✅ | — | ✅ |
| Delete hierarchy | — | ✅ | — | — | ✅ | — | ✅ |
| Components | |||||||
| View components | — | ✅ | — | — | ✅ | ✅ | ✅ |
| Create / edit / delete | — | ✅ | — | — | ✅ | — | ✅ |
| Scheduling | |||||||
| View schedules | — | ✅ | ✅ | — | ✅ | ✅ | ✅ |
| Create / edit / delete | — | ✅ | — | — | ✅ | — | ✅ |
| Safety procedures | |||||||
| View safety | — | ✅ | ✅ | — | ✅ | ✅ | ✅ |
| Create / edit / delete | — | ✅ | — | — | ✅ | — | ✅ |
| Reports | |||||||
| View reports | — | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Export reports | — | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Settings | |||||||
| View settings | — | ✅ | — | — | ✅ | ✅ | ✅ |
| Edit settings | — | — | — | — | ✅ | — | ✅ |
| Users and roles | |||||||
| View users | — | ✅ | — | — | ✅ | — | ✅ |
| Create / edit / delete users | — | ✅ | — | — | ✅ | — | ✅ |
| View roles | — | ✅ | — | — | ✅ | — | ✅ |
| Create / edit / delete roles | — | — | — | — | ✅ | — | ✅ |
| Companies | |||||||
| Manage companies | — | — | — | — | — | — | ✅ |
| Mobile features | |||||||
| NFC scan | — | ✅ | ✅ | — | ✅ | — | ✅ |
| NFC write | — | ✅ | — | — | ✅ | — | ✅ |
| QR / barcode scan | ✅ | ✅ | ✅ | — | ✅ | — | ✅ |
| Execute task | ✅ | ✅ | — | — | ✅ | — | ✅ |
| Submit repair request | ✅ | ✅ | — | — | ✅ | — | ✅ |
| Report shutdown | ✅ | ✅ | — | — | ✅ | — | ✅ |
| Create hierarchy on mobile | — | ✅ | — | — | ✅ | — | ✅ |
| Cross-tenant | |||||||
| Switch active company | — | — | — | — | — | — | ✅ |
Notes on specific roles
Technician
Intentionally minimal on the web — technicians see a dashboard and their own tasks read-only. Everything productive happens in the mobile app.
Mapper
Has both data-modeling authority (full CRUD on hierarchy, components, safety, schedules) and user-management authority within the company. This is deliberate: a mapper usually also sets up the team structure during an installation's initial commissioning.
Supervisor
Read-mostly except for the two write privileges that define the role: assign and approve/reject tasks.
Manager
Designed purely for consumption. No create/edit/delete anywhere. If you need a dashboard-only user who's allowed to click into a task to read its details, this is the role.
Admin
The only role with the settings.edit permission. Acts as the tenant owner within a customer company.
Viewer
The strictest read-only role. No mobile access at all.
PegotecUser
The only role with manage-companies and the only role that can switch tenant context via the X-Company-ID header. Everything else looks like Admin.
Multiple roles
A user can hold more than one role. Their effective permission set is the union of all assigned roles. There's no subtraction or priority ordering — more roles mean more access.
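The union rule above and the X-Company-ID rule from the PegotecUser note, sketched as a server-side check. This is an added example, not the product's own code: only `settings.edit` is a permission name from this page, while the other permission identifiers, the `company.switch` name, the user dict shape and the `Forbidden` exception are assumptions, and only a slice of the matrix is encoded.

```python
# Added example. "settings.edit" is the only permission name taken from the
# page; every other identifier, and the user dict shape, is hypothetical.
ROLE_PERMISSIONS = {  # a slice of the matrix, not all 40+ permissions
    "Technician": {"dashboard.view", "tasks.view", "tasks.execute"},
    "Supervisor": {"dashboard.view", "tasks.view", "tasks.assign", "reports.view"},
    "Viewer": {"dashboard.view", "tasks.view", "reports.view", "settings.view"},
    "Admin": {"dashboard.view", "tasks.view", "tasks.assign", "tasks.execute",
              "reports.view", "settings.view", "settings.edit"},
}
# PegotecUser: Admin-like, plus the two cross-tenant permissions.
ROLE_PERMISSIONS["PegotecUser"] = ROLE_PERMISSIONS["Admin"] | {
    "companies.manage", "company.switch"}


class Forbidden(Exception):
    """Raised when a request must be refused (map to HTTP 403)."""


def effective_permissions(roles):
    """Union of all assigned roles; an unknown role name grants nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return frozenset(perms)


def resolve_company(user, headers):
    """Pick the tenant for this request, trusting X-Company-ID only when allowed."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    requested = lowered.get("x-company-id")
    if requested is None or requested == user["company_id"]:
        return user["company_id"]
    if "company.switch" in effective_permissions(user["roles"]):
        return requested
    # Assumption: refuse rather than silently ignore, so the attempt shows up in logs.
    raise Forbidden(f"user {user['id']} may not act on company {requested}")


def authorize(user, headers, permission):
    """Return the company the action applies to, or raise Forbidden."""
    company = resolve_company(user, headers)
    if permission not in effective_permissions(user["roles"]):
        raise Forbidden(f"user {user['id']} lacks {permission}")
    return company
```

Because roles only ever add permissions, a review of a user's access has to look at the union of their roles, not at any single role in isolation.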
Changing permissions per role
Admins can create custom roles with any combination of the 40+ underlying permissions on the Roles page in the web portal. The seven roles above are the built-in defaults, pre-seeded on installation.