Skip to main content

Default Role Permissions

This document describes the default permission sets for the four standard roles in the InnoQualis EQMS system. These permissions are automatically assigned when roles are created through the seed scripts or database initialization.

Overview​

The system includes four default roles, each with a specific set of permissions designed for their intended use cases:

  • Admin: Full system access with administrative capabilities
  • QA: Quality assurance and compliance oversight
  • User: Basic user access for regular operations
  • External Auditor: Read-only audit access with scoped permissions

Admin Role - Full System Access​

The Admin role has complete access to all system features and administrative functions.

Document Permissions​

  • documents.create - Create new documents
  • documents.read - Read/view documents
  • documents.update - Update existing documents
  • documents.delete - Delete documents
  • documents.approve - Approve documents
  • documents.release - Release documents to production
  • documents.view_versions - View/download document versions

Deviation Permissions​

  • deviations.create - Create deviations
  • deviations.read - Read deviations
  • deviations.update - Update deviations
  • deviations.approve - Approve deviations
  • deviations.close - Close deviations

CAPA Permissions​

  • capa.create - Create CAPA actions
  • capa.read - Read CAPA records
  • capa.update - Update CAPA actions
  • capa.approve - Approve CAPA actions
  • capa.close - Close CAPA records

Training Permissions​

  • training.read - Read training records
  • training.complete - Complete training records
  • training.assign - Assign training to users
  • training.view_reports - View training reports

Audit Permissions​

  • audit.read - Read audits
  • audit.create - Create audits
  • audit.view_trails - View audit trails
  • audit.export_reports - Export audit reports
  • audit.manage_auditors - Invite/allocate auditors

User Management Permissions​

  • users.read - Read/view user accounts
  • users.manage - Manage user accounts
  • roles.manage - Manage roles and permissions

System Permissions​

  • metrics.view_dashboard - View system metrics and analytics
  • system.admin - System administration
  • system.logs - Access system logs
  • notifications.view - View notifications

QA Role - Quality Assurance Access​

The QA role is designed for quality assurance and compliance oversight personnel who need to manage documents, deviations, CAPAs, and training while maintaining audit capabilities.

Document Permissions​

  • documents.create - Create new documents
  • documents.read - Read/view documents
  • documents.update - Update existing documents
  • documents.approve - Approve documents
  • documents.release - Release documents to production
  • documents.view_versions - View/download document versions

Deviation Permissions​

  • deviations.create - Create deviations
  • deviations.read - Read deviations
  • deviations.update - Update deviations
  • deviations.approve - Approve deviations
  • deviations.close - Close deviations

CAPA Permissions​

  • capa.create - Create CAPA actions
  • capa.read - Read CAPA records
  • capa.update - Update CAPA actions
  • capa.approve - Approve CAPA actions
  • capa.close - Close CAPA records

Training Permissions​

  • training.read - Read training records
  • training.complete - Complete training records
  • training.assign - Assign training to users
  • training.view_reports - View training reports

Audit Permissions​

  • audit.read - Read audits
  • audit.create - Create audits
  • audit.view_trails - View audit trails
  • audit.export_reports - Export audit reports
  • audit.manage_auditors - Invite/allocate auditors

User Management Permissions​

  • users.read - Read/view user accounts (required for groups/departments access)

System Permissions​

  • metrics.view_dashboard - View system metrics and analytics
  • system.logs - Access system logs
  • notifications.view - View notifications

Key Differences from Admin​

  • Cannot delete documents - No documents.delete permission
  • Cannot manage users - No users.manage permission
  • Cannot manage roles - No roles.manage permission
  • Cannot access system admin - No system.admin permission

User Role - Basic User Access​

The User role provides basic access for regular users to view documents, report deviations, and complete training.

Document Permissions​

  • documents.read - Read/view documents

Deviation Permissions​

  • deviations.create - Create deviations
  • deviations.read - Read deviations

CAPA Permissions​

  • capa.read - Read CAPA records

Training Permissions​

  • training.complete - Complete training records

System Permissions​

  • notifications.view - View notifications

Key Limitations​

  • Read-only document access - Cannot create, update, approve, or delete documents
  • Cannot manage CAPAs - Can only view CAPA records
  • Cannot assign training - Can only complete assigned training
  • No audit access - Cannot view audit trails or reports
  • No administrative access - Cannot manage users, roles, or system settings

External Auditor Role - Read-Only Audit Access​

The External Auditor role provides read-only access with scoped audit capabilities. This role is designed for external auditors who need to review documents and audit findings but should not have global audit trail access.

Document Permissions​

  • documents.read - Read/view documents

Deviation Permissions​

  • deviations.read - Read deviations

CAPA Permissions​

  • capa.read - Read CAPA records

Training Permissions​

  • training.view_reports - View training reports

Audit Permissions​

  • audit.read - Read audits (scoped via allocations, not global)

System Permissions​

  • notifications.view - View notifications

Important Security Notes​

  • No global audit trail access - Does NOT have audit.view_trails permission
  • Scoped audit access - Can only access audit trails for documents they are allocated to via router-level permissions
  • No export capabilities - Does NOT have audit.export_reports permission to prevent global data leakage
  • Read-only access - Cannot create, update, or delete any records

Custom Roles​

Administrators can create custom roles with custom permission sets through the system settings. Custom roles allow organizations to:

  • Create role-specific permission combinations
  • Assign roles to specific users
  • Tailor access control to organizational needs

When creating custom roles, administrators should consider:

  • Principle of least privilege - Grant only necessary permissions
  • Separation of duties - Ensure critical actions require multiple approvals
  • Audit requirements - Maintain appropriate audit trail access
  • Compliance needs - Ensure roles meet regulatory requirements

Permission Naming Convention​

Permissions follow a consistent naming pattern: {module}.{action}

  • Module: The system module (documents, deviations, capa, training, audit, users, roles, metrics, system, notifications)
  • Action: The specific action (create, read, update, delete, approve, close, assign, complete, etc.)

Examples:

  • documents.create - Create documents
  • deviations.approve - Approve deviations
  • users.manage - Manage user accounts

Updating Default Permissions​

Default role permissions are defined in:

  • backend/seed.py - For seeding new databases
  • backend/init_db.py - For database initialization
  • backend/fix_permissions.py - For updating existing databases

To update permissions for existing roles, run:

docker compose exec backend python fix_permissions.py

This script is idempotent and can be run multiple times safely.