RBAC (Roles and Permissions)

This page describes the role-based access control model used by EQMS and how it applies across modules.

Roles

Common roles:

  • Admin: user and role management, elevated permissions
  • QA: approvals, updates, reporting
  • Auditor: read-only access and exports
  • User: limited read and training completion

The backend enforces permissions at the API route level: each protected route requires a permission that the caller's role must grant. The test suite contains examples of protected routes and of the permission boundaries between roles.

Guidance

  • Prefer least-privilege assignments.
  • Validate role boundaries after changes using a simple test matrix (login, attempt restricted actions, confirm failures where expected).
  • Document any temporary exceptions and review frequently.
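The following is an added illustration, not EQMS project code, of how the route-level enforcement described above and the guidance's test matrix fit together. Only the four role names come from this page; the permission strings, the route table, the `Principal` and `TemporaryGrant` types, and the sample expectations are assumptions made for the example. The model is deny-by-default: a route with no entry in the table, or a role with no entry in the permission map, grants nothing.

```python
# Added example (not EQMS project code). Role names are from the page;
# permission names, routes, and sample data are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed permission model: role -> set of permission strings.
# Anything not listed is denied, which is least privilege by construction.
ROLE_PERMISSIONS = {
    "Admin":   {"users:manage", "roles:manage", "records:read", "records:update",
                "records:approve", "reports:run", "exports:run", "training:complete"},
    "QA":      {"records:read", "records:update", "records:approve",
                "reports:run", "training:complete"},
    "Auditor": {"records:read", "reports:run", "exports:run"},
    "User":    {"records:read", "training:complete"},
}

# Assumed route table: (method, path) -> permission required to call it.
ROUTE_PERMISSIONS = {
    ("GET",  "/api/records"):                 "records:read",
    ("PUT",  "/api/records/{id}"):            "records:update",
    ("POST", "/api/records/{id}/approve"):    "records:approve",
    ("GET",  "/api/exports"):                 "exports:run",
    ("POST", "/api/users"):                   "users:manage",
    ("POST", "/api/training/{id}/complete"):  "training:complete",
}


@dataclass(frozen=True)
class Principal:
    username: str
    roles: frozenset


@dataclass(frozen=True)
class TemporaryGrant:
    """Assumed shape of a documented temporary exception: who, what, why, until when."""
    username: str
    permission: str
    reason: str
    expires_at: datetime


class Forbidden(Exception):
    pass


def has_permission(principal, permission, grants=(), now=None):
    # Roles missing from the table contribute nothing (no accidental grant).
    if any(permission in ROLE_PERMISSIONS.get(r, set()) for r in principal.roles):
        return True
    # Temporary exceptions only count while unexpired, so a forgotten
    # grant lapses on its own instead of becoming permanent.
    now = now or datetime.now(timezone.utc)
    return any(g.username == principal.username and g.permission == permission
               and g.expires_at > now for g in grants)


def authorize(principal, method, path, grants=(), now=None):
    # Route-level enforcement: an unregistered route is denied outright,
    # so a newly added endpoint cannot silently become public.
    required = ROUTE_PERMISSIONS.get((method, path))
    if required is None or not has_permission(principal, required, grants, now):
        raise Forbidden(f"{principal.username} may not {method} {path}")
    return required


def run_test_matrix(expected, grants=(), now=None):
    """The guidance's test matrix: for each (role, method, path), check that the
    outcome matches the expectation. Returns the list of mismatches (empty is good)."""
    mismatches = []
    for (role, method, path), should_allow in expected.items():
        p = Principal(username=f"test-{role.lower()}", roles=frozenset({role}))
        try:
            authorize(p, method, path, grants, now)
            allowed = True
        except Forbidden:
            allowed = False
        if allowed != should_allow:
            mismatches.append((role, method, path, allowed))
    return mismatches


# Constructed expectations for the matrix; the last row checks the unregistered-route case.
EXPECTED_MATRIX = {
    ("Admin",   "POST", "/api/users"):                  True,
    ("QA",      "POST", "/api/users"):                  False,
    ("QA",      "POST", "/api/records/{id}/approve"):   True,
    ("Auditor", "PUT",  "/api/records/{id}"):           False,
    ("Auditor", "GET",  "/api/exports"):                True,
    ("User",    "GET",  "/api/exports"):                False,
    ("User",    "POST", "/api/training/{id}/complete"): True,
    ("User",    "GET",  "/api/unregistered"):           False,
}

# Constructed clock and exceptions: one active grant, one already expired.
FIXED_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE_GRANTS = (
    TemporaryGrant("auditor-1", "records:update", "ticket PLACEHOLDER-1", FIXED_NOW + timedelta(days=7)),
    TemporaryGrant("user-2", "exports:run", "ticket PLACEHOLDER-2", FIXED_NOW - timedelta(days=1)),
)

if __name__ == "__main__":
    bad = run_test_matrix(EXPECTED_MATRIX)
    print("matrix OK" if not bad else f"mismatches: {bad}")
```

Running the matrix after every role or route change, as the guidance recommends, turns "confirm failures where expected" into a repeatable check; keeping the expected outcomes in data rather than in code also makes the review of temporary exceptions a matter of reading one table and one list of grants with their expiry dates.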

User help page for RBAC basics: /user/rbac-basics