RBAC & Permissions
Effective March 1, 2026
DecisionHost enforces role-based access control (RBAC) across the entire platform. Every API request and UI action is checked against the authenticated user's assigned permissions before execution. This document describes the permission model, default roles, and customization options available to tenant administrators.
1. Permission Model
Permissions follow a category:action format (e.g., scenarios:view, decisions:approve). Each permission grants access to a specific operation within a resource category. Permissions are additive — a user can perform an action only if at least one of their assigned roles includes the required permission.
Enforcement occurs at two layers:
- API middleware: Every request is validated against the caller's permission set before reaching business logic
- Row-Level Security (RLS): Database queries are scoped to the user's tenant and, where applicable, ownership or approval status
2. Permission Categories
The platform defines 49 permissions across 9 categories:
Scenarios (8 permissions)
scenarios:view— View all scenarios in the tenantscenarios:view_own— View only scenarios you createdscenarios:view_approved— View only approved scenariosscenarios:create— Create new scenariosscenarios:edit— Edit existing scenariosscenarios:delete— Delete scenariosscenarios:share— Share scenarios with other users or externallyscenarios:run— Execute scenario model runs
Templates (4 permissions)
templates:view— View available templatestemplates:create— Create new templatestemplates:edit— Edit existing templatestemplates:delete— Delete templates
KPIs (7 permissions)
kpis:view— View KPI definitions and valueskpis:create— Create new KPIskpis:edit— Edit KPI definitionskpis:delete— Delete KPIskpis:manage_alerts— Configure KPI alert thresholds and notificationskpis:manage_dashboards— Manage KPI dashboard layoutskpis:export— Export KPI data
Decisions (14 permissions)
decisions:view— View all decisions in the tenantdecisions:view_own— View only decisions you createddecisions:view_approved— View only approved decisionsdecisions:create— Create new decision recordsdecisions:edit— Edit decision detailsdecisions:delete— Delete decisionsdecisions:submit— Submit decisions for approvaldecisions:approve— Approve decisions at standard leveldecisions:approve_final— Grant final approval on decisionsdecisions:override— Override approval workflowsdecisions:escalate— Escalate decisions to higher authoritydecisions:manage_workflows— Configure approval workflowsdecisions:export— Export decision datadecisions:record_outcomes— Record real-world outcomes against decisions
Teams (4 permissions)
teams:view— View team membership and structureteams:create— Create new teamsteams:edit— Edit team membership and settingsteams:delete— Delete teams
Plugins (3 permissions)
plugins:view— View available decision model pluginsplugins:execute— Execute plugin model runsplugins:manage— Install, update, and remove plugins
Administration (5 permissions)
admin:users— Manage user accounts (invite, deactivate, assign roles)admin:roles— Create and manage custom rolesadmin:settings— Manage tenant-level settingsadmin:billing— View and manage billing and subscriptionsadmin:audit— Access administrative audit functions
Audit (2 permissions)
audit:view— View audit logs and compliance recordsaudit:export— Export audit log data
Dashboards (2 permissions)
dashboards:view— View standard dashboards and reportsdashboards:view_executive— View executive-level dashboards
3. Default Roles
Every tenant starts with six built-in roles. These roles cannot be deleted but their permissions can be viewed for reference when creating custom roles.
Administrator
Full system access. Manages users, roles, settings, billing, and all platform features. Holds all 49 permissions.
Executive
Strategic decision authority. Has full scenario, template, KPI, and decision access including final approval and override capabilities. Can manage teams and view audit logs. Does not have user management or billing permissions.
Decision Approver
Tactical approval authority. Can view scenarios, approve standard decisions, escalate to executives, and export data. Cannot create or edit templates, delete resources, or grant final approvals.
Decision Analyst
Creates and prepares decision scenarios. Has full edit access to scenarios and templates, can create KPIs and manage alerts, and submits decisions for approval. Cannot approve or override decisions.
Auditor
Compliance and audit access. Read-only access to all scenarios, decisions, KPIs, and full audit log access with export. Cannot create, edit, or delete any resources.
Viewer
Stakeholder access. Can view only approved scenarios and decisions, browse templates, view KPIs, and access standard dashboards. The most restricted default role.
4. Custom Roles
Tenant administrators with the admin:roles permission can create custom roles with any subset of the 49 available permissions. Custom roles are useful for:
- Department-specific access (e.g., HR analysts who can only view HR-related models)
- Contractor or external consultant access with limited scope
- Separation of duties required by compliance frameworks (SOX, SOC 2, etc.)
- Temporary elevated access for specific projects
5. Role Assignment
Users can be assigned one or more roles. When a user holds multiple roles, their effective permission set is the union of all permissions from all assigned roles. Role assignments are tracked in the audit log for compliance purposes.
6. Audit and Compliance
All permission checks, role changes, and access control events are recorded in immutable audit logs (protected by S3 Object Lock). Audit log retention varies by plan tier: 30 days for Starter, 180 days for Professional, and custom retention for Enterprise customers.
7. Contact
For questions about access control or to request Enterprise RBAC features, contact us at security@decisionledgerai.com.