Roles & Permissions
Roles & Permissions Matrix (RBAC) for all MASARUK systems
1. Purpose of This Document
This document defines the complete Roles & Permissions model (RBAC) across all MASARUK systems:
- Admin Panel (Super Admin + Admin)
- Provider Portal (Provider Admin + Provider Staff)
- B2C Web
- Mobile App
The matrix ensures consistent authorization across: Node.js Backend (RBAC middleware), Next.js Web (React Query access rules), Flutter Mobile App (feature gating), Admin / Provider dashboards.
2. Role Definitions
SUPER_ADMIN
The highest privileged role. Full access to all modules, settings, financials, providers, users, and platform-wide configuration.
ADMIN
Internal platform admin (but not owner). Manages trips, bookings, financial reports, user support, and approvals — but cannot modify system-wide settings.
PROVIDER_ADMIN
Owner/manager of a tourism company. Can create and manage: Trips, Hotels, Buses, Drivers, Rest stops, Ad campaigns. View bookings related to their own trips only.
PROVIDER_STAFF
Limited access within a provider company. View & edit trips, manage buses/hotels/rest stops (except deletion). Cannot access financial reports or ad campaign billing.
CUSTOMER (END_USER)
B2C user on Web & Mobile. Browse trips, create bookings, pay online, rate completed trips, manage own profile & bookings only.
FINANCE_ADMIN
Responsible for: Financial records, payout statuses, exporting reports.
SUPPORT_AGENT
Customer support role (view-only access to bookings + send messages).
3. Global Permission Categories
| Category | Modules Included |
|---|---|
| Users Management | Users, Providers, Provider Staff |
| Trips Management | Trips, Hotels, Buses, Drivers, Rest Stops |
| Booking Operations | Bookings, Passengers, Cancellations, Messaging |
| Ratings & Reviews | Trip ratings from mobile flow |
| Ad Campaigns | Paid campaigns & payment steps |
| Financial Reports | Sales, commissions, payouts |
| Platform Settings | System config, SMS/email settings |
| Authentication | Login, Signup, JWT Tokens |
4. Permissions Legend
5. Full RBAC Matrix
5.1 User & Provider Management
| Action | SUPER_ADMIN | ADMIN | PROVIDER_ADMIN | PROVIDER_STAFF | CUSTOMER |
|---|---|---|---|---|---|
| View platform users | V C U D | V | - | - | - |
| Manage providers | V C U D A | V U | - | - | - |
| Manage provider staff | V C U D | V U | V C U D* | - | - |
| Edit own profile | - | - | U | U | U |
* only own provider
5.2 Trips Management
| Action | SUPER_ADMIN | ADMIN | PROVIDER_ADMIN | PROVIDER_STAFF | CUSTOMER |
|---|---|---|---|---|---|
| View all trips | V | V | V* | V* | V |
| Create new trip | C | C | C | C | - |
| Update trip | U | U | U | U | - |
| Delete trip | D | D | D | - | - |
| Manage hotels | V C U D | V C U D | V C U D* | V C U | - |
| Manage buses | V C U D | V C U D | V C U D* | V C U | - |
* only own provider's resources
5.3 Bookings & Passengers
| Action | SUPER_ADMIN | ADMIN | PROVIDER_ADMIN | SUPPORT | CUSTOMER |
|---|---|---|---|---|---|
| View all bookings | V | V | V* | V | V** |
| Create booking | X | X | - | - | C |
| Cancel booking | X | X | X* | - | X*** |
| Send message to customer | X | X | - | X | - |
* own trips only
** own bookings only
*** subject to cancellation policy
5.4 Payments & Financial Records
| Action | SUPER_ADMIN | ADMIN | PROVIDER_ADMIN | FINANCE | CUSTOMER |
|---|---|---|---|---|---|
| View payment transactions | V | V | V* | V | V* |
| Issue refunds | X | X | - | X | - |
| View financial reports | V | V | V* | V | - |
| Export reports | X | X | X* | X | - |
| Update payout status | X | X | - | X | - |
* own records only
5.5 Ad Campaigns
| Action | SUPER_ADMIN | ADMIN | PROVIDER_ADMIN | PROVIDER_STAFF | CUSTOMER |
|---|---|---|---|---|---|
| View campaigns | V | V | V* | V* | - |
| Create campaign | C | C | C | - | - |
| Edit campaign | U | U | U | - | - |
| Pay for campaign | X | X | X | - | - |
* own campaigns only
5.7 Scheduled Dates Management (Slice 9)
SSOT: trips-module.md §12
| Action | SUPER_ADMIN | ADMIN | PROVIDER_ADMIN | PROVIDER_STAFF |
|---|---|---|---|---|
| View scheduled dates | V | V | V* | V* |
| Create single date | C | C | C | C |
| Bulk generate dates | C | C | C | - |
| Edit scheduled date | U | U | U* | U* |
| Delete scheduled date | D | D | D* | - |
| Change to INACTIVE | A | A | A* | - |
| Change to SOLD_OUT | A | A | A* | A* |
| Change to CANCELLED | A | A | A* | - |
PROVIDER_STAFF cannot bulk generate, delete, or cancel scheduled dates. A scheduled date that already has bookings cannot be deleted, and its departure_datetime cannot be edited.
6. Cross-Module Permission Notes
6.1 Provider Isolation
Provider Admin / Staff cannot see or manage trips, bookings, or financials belonging to another provider.
This is enforced at the API level via:
- provider_id matching
- scopes in token
- Policy conditions
6.2 Customer Data Protection
Customers cannot:
- Access admin APIs
- View other users' data
- Modify trip or financial data
7. Technical Implementation
```typescript
// Node.js RBAC Middleware Example
import { Request, Response, NextFunction } from 'express';

// Role identifiers as defined in section 2
export enum UserRole {
  SUPER_ADMIN = 'SUPER_ADMIN', ADMIN = 'ADMIN', PROVIDER_ADMIN = 'PROVIDER_ADMIN',
  PROVIDER_STAFF = 'PROVIDER_STAFF', FINANCE_ADMIN = 'FINANCE_ADMIN',
  SUPPORT_AGENT = 'SUPPORT_AGENT', CUSTOMER = 'CUSTOMER',
}
// req.user is populated by authMiddleware; req.providerScope by providerScopeMiddleware
interface AuthedRequest extends Request {
  user?: { id: string; role: UserRole; providerId?: string };
  providerScope?: string;
}

// Rejects unauthenticated callers and any role not in the allow list (deny by default)
const requireRoles = (...allowedRoles: UserRole[]) => {
  return (req: AuthedRequest, res: Response, next: NextFunction) => {
    if (!req.user || !allowedRoles.includes(req.user.role)) {
      return res.status(403).json({ error: 'FORBIDDEN' });
    }
    next();
  };
};

// Usage Example (router, authMiddleware and tripsController are defined elsewhere in the backend)
router.post('/trips', authMiddleware, requireRoles(UserRole.PROVIDER_ADMIN), tripsController.create);

// Provider Scope Middleware: pins provider users to their own provider_id so that
// downstream queries only touch that provider's resources (section 6.1)
const providerScopeMiddleware = (req: AuthedRequest, res: Response, next: NextFunction) => {
  if (req.user && (req.user.role === UserRole.PROVIDER_ADMIN || req.user.role === UserRole.PROVIDER_STAFF)) {
    req.providerScope = req.user.providerId;
  }
  next();
};
```
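The middleware above answers "is this role allowed?"; the `*` / `**` cells in the matrix and the isolation rules in section 6 also require "does this resource belong to the caller?". The following is an added example, not MASARUK's code, of a policy function that encodes both checks for a few rows of 5.2, 5.3 and 5.7; the action names and the bookingCount field are assumptions.

```typescript
// Roles and scope qualifiers as written in this document's matrix.
type Role = 'SUPER_ADMIN' | 'ADMIN' | 'PROVIDER_ADMIN' | 'PROVIDER_STAFF'
  | 'FINANCE_ADMIN' | 'SUPPORT_AGENT' | 'CUSTOMER';
// 'any' = unqualified cell, 'provider' = "*" (own provider only), 'own' = "**" (own record only)
type Scope = 'any' | 'provider' | 'own';
// Action names are assumed; they are not identifiers from the document.
type Action = 'trip:view' | 'trip:delete' | 'scheduledDate:bulkGenerate'
  | 'scheduledDate:delete' | 'booking:view';

interface User { id: string; role: Role; providerId?: string }
// bookingCount is a hypothetical field backing the section 5.7 "dates with bookings" rule
interface Resource { providerId?: string; customerId?: string; bookingCount?: number }

// Rows transcribed from 5.2, 5.3 and 5.7. A missing (action, role) cell means no grant.
const POLICY: Record<Action, Partial<Record<Role, Scope>>> = {
  'trip:view': { SUPER_ADMIN: 'any', ADMIN: 'any', PROVIDER_ADMIN: 'provider',
                 PROVIDER_STAFF: 'provider', CUSTOMER: 'any' },
  'trip:delete': { SUPER_ADMIN: 'any', ADMIN: 'any', PROVIDER_ADMIN: 'provider' },
  'scheduledDate:bulkGenerate': { SUPER_ADMIN: 'any', ADMIN: 'any', PROVIDER_ADMIN: 'provider' },
  'scheduledDate:delete': { SUPER_ADMIN: 'any', ADMIN: 'any', PROVIDER_ADMIN: 'provider' },
  'booking:view': { SUPER_ADMIN: 'any', ADMIN: 'any', PROVIDER_ADMIN: 'provider',
                    SUPPORT_AGENT: 'any', CUSTOMER: 'own' },
};

// Deny by default. The role grant is necessary but not sufficient: a scoped grant also
// requires the resource to belong to the caller (6.1 provider isolation, 6.2 customer
// data protection), and 5.7 forbids deleting a scheduled date that already has bookings.
function can(user: User, action: Action, resource: Resource): boolean {
  const scope = POLICY[action][user.role];
  if (scope === undefined) return false;
  if (action === 'scheduledDate:delete' && (resource.bookingCount ?? 0) > 0) return false;
  if (scope === 'any') return true;
  if (scope === 'provider') {
    return user.providerId !== undefined && user.providerId === resource.providerId;
  }
  return resource.customerId !== undefined && resource.customerId === user.id;
}

// Constructed sample principals and resources (not real MASARUK data)
const providerAdminA: User = { id: 'u-1', role: 'PROVIDER_ADMIN', providerId: 'prov-A' };
const staffA: User = { id: 'u-2', role: 'PROVIDER_STAFF', providerId: 'prov-A' };
const customer: User = { id: 'u-3', role: 'CUSTOMER' };
const tripA: Resource = { providerId: 'prov-A' };
const tripB: Resource = { providerId: 'prov-B' };

// Same role, same endpoint, other tenant: the second call is denied by scope, not by role
console.log(can(providerAdminA, 'trip:view', tripA), can(providerAdminA, 'trip:view', tripB)); // true false
```

In the backend this check sits behind requireRoles, after the handler has loaded the target record, so the 403 for a foreign provider's trip is produced by the same code path regardless of which endpoint was hit.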