DIREKT User Roles and Permissions

Permissions are enforced by the backend and reflected in the clients. Hidden UI is not authorization.

Core principles

  • deny by default;
  • roles are scoped to an organization/provider where applicable;
  • privileged operations require stronger authentication;
  • evidence access is purpose-limited and audited;
  • no role may approve its own submitted evidence;
  • finance staff cannot alter verification;
  • field agents cannot grant final approval unless policy explicitly assigns a limited check;
  • auditors are read-only.

Permission matrix

Capability Customer Provider owner Provider member Field agent Reviewer Support Trust supervisor Finance Admin
Search public providers
Create enquiry ✓ as customer ✓ as customer
Manage own provider profile scoped emergency only
Submit provider evidence scoped visit only emergency only
View provider-private evidence own submissions own submissions assigned visit subset assigned cases limited metadata escalated cases controlled
Decide verification check structured visit outcome only override/appeal controlled
Assign field visit ✓/lead
Manage support ticket own own own own limited billing only
Moderate review own report response only response only limited
Suspend provider recommend recommend emergency
View payment ledger own receipts provider receipts scoped limited
Change plans/prices recommend
Manage roles provider members limited operations roles limited
Export data own own provider scoped case-limited ticket-limited controlled financial controlled

Provider roles

Provider owner

  • legal/primary controller;
  • can invite/remove members;
  • can submit declarations;
  • cannot erase audit history;
  • sensitive owner change triggers re-verification.

Provider manager

  • manages profile, service areas, enquiries and evidence according to grant;
  • cannot transfer ownership;
  • cannot view unrelated private owner identity fields.

Provider responder

  • handles enquiries and public responses;
  • cannot change trust evidence or commercial ownership.

Operations separation of duties

  • Reviewer submits a decision.
  • High-risk approvals, overrides or reinstatements may require a supervisor.
  • Finance can reconcile payment but cannot edit check outcomes.
  • Support can gather information but cannot silently change trust state.
  • Admin emergency actions require reason, audit event and retrospective review.

Permission implementation requirements

  • central permission policy in backend;
  • provider/tenant scope in every protected query;
  • object-level authorization;
  • automated allow and deny tests;
  • short-lived evidence URLs;
  • permission change invalidates relevant sessions or caches;
  • no privilege derived from mutable client claims alone.