Permissions Reference

This document explains how permissions work in StationOne and provides detailed reference matrices showing what each role can do.

Understanding the Permission System

StationOne uses a two-layer permission model:

1. Role — determines the user’s administrative level and unit scope
2. Feature Permissions — extend a brigade user’s access to specific areas beyond the base role

Permission Hierarchy

Roles flow from most restrictive to least restrictive:

Brigade User → Brigade Admin → Group Admin → District Admin → Region Admin → Organisation Admin → Super Admin

Higher-level roles inherit all capabilities of lower roles plus additional permissions.

Scope Hierarchy

The unit hierarchy defines what data users can access:

Brigade → Group → District → Region → Organisation

Admins at higher levels can see and manage data from all descendant units.

---

User Roles

Brigade User (Member)

Scope: Single brigade only

Basic operational member. A brigade user’s access to specific features is controlled by feature permissions — either granted directly on their profile or via an active appointment. Without any feature permissions, a brigade user has minimal read access only.

Base access (no feature permissions required):

• View and update their own profile
• View members in their brigade
• View and consume stock items
• Receive and respond to assigned actions

Additional access via feature permissions:

• View vehicles, equipment, BA, hydrants, hoses, water points, pre-plans
• Create and conduct inspections
• Create and manage stock, equipment, vehicles, or other resources
• Access training records and events
• Make vehicle or room booking requests

See Feature Permissions below for the full list.

Use for: Operational members who need platform access but not full administrative control. Use appointments to grant them the specific capabilities their role requires.

Brigade Admin

Scope: Single brigade only

Full administrative access for brigade-level management. Brigade admins do not require feature permissions — they have unrestricted access to all features within their brigade.

Can do everything Brigade Users can, plus:

• Create and edit members in their brigade
• Award qualifications and endorsements
• Endorse members on vehicles
• Create and manage vehicles, equipment, and stock
• Create and assign inspections; approve/reject inspection reviews
• Manage action items for their brigade
• Create and manage events and training
• Configure public access for brigade resources
• Assign appointments to members

Cannot:

• Delete vehicles permanently (organisation admin required)
• Access members or resources from other brigades
• Create or modify inspection templates
• Create inspection schedules
• Access organisation-wide settings

Use for: Brigade officers, captains, and lieutenants managing daily brigade operations.

Group Admin

Scope: Group and all brigades within the group

Can do everything Brigade Admins can, plus:

• View and manage all brigades in their group
• View and manage members, vehicles, and equipment across all group brigades
• View inspections and manage actions across the group

Use for: Group officers managing multiple brigades.

District Admin

Scope: District and all groups/brigades within the district

Can do everything Group Admins can, plus:

• View and manage all groups and brigades in their district
• District-wide reporting and oversight

Use for: District officers overseeing multiple groups.

Region Admin

Scope: Region and all districts/groups/brigades within the region

Can do everything District Admins can, plus:

• View and manage all districts, groups, and brigades in their region
• Regional reporting and oversight

Use for: Regional officers overseeing multiple districts.

Organisation Admin

Scope: Entire organisation

Can do everything Region Admins can, plus:

• Create and manage all units (brigades, groups, districts, regions)
• Create and manage inspection templates and schedules
• Create and configure qualification and endorsement types
• Create and manage appointment types
• Configure organisation-wide settings
• Delete vehicles permanently and move them between units
• Full reporting across the organisation

Use for: Organisation leadership and administrators managing the entire organisation.

Super Admin

Scope: System-wide (all organisations)

Can do everything Organisation Admins can, plus:

• Access all organisations
• Create and manage organisations
• Configure system settings

Use for: Platform administrators and system operators only.

---

Feature Permissions

Feature permissions extend what a brigade_user can access beyond their base role. They are granted either:

• Directly on a member’s profile (permanent)
• Via an appointment (active only while the appointment is current)

Brigade admins and above always have full access within their scope and are not affected by feature permissions.

Available Feature Permissions

Feature	Permission	What it grants
Vehicles	view	View vehicles and fleet details
	manage	Create and edit vehicles
Events	view	View events
	create	Create and edit events
	manage_attendance	Manage event attendance
Bookings	view	View vehicle and room bookings
	create	Submit booking requests
	approve	Approve and reject booking requests
Inspections	view	View inspections
	create	Create and conduct inspections
	approve	Approve and review inspections
	manage_templates	Create and edit inspection templates
Training & Skills	view	View training records
	create	Create and edit training sessions
	manage	Manage member skills and attendance
Breathing Apparatus	view	View BA equipment
	manage	Manage BA sets, cylinders and components
Hydrants	view	View hydrants
	manage	Create and edit hydrants
Hose Management	view	View hoses
	create	Create and manage hoses
	manage	Manage hose testing, repairs and assignments
Pre-Plans	create	Create and edit pre-plans
Availability	view	View member availability
	manage	Manage own and others’ availability
Duty Crews	view	View duty crews
	manage	Manage duty crew assignments
Water Points	view	View water points
	manage	Create and edit water points
Stock Management	manage	Create, restock and manage stock items
Equipment	manage	Create and manage equipment

Feature Permissions and Actions

Action items in StationOne are categorised by the area they relate to (vehicle, equipment, BA set, stock, etc.). A brigade user only sees action items for categories they have the relevant feature permission for:

Action category	Permission required
Vehicle	vehicles: view
Equipment	equipment: manage
BA Set	ba: view
Stock / PPE & Uniform	stock: manage
Pre-Plan	pre_plans: create
Building & Maintenance, IT, Other	No permission required

Feature Permissions and Notifications

Email notifications follow the same feature permission boundaries. A brigade user only receives notification digests for the features they can access:

Notification	Permission required
Overdue inspection schedules	Feature permission matching the inspectable type
Expiring inspection items	Same as above
Training notifications	Any training permission
Event notifications	Any events permission
Vehicle booking updates	Bookings or vehicles permission

See Manage Email Notifications for more on notification preferences.

---

Permission Matrix by Feature

In the tables below, ✅† indicates the action is available to brigade users who hold the appropriate feature permission. See the Feature Permissions section for the full list.

Members Management

Action	Brigade User	Brigade Admin	Group Admin+	Org Admin	Super Admin
View members in own brigade	✅	✅	✅	✅	✅
View members in hierarchy	❌	❌	✅	✅	✅
Create members	❌	✅	✅	✅	✅
Edit own profile	✅	✅	✅	✅	✅
Edit members in brigade	❌	✅	✅	✅	✅
Archive/delete members	❌	✅	✅	✅	✅
Grant platform access	❌	✅	✅	✅	✅
Assign appointments	❌	✅	✅	✅	✅
Create appointment types	❌	❌	❌	✅	✅

Vehicles

Action	Brigade User	Brigade Admin	Group Admin+	Org Admin	Super Admin
View vehicles in brigade	✅†	✅	✅	✅	✅
View vehicles in hierarchy	❌	❌	✅	✅	✅
Create vehicles	✅†	✅	✅	✅	✅
Edit vehicles	✅†	✅	✅	✅	✅
Delete vehicles	❌	❌	❌	✅	✅
Assign to different unit	❌	❌	❌	✅	✅

† Requires vehicles: view to view; vehicles: manage to create and edit.

Equipment

Action	Brigade User	Brigade Admin	Group Admin+	Org Admin	Super Admin
View equipment in brigade	✅	✅	✅	✅	✅
View equipment in hierarchy	❌	❌	✅	✅	✅
Create equipment	✅†	✅	✅	✅	✅
Edit equipment	✅†	✅	✅	✅	✅
Delete equipment	✅†	✅	✅	✅	✅

† Requires equipment: manage.

Inspections

Action	Brigade User	Brigade Admin	Group Admin+	Org Admin	Super Admin
View inspections in brigade	✅†	✅	✅	✅	✅
Create & conduct inspections	✅†	✅	✅	✅	✅
Delete inspections	❌	✅	✅	✅	✅
Approve/reject inspections	✅†	✅	✅	✅	✅

† View requires inspections: view; create requires inspections: create; approve requires inspections: approve.

Templates & Schedules

Action	Brigade User	Brigade Admin	Group Admin+	Org Admin	Super Admin
View templates	✅	✅	✅	✅	✅
Create/edit unit templates	✅†	❌	❌	✅	✅
Create/edit org templates	❌	❌	❌	✅	✅
Delete templates	❌	❌	❌	✅	✅
Create/edit schedules	❌	❌	❌	✅	✅

† Requires inspections: manage_templates.

Actions

Action	Brigade User	Brigade Admin	Group Admin+	Org Admin	Super Admin
View actions (feature-matched)	✅†	✅	✅	✅	✅
Resolve assigned actions	✅†	✅	✅	✅	✅
Create actions manually	❌	✅	✅	✅	✅
Close/reopen actions	❌	✅	✅	✅	✅
Delete actions	❌	✅	✅	✅	✅

† Brigade users see only actions in categories matching their feature permissions (e.g. a user with ba: view sees BA set actions, not vehicle actions).

Stock Management

Action	Brigade User	Brigade Admin	Group Admin+	Org Admin	Super Admin
View stock items	✅	✅	✅	✅	✅
Consume stock (record usage)	✅	✅	✅	✅	✅
Create stock items	✅†	✅	✅	✅	✅
Edit/restock stock items	✅†	✅	✅	✅	✅
Delete stock items	✅†	✅	✅	✅	✅

† Requires stock: manage.

Events

Action	Brigade User	Brigade Admin	Group Admin+	Org Admin	Super Admin
View events	✅†	✅	✅	✅	✅
Create/edit events	✅†	✅	✅	✅	✅
Manage attendance	✅†	✅	✅	✅	✅
Delete events	❌	✅	✅	✅	✅

† View requires events: view; create requires events: create; attendance requires events: manage_attendance.

Qualifications & Endorsements

Action	Brigade User	Brigade Admin	Group Admin+	Org Admin	Super Admin
View qualifications	✅	✅	✅	✅	✅
Award/remove qualifications	❌	✅	✅	✅	✅
View endorsements	✅	✅	✅	✅	✅
Award/remove endorsements	❌	✅	✅	✅	✅
Configure types	❌	❌	❌	✅	✅

---

Permission Decision Flow

When the system checks whether a user can perform an action:

1. Is user Super Admin?
   └─ Yes → Allow

2. Does user have required admin role (Brigade Admin or higher)?
   └─ Yes → Check scope (is resource in user's unit hierarchy?)
             └─ Yes → Allow
             └─ No  → Deny

3. Is user a Brigade User?
   └─ Does user have the required feature permission?
      (via direct grant OR active appointment)
      └─ No  → Deny
      └─ Yes → Is resource in user's brigade?
               └─ No  → Deny
               └─ Yes → Allow

---

Hierarchical Scope Examples

Brigade Admin Managing Their Brigade

User: Captain Smith, Brigade Admin at Tyabb Fire Brigade

Can access:

• All members, vehicles, equipment, and resources at Tyabb
• All inspections and actions for Tyabb resources
• All events at Tyabb

Cannot access:

• Resources from other brigades
• Organisation-wide settings or templates

Group Admin Managing Multiple Brigades

User: Captain Jones, Group Admin for District 8 Group

Can access:

• All brigades in District 8 Group (e.g., Tyabb, Somerville, Hastings)
• All members, vehicles, equipment, inspections, and actions across those brigades

Cannot access:

• Brigades in other groups
• Organisation-wide templates or settings

Brigade User with Feature Permissions

User: Alex, Brigade User at Tyabb — appointed as Stores Officer

Can access:

• Own profile
• All stock items at Tyabb (create, restock, manage — via stock: manage permission)
• Action items in the stock and PPE categories
• Notifications about stock-related items

Cannot access:

• Vehicles, equipment, inspections (unless separately granted)
• Resources from other brigades
• Admin features

---

Best Practices

Principle of Least Privilege

Assign the minimum access level needed for each member’s responsibilities.

• Operational members with no admin duties: Brigade User + appropriate feature permissions via appointment
• Brigade officers: Brigade Admin
• Group/district/region officers: corresponding admin role
• Organisation leadership: Organisation Admin
• Platform operators only: Super Admin

Use Appointments for Functional Roles

Rather than promoting a member to brigade admin to give them access to a specific area, create an appointment type with the relevant feature permissions. This:

• Keeps the role level appropriate
• Automatically revokes access when the appointment ends
• Creates a clear record of who held which position and when

See Appointments & Feature Permissions for full details.

Managing Transitions

When a member’s role or appointment changes:

1. End any appointments that no longer apply
2. Assign the new role or appointment
3. If promoting to an admin role, feature permissions are cleared automatically
4. Verify access is correct with the member

Auditing Access

Regularly review:

• Active appointments — are all still current?
• Direct feature permission grants — are these still needed, or should they be appointment-based?
• Admin role assignments — does each admin still need that level of access?

---

Common Scenarios

New Operational Member

Need: Member needs to conduct inspections and view brigade resources.

Solution: Role brigade_user + appointment with inspections: create and vehicles: view permissions.

Stores Officer

Need: Member takes on responsibility for managing stock and PPE.

Solution: Appointment with stock: manage permission. Member gains stock management access for the duration of the appointment without needing a full admin role.

Training Officer

Need: Member coordinates training sessions and tracks member attendance.

Solution: Appointment with training: create and training: manage permissions.

Promoted to Captain

Need: Existing brigade user promoted to captain.

Solution: Change role from brigade_user to brigade_admin. Any existing feature permissions are cleared automatically — they are no longer needed.

Member Transfers to Another Brigade

Need: Member moving from Tyabb to Somerville.

Solution: Update unit assignment. Role and qualifications transfer. End and reassign any active appointments in the new brigade.

---

Related Documentation

• Appointments & Feature Permissions
• Add Members
• Manage Email Notifications
• Getting Started