This document describes what site admins can and cannot do within the admin interface.
Site admins have limited administrative privileges compared to super admins. They can only manage resources and users for sites where they have admin access.
- ✅ Can access: Admin dashboard
- ✅ Can view: Sites list (filtered to only sites they admin)
- ✅ Can view: Users list (filtered to users with access to their sites)
- ❌ Cannot view: Organizations list (hidden for site admins)
- ✅ Can access: Users list page
- ✅ Can view: Users who have access to sites they administer
- ✅ Can export: CSV of filtered user list
- ✅ Can create: New users (via "create" button)
- ✅ Can edit: User profiles (limited permissions)
- ✅ Can edit: User's first name and last name
- ✅ Can view: User's email and creation date (read-only)
- ❌ Cannot edit: User active/inactive status (super admin only)
- ✅ Can view: Sites accessible to user (filtered to sites they admin)
- ✅ Can manage: User access to sites they administer
- ✅ Can manage: User modules for sites they administer
- ✅ Can add: New site access for users (for their sites)
- ✅ Can remove: Site access from users (for their sites)
- ✅ Can access: Add new user functionality
- ✅ Can create: New user accounts
- ⚠️ Limited scope: Can only grant access to sites they administer
- ✅ Can access: Add access functionality
- ✅ Can grant: Site access to users
- ⚠️ Limited scope: Can only grant access to sites they administer
- ✅ Can access: Sites list page
- ✅ Can view: Only sites where they have admin privileges
- ✅ Can edit: Sites they administer (via edit button)
- ✅ Can create: New sites (via "create" button)
- ✅ Can access: Site creation/editing
- ✅ Can edit: Site details and settings
- ✅ Can manage: Site configuration
- ⚠️ Limited scope: Can only edit sites they administer
- ✅ Can access: User access management for their sites
- ✅ Can view: Users with access to sites they administer
- ✅ Can remove: User access from their sites
- ❌ Cannot access: User access management for sites they don't administer
- ⚠️ Permission check: Access denied message shown for unauthorized sites
- ✅ Can access: Gas settings for sites they administer
- ✅ Can configure: Gas monitoring settings
- ⚠️ Limited scope: Only for sites they administer
- ✅ Can access: Materials management
- ✅ Can view: Materials list
- ✅ Can create: New materials
- ✅ Can edit: Existing materials
- ⚠️ Scope unclear: May be limited to site-specific materials
- ✅ Can access: Substances management
- ✅ Can view: Substances list
- ✅ Can create: New substances
- ✅ Can edit: Existing substances
- ⚠️ Scope unclear: May be limited to site-specific substances
- ✅ Can access: Asset types management
- ✅ Can view: Asset types list
- ✅ Can create: New asset types
- ✅ Can edit: Existing asset types
- ⚠️ Scope unclear: May be limited to site-specific asset types
- ❌ Cannot access: Organization management (super admin only)
- ❌ Cannot view: Organization lists
- ❌ Cannot create: New organizations
- ❌ Cannot edit: Organization details
- ❌ Cannot manage: Organization users or sites
- ❌ Cannot access: Global permissions management (super admin only)
- ❌ Cannot view: Role permissions
- ❌ Cannot modify: System-wide permissions
- ❌ Cannot create: New roles or modify existing roles
- Sites: Can only see and manage sites where they have admin access (role_id >= 2)
- Users: Can only see users who have access to sites they administer
- Access Management: Can only grant/revoke access to/from their administered sites
- Organizations section: Hidden from dashboard
- User activation: Cannot activate/deactivate users
- Permission management: No access to global permission settings
- Super admin features: Cannot access system-wide administrative functions
- Filtered queries: All data queries are filtered by `permissionsStore.userAccesses`
- Site-specific operations: Operations limited to sites in their access scope
- Role hierarchy: Site admins (role_id 2) have lower privileges than super admins (role_id 5)
The system uses several mechanisms to enforce these restrictions:
- Frontend filtering: `permissionsStore.isSuperAdmin` checks
- Data filtering: `filterUserAccessibleSites()` and similar functions
- UI disabling: Disabled buttons and hidden sections
- Backend validation: Database queries filtered by user access scope
- All permissions are enforced both at the UI level and data level
- Site admins cannot escalate their privileges
- Access is strictly limited to their designated sites
- Super admin functions remain protected and inaccessible
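The scope rules listed above (administered sites are those with `role_id >= 2`, the users list is limited to users holding access to an administered site, and access management is denied for sites outside that scope), as an added example that is not the project's own code. The `caller`, site and user shapes are assumptions, and `filterUserAccessibleSites` here is a stand-in for the project's function of that name, not its implementation; role ids 2 and 5 come from this page.

```javascript
// Added example, not the project's own code: a stand-alone model of the
// scope rules this page describes. Shapes of `caller`, `sites` and `users`
// are assumptions; role ids come from the page (site admin 2, super admin 5).
const ROLE_SITE_ADMIN = 2;

// Constructed sample data (assumed shape, not the project's schema).
const sites = [
  { id: 1, name: "Plant A" },
  { id: 2, name: "Plant B" },
  { id: 3, name: "Plant C" },
];
const users = [
  { id: 10, name: "alice", accesses: [{ siteId: 1, roleId: 2 }, { siteId: 2, roleId: 1 }] },
  { id: 11, name: "bob",   accesses: [{ siteId: 3, roleId: 1 }] },
  { id: 12, name: "carol", accesses: [{ siteId: 1, roleId: 1 }] },
];

// Sites where the caller holds an admin role (role_id >= 2).
function administeredSiteIds(caller) {
  return new Set(
    caller.userAccesses.filter(a => a.roleId >= ROLE_SITE_ADMIN).map(a => a.siteId)
  );
}

// Stand-in for filterUserAccessibleSites(): super admins see every site,
// site admins only the sites they administer.
function filterUserAccessibleSites(allSites, caller) {
  if (caller.isSuperAdmin) return allSites;
  const scope = administeredSiteIds(caller);
  return allSites.filter(s => scope.has(s.id));
}

// Users list: only users holding some access to an administered site.
function filterVisibleUsers(allUsers, caller) {
  if (caller.isSuperAdmin) return allUsers;
  const scope = administeredSiteIds(caller);
  return allUsers.filter(u => u.accesses.some(a => scope.has(a.siteId)));
}

// Guard for the "add access" / "remove access" operations. The same check has
// to run in the backend, because a hidden button is not a security boundary.
function canManageSiteAccess(caller, targetSiteId) {
  return caller.isSuperAdmin || administeredSiteIds(caller).has(targetSiteId);
}

// Site admin of site 1 only (role 1 on site 2 is not an admin role).
const alice = { isSuperAdmin: false, userAccesses: [{ siteId: 1, roleId: 2 }, { siteId: 2, roleId: 1 }] };
console.log(filterUserAccessibleSites(sites, alice).map(s => s.name)); // [ 'Plant A' ]
console.log(canManageSiteAccess(alice, 2));                             // false
```

The data-layer filter and the management guard share one scope computation, so the backend check cannot drift from what the UI shows.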