Roles and Permissions
The platform has three authority levels that control access to modules, data visibility, and workflow actions.
Authority Roles
User (Bahri Employee)
Standard users are Bahri employees who participate in MOC and PCR workflows. Their access is scoped to the MOCs and PCRs they are directly involved in.
Permissions:
- Initiate new MOCs and PCRs
- View and edit MOCs/PCRs where they are assigned a role (originator, implementer, approver, verifier)
- Access the notification center
- Use per-MOC chat rooms
- View their personal MOC overview
Sidebar visibility: Control Panel, MOC, PCR sections.
Admin
Admin users have full visibility into all platform data and can manage user accounts.
Permissions:
- Everything a standard User can do
- View all MOCs and PCRs regardless of assignment
- Access the Admin Dashboard (User Management, Analytics)
- Create and manage user accounts
- Access Year End HSEQ Review module
- View all analytics and reports
Sidebar visibility: All sections including Admin Dashboard and Year End HSEQ Review.
HSEQ
HSEQ (Health, Safety, Environment, and Quality) users are responsible for auditing and reviewing MOCs at the HSEQ stage. They are identified by their department assignment rather than a separate role.
Permissions:
- Everything a standard User can do
- View all MOCs (same visibility as Admin for MOC data)
- Act on MOCs at the HSEQ review stage (Part C)
- Act as the Verifier for MOC close-out (Part F)
Identification: Users with department === "hseq" or specific HSEQ email addresses.
Workflow Roles
Within each MOC, users are assigned to specific workflow roles. These are per-MOC assignments, not system-wide roles:
| Workflow Role | MOC Stage | Responsibilities |
|---|---|---|
| Originator | Part A | Initiates the MOC, describes the change, selects the implementer |
| Implementer | Part B, E | Assesses the change, creates action plans, manages implementation |
| HSEQ Reviewer | Part C | Reviews and audits the MOC for safety and compliance |
| Approver | Part D | Final approval authority for the proposed change |
| Verifier | Part F | Verifies implementation completeness and closes the MOC |
Access Control in the Codebase
Route protection is handled in the middleware at src/middleware.ts:

```ts
// Admin routes require the admin role; any other role is sent back to
// the notification center instead of receiving a 403.
if (pathname.startsWith("/dashboard/admin")) {
  if (role !== "admin") {
    return NextResponse.redirect(new URL("/dashboard/notifications", req.url));
  }
}
```
The middleware only gates the /dashboard/admin prefix. Everything else (HSEQ visibility by department, per-MOC assignment checks) is enforced per route at the API level: most API endpoints read the JWT session cookie and check the user's role, department, or workflow assignment against the requested resource before returning or modifying it.
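The rules from the Authority Roles and Workflow Roles sections, written as one pure authorization helper that an API route could call. This is an added example, not the project's own code: the User and Moc shapes, the user-id-based assignment map, and the choice to require an explicit assignment for non-HSEQ stage actions (including for admins) are assumptions, and the HSEQ email allow-list mentioned above is left out.

```typescript
// Added example; User/Moc shapes are assumptions, not the project's real types.
export type Role = "user" | "admin";
export type WorkflowRole = "originator" | "implementer" | "approver" | "verifier";
export type Stage = "A" | "B" | "C" | "D" | "E" | "F";

export interface User {
  id: string;
  role: Role;
  department?: string; // HSEQ users are identified by department === "hseq"
}

export interface Moc {
  id: string;
  // Per-MOC assignment: workflow role -> id of the assigned user.
  assignments: Partial<Record<WorkflowRole, string>>;
}

/** HSEQ is a department, not a separate authority role. */
export function isHseq(user: User): boolean {
  return user.department === "hseq";
}

/** Admin and HSEQ see every MOC; a standard user sees only MOCs they are assigned to. */
export function canViewMoc(user: User, moc: Moc): boolean {
  if (user.role === "admin" || isHseq(user)) return true;
  return Object.values(moc.assignments).includes(user.id);
}

/**
 * Stage actions follow the workflow-role table: A originator, B/E implementer,
 * C HSEQ, D approver, F the assigned verifier (HSEQ may also act as verifier).
 * Visibility is checked first so a hidden MOC can never be acted on.
 */
export function canActOnStage(user: User, moc: Moc, stage: Stage): boolean {
  if (!canViewMoc(user, moc)) return false;
  const a = moc.assignments;
  switch (stage) {
    case "A": return a.originator === user.id;
    case "B":
    case "E": return a.implementer === user.id;
    case "C": return isHseq(user);
    case "D": return a.approver === user.id;
    case "F": return a.verifier === user.id || isHseq(user);
    default:  return false; // unknown stage: deny
  }
}
```

Calling a helper like this from every API route keeps the server-side decision in one place, so the sidebar and middleware never have to be the last line of defence.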
The sidebar navigation filters menu items based on the user's role at src/components/app-sidebar.tsx. This filtering is a presentation convenience only: hiding a menu entry does not restrict access to the route or data behind it, which is enforced by the middleware and API checks above.

```ts
const filteredNavMain = useMemo(() => {
  // Before user data has loaded, the full menu (including admin entries) is rendered;
  // this is cosmetic only, since the protected routes still reject non-admins.
  if (!userData) return data.navMain;
  if (userData.role === "admin") return data.navMain;
  // Non-admins (standard users and HSEQ) do not see the admin-only sections.
  return data.navMain.filter(
    (item) =>
      item.title !== "Admin Dashboard" &&
      item.title !== "Year End HSEQ Review"
  );
}, [userData]);
```