Permissions Management

Required Permissions: Admin or SuperUser role
Security Level: High
Estimated Time: 10 minutes

The Permissions page lets you fine-tune what each role — and, when necessary, each individual user — is allowed to do inside your tenant. You work with role-level permission sets and user-specific overrides, all from a single interface at Admin Portal → Permissions.

Prerequisites

  • Your account holds an Admin or SuperUser role.
  • You have a clear picture of which capabilities each team role needs.

Overview

Booga Enterprise uses a layered permission model:

  1. Tenant-type defaults — every tenant type (Developer, Corporate) ships with a built-in permission set per role (Viewer, User, Admin).
  2. Role overrides — you can replace the defaults for any role in your tenant. When a role override exists, every user with that role gets the overridden set instead of the defaults.
  3. User overrides — you can replace the entire permission set for a single user. A user override takes precedence over both the role override and the tenant-type defaults.

SuperUser accounts always receive all permissions and are not affected by overrides.

Role Permissions

Viewing role permissions

When you open the Permissions page, the Role Permissions table shows the three configurable roles — Viewer, User, and Admin — each with its current permission set displayed as chips.

  • If a role has been customized, an Overridden badge appears.
  • If you are an Admin (not a SuperUser), the Admin row is marked Protected — you can view it but not edit it.

Editing role permissions

  1. Click Edit on the role row you want to change.
  2. A checklist of all available permissions appears. Permissions currently granted are checked.
  3. Add or remove permissions as needed.
  4. Click Save to apply the override. The change affects every user who holds that role (and who does not have a personal override).

Important: A role override replaces the entire default set. The resulting permission set is exactly what you check — not the defaults plus your changes. Make sure the override includes everything the role needs.

Resetting a role to defaults

If a role has an override and you want to revert to the tenant-type defaults:

  1. Click Reset on the overridden role row.
  2. Confirm the reset in the dialog that appears.
  3. The override is deleted and users revert to the built-in defaults for your tenant type.

Admin role restrictions

  • Admins can edit the Viewer and User role overrides but cannot modify the Admin role. This prevents self-escalation.
  • SuperUsers can edit all three roles without restriction.
  • To change Admin-level permissions across tenants, a SuperUser can use Global Tenant Management.

User-Specific Permissions

Beyond role-level overrides, you can grant or remove specific permissions for an individual user.

Selecting a user

  1. Scroll to the User-Specific Permissions section below the role table.
  2. Use the Select User by Email autocomplete field to find the user. Your own account is not selectable, because you cannot modify your own permissions.
  3. After selection, the interface shows the user's current role, whether they have an override, and their effective permission set.

Editing a user's permissions

  1. Click Edit next to the user's permission list.
  2. A full permission checklist appears with the user's current grants checked.
  3. Add or remove permissions and click Save.
  4. The user override replaces the user's role-based permissions entirely. The label (from user override) appears on permissions that come from the personal override rather than the role.

Resetting to role defaults

If a user has a personal override and you want to revert them to whatever their role grants:

  1. Click Reset to Role Permissions.
  2. Confirm in the dialog.
  3. The user override is deleted and the user inherits permissions from their role (or role override, if one exists).

How Permissions Are Resolved

When the system checks whether a user has a given permission, it follows this order:

  1. SuperUser — always has every permission; no further check needed.
  2. User override — if one exists for this user and tenant, it is the definitive set.
  3. Role override — if one exists for this role and tenant, it is used.
  4. Tenant-type defaults — the built-in set for the user's role and tenant type.

Only one layer is active at a time — overrides replace, they do not add to the layer below.
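
The resolution order above, and the replace-not-merge behavior noted under Editing role permissions, sketched as an added example (not Booga Enterprise's own code). The permission names, the default sets and the override store layouts are hypothetical; only the order of the four layers comes from this page.

```python
# Added example: permission names, default sets and store layouts are
# hypothetical; only the resolution order is taken from the page.
from dataclasses import dataclass

# Constructed tenant-type defaults: (tenant_type, role) -> permission set
DEFAULTS = {
    ("Corporate", "Viewer"): {"reports.view"},
    ("Corporate", "User"): {"reports.view", "reports.export", "projects.edit"},
    ("Corporate", "Admin"): {"reports.view", "reports.export", "projects.edit", "users.manage"},
}
ALL_PERMISSIONS = frozenset().union(*DEFAULTS.values())

@dataclass(frozen=True)
class User:
    email: str
    role: str          # "Viewer", "User", "Admin" or "SuperUser"
    tenant_id: str
    tenant_type: str   # "Developer" or "Corporate"

def resolve(user, role_overrides, user_overrides):
    """Return (active_layer, effective_permissions) for one user.

    role_overrides: {(tenant_id, role): set}; user_overrides: {(tenant_id, email): set}.
    Exactly one layer is returned; layers are never merged.
    """
    if user.role == "SuperUser":
        return "superuser", set(ALL_PERMISSIONS)
    key = (user.tenant_id, user.email)
    if key in user_overrides:   # assumed: an empty set still counts as an override
        return "user_override", set(user_overrides[key])
    key = (user.tenant_id, user.role)
    if key in role_overrides:
        return "role_override", set(role_overrides[key])
    return "defaults", set(DEFAULTS[(user.tenant_type, user.role)])

def dropped_by_override(user, role_overrides, user_overrides):
    """Default permissions the active override no longer grants (review aid)."""
    layer, effective = resolve(user, role_overrides, user_overrides)
    if layer in ("superuser", "defaults"):
        return set()
    return DEFAULTS[(user.tenant_type, user.role)] - effective

if __name__ == "__main__":
    bob = User("bob@example.test", "User", "t1", "Corporate")   # constructed sample
    role_ov = {("t1", "User"): {"reports.view"}}                # override omits two defaults
    print(resolve(bob, role_ov, {}))
    print(sorted(dropped_by_override(bob, role_ov, {})))
```

Running dropped_by_override over every user after a change gives a quick list of default permissions that an override silently removed, which is the drift the periodic review is meant to catch.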

Security Considerations

  • Least privilege: Grant only the permissions each role or user genuinely needs. Review permission sets periodically to prevent drift.
  • No self-edit: Admins and SuperUsers cannot modify their own permissions through this page, reducing the risk of accidental lockout.
  • Audit trail: All permission changes — role overrides created, updated, or deleted, and user overrides created, updated, or deleted — are recorded in the audit log.
  • Admin protection: The Admin role is protected from tenant-admin edits. Only a SuperUser can change Admin-level permissions, preventing horizontal privilege escalation.

Best Practices

  • Start with the built-in tenant-type defaults. Only create role overrides when the defaults genuinely do not fit your organization.
  • Prefer role-level overrides over user-level overrides. Per-user overrides are harder to audit and maintain as teams grow.
  • When you do use a user override, document the reason in your internal change log so future admins understand why it exists.
  • After making changes, verify the result by checking the user's effective permissions in the User-Specific Permissions section.

Troubleshooting

Cannot edit the Admin role

You need a SuperUser account. Admin accounts can only modify the Viewer and User role permissions.

User still has old permissions after an override change

Ask the user to sign out and sign back in. Some permission changes require a fresh session token.

Cannot find a user in the autocomplete

The list excludes your own account. Verify the user belongs to your tenant and has an active account.

Accidentally removed a critical permission from a role

Use Reset to restore the built-in defaults, or re-edit the role to add the missing permission back.

Next Steps

For an overview of user accounts and role assignments, see User Management. To review who changed permissions and when, see Audit & Compliance.


⏱️ Read time: 10 minutes | 📊 Difficulty: intermediate