Role-Based Access Control¶
Campus WoL uses role-based access control (RBAC) to determine what each user can see and do. Every user is assigned one of three roles, and each role grants a specific set of permissions. This page documents the complete permissions matrix and explains how site scoping further restricts access.
The Three Roles¶
Viewer -- Read-only access. Viewers can see dashboards, device status, and Lab Status, but cannot perform any actions that change the system. This role is suitable for staff who need to check whether devices are online but do not need to wake or manage them.
Operator -- Operational access. Operators have all Viewer permissions plus the ability to wake devices, view wake failure details, and review network discovery results. This role is suitable for teachers, lab assistants, or helpdesk staff who need to power on devices.
Admin -- Full access. Admins can do everything Operators can, plus manage inventory, users, schedules, and system configuration. This role is for IT staff who administer the platform.
Permissions Matrix¶
The following table lists every action in the system and which roles can perform it:
| Action | Viewer | Operator | Admin |
|---|---|---|---|
| View dashboard | Yes | Yes | Yes |
| View Lab Status | Yes | Yes | Yes |
| View classroom devices (sidebar tree) | Yes | Yes | Yes |
| View own login history | No | No | Yes |
| Wake devices | No | Yes | Yes |
| View wake failures card | No | Yes | Yes |
| View discovery results | No | Yes | Yes |
| Dismiss discovered devices | No | Yes | Yes |
| Trigger discovery scans | No | No | Yes |
| Adopt discovered devices | No | No | Yes |
| View Network Monitor (raw scan data) | No | No | Yes |
| View schedules & execution history | No | No | Yes |
| Create/delete/toggle schedules | No | No | Yes |
| Add/delete/import/export devices | No | No | Yes |
| Manage sites & classrooms | No | No | Yes |
| Manage users | No | No | Yes |
| View full audit log | No | No | Yes |
| Access Security Center | No | No | Yes |
Important UI note: The Schedules, Audit Log, Inventory, Users, and Security Center pages are in the Administration sidebar section, which is hidden from non-admin users. Even though some backing API endpoints accept operator-level tokens, the UI navigation to those features is admin-only.
Known UI/API mismatches:
- Network Monitor sidebar entry is visible to all users, but the underlying API endpoint requires the Admin role. Non-admin users who navigate to this page see an error or empty state.
- Login history API accepts any authenticated user's token, but the Security Center navigation item (which contains the login history view) is only visible to admins.
- Schedules API endpoints accept Operator-level tokens, but the Schedules navigation item is in the Administration section and only visible to admins.
Site Scoping¶
In addition to role-based permissions, Campus WoL restricts users to specific sites. An administrator can assign one or more sites to each user account. Once site assignments are in place, the user can only see and interact with devices, classrooms, and data belonging to their assigned sites.
What is site scoping?
Site scoping is an additional layer of access control beyond roles. Even if you have the Operator role and can wake devices, you can only wake devices at the sites your administrator has assigned to you. This lets organizations give different teams access to different buildings without creating separate system deployments.
Fail-Closed Behavior¶
Site scoping follows a fail-closed design. If a non-admin user has no sites assigned, they see an empty interface -- no sites, no classrooms, no devices. The system does not default to showing everything when assignments are missing. An administrator must explicitly grant site access before a user can see any data.
Admin users are exempt from site scoping and can see all sites regardless of assignments.
How Roles and Sites Work Together¶
A user's effective permissions are the intersection of their role and their site assignments. For example:
- An Operator assigned to "Science Building" can wake devices in Science Building classrooms, but cannot see or interact with devices in other buildings
- A Viewer assigned to "Library" and "Arts Building" can view device status at those two sites, but cannot wake anything and cannot see other sites
- An Admin can see and manage everything regardless of site assignments
Next Steps¶
- Authentication -- How login and sessions work
- Audit Logging -- Every action is logged with the acting user and their role
- Secrets Management -- How credentials and keys are stored