The c.technology platform implements a sophisticated role-based access control (RBAC) system that provides granular control over what users can see and do within the platform. This permission system operates at multiple levels, from high-level feature access down to individual sensor data fields, ensuring appropriate data visibility while maintaining security and compliance requirements.

Permission system architecture

The permission system is built on three core concepts that work together to provide flexible and scalable access control:
  1. Permissions - Atomic capabilities that define specific actions or access rights (down to temporally restricted access to individual data fields)
  2. Roles - Collections of permissions that represent common job functions or access patterns
  3. Assignments - The binding of roles to users for specific contexts (vehicles, organizations)
Additionally, permissions are transitive through organizational hierarchies, meaning that users inherit permissions based on their organization memberships and the roles assigned to those organizations for specific vehicles. This architecture enables fine-grained control while remaining manageable for administrators and intuitive for end users.
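
The resolution described above can be sketched as follows. This is an added example, not the platform's own code: the contents of each role, the `Assignment` shape, the sample users, organizations and vehicles, and the assumption that a member of a sub-organization also inherits roles assigned to its parent organization are all hypothetical.

```python
from dataclasses import dataclass

# Assumed role contents: the page names roles and permissions, not their mapping.
ROLE_PERMISSIONS = {
    "VEHICLE_OWNER": {"VEHICLE_STATUS_VIEW", "VEHICLE_LOGBOOK_VIEW",
                      "VEHICLE_PROFILE_EDIT", "VEHICLE_OWNERS_EDIT"},
    "VEHICLE_MAINTAINER": {"VEHICLE_STATUS_VIEW", "VEHICLE_LOGBOOK_VIEW"},
    "VEHICLE_ONLY_CURRENT": {"VEHICLE_STATUS_VIEW"},
}

@dataclass(frozen=True)
class Assignment:
    subject: str   # "user:<id>" or "org:<id>" (hypothetical naming)
    role: str
    vehicle: str

# Constructed sample data
ASSIGNMENTS = [
    Assignment("user:alice", "VEHICLE_OWNER", "boat-1"),
    Assignment("org:service-eu", "VEHICLE_MAINTAINER", "boat-1"),
    Assignment("org:acme", "VEHICLE_ONLY_CURRENT", "boat-2"),
]
MEMBERSHIPS = {"bob": ["service-eu"]}   # user -> organizations joined directly
PARENTS = {"service-eu": ["acme"]}      # organization -> parent organizations

def org_closure(user, memberships, parents):
    """All organizations a user belongs to, directly or through parents."""
    seen, stack = set(), list(memberships.get(user, ()))
    while stack:
        org = stack.pop()
        if org not in seen:             # also stops on a cyclic hierarchy
            seen.add(org)
            stack.extend(parents.get(org, ()))
    return seen

def effective_permissions(user, vehicle, assignments, memberships, parents):
    """Union of permissions from direct and organization-inherited roles."""
    subjects = {f"user:{user}"}
    subjects |= {f"org:{o}" for o in org_closure(user, memberships, parents)}
    perms = set()
    for a in assignments:
        if a.vehicle == vehicle and a.subject in subjects:
            perms |= ROLE_PERMISSIONS.get(a.role, set())  # unknown role grants nothing
    return perms

def is_allowed(user, vehicle, permission, assignments, memberships, parents):
    return permission in effective_permissions(user, vehicle, assignments, memberships, parents)
```

Access is denied by default: a user with no matching assignment, or an assignment naming a role that is not defined, resolves to an empty permission set.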

Permission categories

The platform organizes permissions into distinct categories that make permissions easy to understand and manage:

User permissions

General permissions that control a user’s access to platform-wide functionality:
# Example user permissions
USER_PROFILE_VIEW          # Access to user profile data (read-only)
USER_PROFILE_EDIT          # Access to user profile data (can edit)
USER_ASSIGN_VEHICLE_TO_USER  # Allowed to assign vehicles to users
USER_NOTIFICATION_ALERT_VIEW  # Access to notification alerts (read-only)
USER_GEOFENCING_VIEW       # Access to user-defined geofencing (read-only)
USER_GEOFENCING_EDIT       # Access to user-defined geofencing (can edit)
These permissions control access to personal settings, notification management, geofencing configuration, and other user-centric features.

Vehicle permissions

Permissions that control access to specific vehicle data and functionality:
# Example vehicle permissions  
VEHICLE_STATUS_VIEW        # Access to vehicle status (current data)
VEHICLE_LOGBOOK_VIEW       # Access to logbook
VEHICLE_LOGBOOK_DETAIL_VIEW  # Access to detailed logbook parameters
VEHICLE_LOGBOOK_DETAIL_EDIT  # Can edit trip name, comments, captain
VEHICLE_PROFILE_EDIT       # Can edit vehicle profile information
VEHICLE_OWNERS_EDIT        # Can modify vehicle ownership
Vehicle permissions provide the core access control for vehicle data, from basic status viewing to detailed operational control.

UI user permissions

Permissions that control which user interface elements are visible in web applications:
# Example UI user permissions
UI_USER_NAVBAR_DASHBOARD   # Show dashboard in navigation
UI_USER_NAVBAR_VEHICLES    # Show vehicles section in navigation  
UI_USER_NAVBAR_PROFILE     # Show profile section in navigation
UI_USER_NAVBAR_BILLING     # Show billing section in navigation
These permissions enable customization of the user interface based on user roles and organizational needs.

UI vehicle permissions

Permissions that control vehicle-specific UI elements and data presentation:
# Example UI vehicle permissions
UI_VEHICLE_STATUS_BATTERY  # Show battery information in vehicle status
UI_VEHICLE_STATUS_FUEL     # Show fuel information in vehicle status
UI_VEHICLE_LOGBOOK_MAP     # Show map view in logbook
UI_VEHICLE_MAINTENANCE_TAB # Show maintenance tab

App permissions

Permissions specific to mobile application functionality:
# Example app permissions
UI_APP_VEHICLE_LOCK_UNLOCK # Show lock/unlock controls in mobile app
UI_APP_NOTIFICATIONS_PUSH  # Enable push notifications
UI_APP_OFFLINE_MODE        # Allow offline data access

Organization permissions

Permissions that control organizational management and administration:
# Example organization permissions  
USER_ORG_GENERAL_ACCESS    # Basic organization access
USER_ORG_SETTINGS_EDIT     # Can edit organization settings
USER_ORG_MEMBER_ADD        # Can add new organization members
USER_ORG_MEMBER_REMOVE     # Can remove organization members

Sensor-Level Permissions

Beyond functional permissions, the platform implements granular sensor-level permissions that control access to individual data fields within vehicle status models. This capability is essential for:
  • Data privacy compliance by restricting access to location or personal data
  • Commercial data protection for proprietary sensor information
  • Role-based data filtering where different users see different data sets
  • Regulatory compliance for industry-specific data access requirements

Sensor Permission Structure

Sensor permissions are defined by specifying the exact model and field combination:
# Example sensor permissions
{
  "key": "vehicle_lat",           # Field name in the model
  "model_name": "VehicleStatus",  # Model containing the field
  "description": "Vehicle GPS latitude coordinate"
}

# Additional examples
{
  "key": "engine_rpm", 
  "model_name": "VehicleStatusCAN",
  "description": "Engine RPM from CAN bus"
},
{
  "key": "fuel_level_pct",
  "model_name": "VehicleStatus", 
  "description": "Fuel level percentage"
}
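
One way to enforce such model-and-field grants when serializing a status record, as an added example that is not the platform's own code. The `valid_from` / `valid_until` keys (modelling the temporally restricted field access mentioned in the architecture section), the function names and the sample values are assumptions.

```python
from datetime import datetime, timezone

UTC = timezone.utc

def _active(grant, now):
    """A grant without a window is always active; the window is [from, until)."""
    start, end = grant.get("valid_from"), grant.get("valid_until")
    return (start is None or start <= now) and (end is None or now < end)

def visible_fields(model_name, grants, now):
    """Field names of `model_name` that may be read at time `now`."""
    return {g["key"] for g in grants
            if g["model_name"] == model_name and _active(g, now)}

def filter_record(model_name, record, grants, now=None):
    """Copy of `record` with only granted fields; everything else is dropped."""
    now = now or datetime.now(UTC)
    allowed = visible_fields(model_name, grants, now)
    return {k: v for k, v in record.items() if k in allowed}

# Constructed sample grants for one user on one vehicle
GRANTS = [
    {"key": "fuel_level_pct", "model_name": "VehicleStatus"},
    {"key": "vehicle_lat", "model_name": "VehicleStatus",
     "valid_from": datetime(2024, 6, 1, tzinfo=UTC),     # assumed field
     "valid_until": datetime(2024, 6, 8, tzinfo=UTC)},   # assumed field
    {"key": "engine_rpm", "model_name": "VehicleStatusCAN"},
]

# Constructed sample record of model VehicleStatus
STATUS = {"vehicle_lat": 47.37, "fuel_level_pct": 62, "engine_rpm": 1800}
```

Because grants are matched on both `model_name` and `key`, the `engine_rpm` grant for `VehicleStatusCAN` does not expose a same-named field on `VehicleStatus`, and the latitude disappears from responses once its window closes.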

Predefined Roles

The platform includes a comprehensive set of predefined roles that cover common use cases and organizational structures. For user roles, these include:
  • USER_STANDARD: Standard user role.
  • USER_READ_ONLY: Read-only user role.
  • USER_MAP_ONLY: User cannot do anything except for looking at the map. Useful for on-vehicle displays in shared vehicles.
For vehicle (access) roles, these include:
  • VEHICLE_OWNER: Owner of the vehicle.
  • VEHICLE_USER: User of the vehicle - the same as OWNER in terms of access, but without admin rights, such as to add or remove other users.
  • VEHICLE_MAINTAINER: Person responsible for the maintenance of the vehicle.
  • VEHICLE_MANUFACTURER: Person responsible for the manufacturing of the vehicle.
  • VEHICLE_MANUFACTURER_UPLOAD: Person responsible for the manufacturing of the vehicle (can upload data for this vehicle).
  • VEHICLE_READ_ONLY: Person can only observe the data of the vehicle, but cannot edit anything.
  • VEHICLE_NO_DETAIL_NO_EDIT: User cannot see details of trips or edit the vehicle profile.
  • VEHICLE_ONLY_CURRENT: User cannot see anything except the current position and data.
  • VEHICLE_UPLOAD_DATA: Vehicle can upload data. Used for API keys.
  • VEHICLE_OWNER_GROUP_FOLLOWER: Owner of a vehicle, but many functions are disabled to make it clear a vehicle is part of a group (and only the group leader can be used for common tasks, such as notes, documents, etc.).
For organization roles, these include:
  • USER_ORG_STANDARD: Standard user org access role
  • USER_ORG_ADMIN: Admin user org access role
  • USER_ORG_READ_ONLY: Read-only user org access role
  • USER_ORG_SERVICE: Service user org access role
  • USER_ORG_MARKETING: Marketing user org access role
  • USER_ORG_ENGINEER: Engineer user org access role

Permission Auditing and Compliance

The platform maintains comprehensive audit trails for all permission-related activities. Audit trail components include:
  • Permission grants and revocations with timestamps and responsible parties
  • Role assignments and modifications, including custom role changes
  • Access attempts and authorization decisions for compliance monitoring
  • Administrative actions affecting permissions and roles
Compliance features include:
  • Data access logging for regulatory compliance (GDPR, CCPA, etc.)
  • Permission reports for organizational audits
  • Access certification workflows for periodic reviews
  • Automated alerts for unusual permission patterns