Skip to content

RBAC & Roles

Mitch‑Risk uses permission-based access control, not "is authenticated" gating. Three system roles are built in, and admins can create custom roles with any combination of the 23 fine-grained permissions.

Permission Catalog (23 Permissions)

Vendors (4)

Permission KeyDescription
vendors:viewView vendor list and vendor detail pages
vendors:createCreate new vendors (including CSV import)
vendors:editEdit vendor profiles, certifications, and attachments
vendors:deleteDelete vendors (cascades to assessments and files)

Assessments (5)

Permission KeyDescription
assessments:viewView assessment list and assessment detail
assessments:createCreate and send assessments to vendors
assessments:editEdit assessment settings, manage tokens and links
assessments:reviewReview responses, approve/clarify, finalize assessments
assessments:deleteDelete assessments (cascades to files)

Templates (4)

Permission KeyDescription
templates:viewView template list and template detail
templates:createCreate new templates
templates:editEdit templates, publish/unpublish, version
templates:deleteDelete templates

Frameworks (3)

Permission KeyDescription
frameworks:viewView framework list and framework detail with controls
frameworks:editImport and edit frameworks
frameworks:deleteDelete frameworks and all associated controls

Profile (1)

Permission KeyDescription
profile:viewView and edit own profile, password, and preferences

Administration (6)

Permission KeyDescription
audit:viewView audit log and email notification log
users:manageCreate, disable, enable, delete users; change roles
roles:manageCreate, edit, delete, duplicate roles
settings:manageManage all in-app settings (email, scoring, branding, storage, etc.)
api:manageCreate, revoke, enable, delete API keys
webhooks:manageCreate, edit, enable, delete webhook endpoints

Default System Roles

RolePermissionsWho It's For
Admin23 (all)Full platform control. Locked — cannot be deleted or edited.
Reviewer17Staff who manage vendors and assessments. Cannot manage users, roles, settings, API, or view audit.
Viewer5Read-only: vendors:view, assessments:view, templates:view, frameworks:view, profile:view

System roles are seeded on first run and cannot be deleted. The Admin role cannot be modified.

Custom Roles

Admins can create custom roles in Settings → Roles:

  1. Click Create Role.
  2. Name the role and write a description.
  3. Select the permissions to grant.
  4. Assign the role to any user.

Custom roles can have any subset of the 23 permissions. Use them to create role profiles like "Auditor" (audit + view only), "Vendor Manager" (vendors + assessments + templates), or "API-only" (just the relevant API permission set).

Enforcement

Access control is enforced at every layer:

LayerMechanismBehavior
Page accessrequirePermission(key)Redirects to dashboard if denied
Server actionsrequirePermission(key) at start of every actionReturns 403 if denied
API routesauthenticateRequest() + permission checkReturns 403 JSON envelope if denied
UI controlshasPermission(user.permissions, key) in JSXControls are hidden, not greyed out
Sidebar navPermission-filtered navigation itemsUser only sees sections they can access
Settings tabsTab params sanitized against permissionsHidden tabs cannot be forced via URL

Hide, don't disable. A role without a permission simply does not see the control. A Viewer gets a clean read-only screen — no write buttons, no redirect-on-click traps.

Practical Examples

ActionAdminReviewerViewer
View vendor listYesYesYes
Create/import vendorsYesYesNo
Edit vendor profilesYesYesNo
Delete vendorsYesYesNo
View assessmentsYesYesYes
Send assessmentsYesYesNo
Review & finalizeYesYesNo
Delete assessmentsYesYesNo
Create templatesYesYesNo
Edit/publish templatesYesYesNo
View frameworksYesYesYes
Edit/import frameworksYesYesNo
Delete frameworksYesYesNo
View audit logYesNoNo
Manage usersYesNoNo
Manage rolesYesNoNo
Manage settingsYesNoNo
Manage API keysYesNoNo
Manage webhooksYesNoNo
View/edit own profileYesYesYes

Open-source, self-hosted third party vendor risk management.