Documentation Index
Fetch the complete documentation index at: https://grantmaster.dev/llms.txt
Use this file to discover all available pages before exploring further.
Role & Permission Matrix
This document defines the capabilities of each SystemRole within the GrantMaster platform.
Source of truth: src/config/permissionMatrix.ts and src/shared/auth/contracts.ts (the Permission enum and SystemRole enum).
Role Hierarchy
AUDITOR is a cross-cutting role — it does not inherit from the hierarchy but has read-only access to audit logs, compliance, and org settings. Access is time-boxed via AuditorAccessGrant.
System Roles
| Role | Description |
|---|---|
| SUPER_ADMIN | Platform-wide management. Full access including tenant provisioning and imuseration (impersonation). |
| ADMIN | Organization-wide management. Full control over their organization. |
| MANAGER | Team and project management. Can create projects, approve journals/expenses. |
| MEMBER | Standard user. Can view projects, log time, submit own expenses. |
| AUDITOR | Read-only compliance and audit access with time-boxed sessions. |
| USER | Base role (legacy). |
| OBSERVER | Read-only observer (legacy). |
Permission Matrix (Summary)
| Permission Category | SUPER_ADMIN | ADMIN | MANAGER | MEMBER | AUDITOR |
|---|---|---|---|---|---|
| Platform Management | ✅ | ❌ | ❌ | ❌ | ❌ |
| Platform Billing | ✅ | ❌ | ❌ | ❌ | ❌ |
| Org Settings | ✅ | ✅ | ❌ | ❌ | 👁️ |
| Manage Billing | ✅ | ✅ | ❌ | ❌ | ❌ |
| Manage Team | ✅ | ✅ | ⚠️ | ❌ | 👁️ |
| Create Projects | ✅ | ✅ | ✅ | ❌ | ❌ |
| Journals | ✅ | ✅ | ✅ | ✅ | 👁️ |
| Expenses | ✅ | ✅ | ✅ | ⚠️ | 👁️ |
| Approve Expenses | ✅ | ✅ | ✅ | ❌ | ❌ |
| Budget Monitoring | ✅ | ✅ | ✅ | ❌ | 👁️ |
| Relations / Contacts | ✅ | ✅ | ✅ | 👁️ | 👁️ |
| Grantors / Compliance | ✅ | ✅ | 👁️ | ❌ | ❌ |
| Discovery & Pipeline | ✅ | ✅ | ❌ | ❌ | ❌ |
| Document Brain | ✅ | ✅ | ✅ | ⚠️ | 👁️ |
| Impact (M&E) | ✅ | ✅ | ✅ | 👁️ | 👁️ |
| Reports & Templates | ✅ | ✅ | ✅ | 👁️ | 👁️ |
| Policy Engine | ✅ | ✅ | ✅ | ❌ | 👁️ |
| HR / Staff Allocation | ✅ | ✅ | ✅ | ❌ | ❌ |
| Effort Certification | ✅ | ✅ | ✅ | ⚠️ | ❌ |
| Training | ✅ | ✅ | ✅ | 👁️ | ❌ |
| Org Chart | ✅ | ✅ | 👁️ | 👁️ | ❌ |
| Contractors | ✅ | ✅ | 👁️ | ❌ | ❌ |
| View Audit Logs | ✅ | ✅ | 👁️ | ❌ | ✅ |
| Audit Reports & Export | ✅ | ✅ | ❌ | ❌ | ✅ |
- ✅ Full Access
- 👁️ Read Only
- ⚠️ Restricted/Request only
- ❌ No Access
Key Security Flows
1. The SuperAdmin “God Mode”
SuperAdmins inherit almost all permissions but are uniquely allowed to perform Imuseration (Impersonation). This is strictly monitored and requires an active ImuserationSession documented in the global audit rail.
2. The Permission Guard
In React components, always wrap sensitive UI elements in <PermissionGuard>. The guard only hides the element in the client; the service call behind it must enforce the same permission server-side, because a client can issue that call directly without rendering the UI.
3. Dynamic Permission Resolution
Permissions are resolved in RoleContext.tsx (via useRoles()). While roles are the primary bucket, the context also checks for:
- Imuseration context: swaps out the organizationId for all service calls.
- Auditor active window: checks whether the current time falls within the AuditorAccessGrant window.
4. Permission Helper Functions
src/config/permissionMatrix.ts exports:
- getPermissionsForRole(role) — get all permissions for a role
- roleHasPermission(role, permission) — check a single permission
- roleHasAnyPermission(role, permissions) — check any of several permissions
- roleHasAllPermissions(role, permissions) — check all of several permissions
- getPermissionDiff(fromRole, toRole) — compare permission sets between roles
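The following is an added illustration of the helpers listed above together with the dynamic resolution described in section 3; it is example code, not the contents of src/config/permissionMatrix.ts or RoleContext.tsx. The permission names, the matrix contents (a small subset of the summary table), the AuditorAccessGrant and ImuserationSession shapes, and the fail-closed behaviour for an expired grant or a misplaced imuseration session are assumptions made for the example. The real enums are modelled here as string unions so the block runs under type-stripping TypeScript runtimes.

```typescript
// Added example, not GrantMaster's own code. Names, matrix contents and the
// grant/session shapes below are assumptions chosen to mirror the summary table.

export type SystemRole = "SUPER_ADMIN" | "ADMIN" | "MANAGER" | "MEMBER" | "AUDITOR";

export type Permission =
  | "MANAGE_PLATFORM"
  | "MANAGE_BILLING"
  | "VIEW_ORG_SETTINGS"
  | "MANAGE_ORG_SETTINGS"
  | "CREATE_PROJECTS"
  | "SUBMIT_EXPENSES"
  | "APPROVE_EXPENSES"
  | "VIEW_AUDIT_LOGS"
  | "EXPORT_AUDIT_REPORTS";

// Build the hierarchy explicitly so inheritance is visible: each tier is the
// tier below plus its own grants. AUDITOR is cross-cutting and does not inherit.
const MEMBER: Permission[] = ["SUBMIT_EXPENSES"];
const MANAGER: Permission[] = [...MEMBER, "CREATE_PROJECTS", "APPROVE_EXPENSES", "VIEW_AUDIT_LOGS"];
const ADMIN: Permission[] = [...MANAGER, "VIEW_ORG_SETTINGS", "MANAGE_ORG_SETTINGS", "MANAGE_BILLING", "EXPORT_AUDIT_REPORTS"];
const SUPER_ADMIN: Permission[] = [...ADMIN, "MANAGE_PLATFORM"];
const AUDITOR: Permission[] = ["VIEW_ORG_SETTINGS", "VIEW_AUDIT_LOGS", "EXPORT_AUDIT_REPORTS"];

export const PERMISSION_MATRIX: Record<SystemRole, ReadonlySet<Permission>> = {
  SUPER_ADMIN: new Set(SUPER_ADMIN),
  ADMIN: new Set(ADMIN),
  MANAGER: new Set(MANAGER),
  MEMBER: new Set(MEMBER),
  AUDITOR: new Set(AUDITOR),
};

export function getPermissionsForRole(role: SystemRole): ReadonlySet<Permission> {
  return PERMISSION_MATRIX[role];
}

export function roleHasPermission(role: SystemRole, permission: Permission): boolean {
  return PERMISSION_MATRIX[role].has(permission);
}

export function roleHasAnyPermission(role: SystemRole, permissions: Permission[]): boolean {
  return permissions.some((p) => roleHasPermission(role, p));
}

export function roleHasAllPermissions(role: SystemRole, permissions: Permission[]): boolean {
  return permissions.every((p) => roleHasPermission(role, p));
}

// What a principal gains and loses when moved between roles; review this
// before applying a role change.
export function getPermissionDiff(
  fromRole: SystemRole,
  toRole: SystemRole,
): { added: Permission[]; removed: Permission[] } {
  const from = PERMISSION_MATRIX[fromRole];
  const to = PERMISSION_MATRIX[toRole];
  return {
    added: Array.from(to).filter((p) => !from.has(p)),
    removed: Array.from(from).filter((p) => !to.has(p)),
  };
}

export interface AuditorAccessGrant { validFrom: Date; validUntil: Date } // assumed shape
export interface ImuserationSession { targetOrganizationId: string }      // assumed shape

export interface AuthContext {
  role: SystemRole;
  organizationId: string;
  auditorGrant?: AuditorAccessGrant; // AUDITOR has no access without an active grant
  imuseration?: ImuserationSession;  // only meaningful on a SUPER_ADMIN principal
}

export interface ResolvedAccess {
  organizationId: string; // the organization that service calls are scoped to
  permissions: ReadonlySet<Permission>;
}

// Dynamic resolution: the role is the primary bucket, then the auditor window
// and the imuseration context are applied on top. Both checks fail closed
// (assumed policy): an expired or missing grant yields an empty permission
// set, and an imuseration session on a non-SUPER_ADMIN principal is rejected.
export function resolveAccess(ctx: AuthContext, now: Date): ResolvedAccess {
  if (ctx.role === "AUDITOR") {
    const g = ctx.auditorGrant;
    const inWindow = g !== undefined && g.validFrom <= now && now < g.validUntil;
    return {
      organizationId: ctx.organizationId,
      permissions: inWindow ? PERMISSION_MATRIX.AUDITOR : new Set<Permission>(),
    };
  }
  if (ctx.imuseration !== undefined) {
    if (ctx.role !== "SUPER_ADMIN") {
      throw new Error("imuseration session attached to a non-SUPER_ADMIN principal");
    }
    // Only the organization scope changes; the SuperAdmin's own permission set is kept.
    return { organizationId: ctx.imuseration.targetOrganizationId, permissions: PERMISSION_MATRIX.SUPER_ADMIN };
  }
  return { organizationId: ctx.organizationId, permissions: PERMISSION_MATRIX[ctx.role] };
}
```

The auditor window is checked with a half-open interval (validFrom inclusive, validUntil exclusive) so that a grant ending at 17:00 is already inert at exactly 17:00; whichever convention the real AuditorAccessGrant uses, the check in the context and the check in the API must agree, or an auditor can act for a moment that the audit rail does not cover.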
5. Permission Categories
Permissions are grouped into logical categories (defined in PERMISSION_CATEGORIES):
Platform, Organization, Team, Projects, Journals, Expenses, Budget, Audit, Reports, Document Brain, Impact
Notable Permission Scopes Added
- Billing: VIEW_BILLING, MANAGE_BILLING, VIEW_PLATFORM_BILLING, MANAGE_SUBSCRIPTION_TIERS, MANAGE_REFUNDS, VIEW_REVENUE_METRICS
- Document Brain: full lifecycle — VIEW_DOCUMENT_LIBRARY, UPLOAD_DOCUMENTS, EDIT_DOCUMENT_METADATA, DELETE_DOCUMENTS, APPROVE_DOCUMENTS, MANAGE_DOCUMENT_FOLDERS, AI classification, templates, analytics, retention
- Impact (M&E): VIEW_ME, MANAGE_ME, MANAGE_ME_LIBRARY, APPROVE_ME_DATA, MANAGE_ME_DATA_SOURCES, grant linkage, portfolio impact, AI suggestions, workflows, anomalies
- Policy Engine: VIEW_POLICY_ENGINE, CREATE_COMPLIANCE_POLICY, DELETE_COMPLIANCE_POLICY, ACTIVATE_POLICY, MANAGE_POLICY_TEMPLATES, VIEW_POLICY_ANALYTICS, APPLY_POLICIES_TO_GRANTS
- Extensions / Agents: managed via the ExtensionContext module system; not yet represented as discrete permissions in the matrix
Maintenance
Update this document when:
- Adding a new Permission string to src/shared/auth/contracts.ts.
- Modifying the PERMISSION_MATRIX in src/config/permissionMatrix.ts.
- Changing the inheritance logic for SuperAdmins.