Timequip implements a hierarchical role-based access control system with three distinct account-level roles: Owner, Admin, and Member. Each role provides different levels of access and control over account management, billing, and user administration.
Role Hierarchy and Permissions
Owner (ROLE_OWNER)
The Owner role represents the highest level of access within an account. Each account has exactly one owner who holds ultimate authority over all account operations.
Key Permissions:
- Billing Management: Full control over subscription plans, payment methods, and billing settings
- Account Deletion: Authority to permanently delete the entire account and all associated data
- User Management: Invite new users, modify roles, and remove any account member including admins
- Project Management: Create, edit, and delete projects within the account
- Role Assignment: Grant or revoke admin and member roles for any user
- Ownership Transfer: Transfer ownership to another account member
Admin (ROLE_ADMIN)
Admins serve as trusted managers with extensive permissions but lack critical account-level controls reserved for owners.
Key Permissions:
- User Management: Invite new members and modify member roles
- Project Management: Create, edit, and delete projects
- Project Role Assignment: Assign users to projects with Leader, Editor, or Viewer roles
- Content Management: Full access to all project content and settings
Limitations:
- Cannot manage billing information or subscription settings
- Cannot delete the account
- Cannot modify or remove the account owner
- Cannot grant admin status to, or revoke it from, other users
Member (ROLE_MEMBER)
Members are standard users with basic access to projects they're assigned to, but no administrative privileges.
Key Permissions:
- Project Access: View and participate in projects they're specifically assigned to
- Content Collaboration: Edit content within projects where they have Editor or Leader roles
- Basic Account Features: Access to general account features and personal settings
Limitations:
- Cannot manage other users or roles
- Cannot create or delete projects
- Cannot access billing or account settings
- Limited to projects they're explicitly assigned to
Role Inheritance and Access Control
The role system follows a hierarchical inheritance model where higher-level roles automatically include permissions from lower levels:
- Owner: Inherits all Admin and Member permissions
- Admin: Inherits all Member permissions
- Member: Base level permissions only
This inheritance ensures that users with elevated roles can perform any action available to users with lower roles within their scope of authority.
User Management and Role Assignment
Inviting New Users
Only Owners and Admins can invite new users to an account. When inviting a user:
- New users automatically receive the Member role by default
- Only Owners can grant Admin status to new or existing users
- Existing users can be added directly without requiring an email invitation
Role Modification
- Owners can modify any user's role except their own (ownership must be transferred first)
- Admins can only modify Member roles and cannot promote other users to Admin status
- Members cannot modify any roles
User Removal
- Owners can remove any user including Admins
- Admins can only remove Members, not other Admins or the Owner
- Users cannot remove themselves from an account
Security Considerations
Ownership Transfer
When transferring ownership:
- The current owner automatically becomes an Admin
- The new owner receives full Owner privileges
- This operation can only be performed by the current owner
- There must always be exactly one owner per account
Role-Based Access Validation
The system enforces strict access controls at both the API and application levels:
- All role changes are validated against business rules
- Critical operations require specific role verification
- Audit trails track role modifications for security compliance
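The invitation, role modification, user removal and ownership transfer rules above, written as explicit server-side checks. This is an added example, not Timequip's own code; the function names, the dict-based account store and the sample user ids are assumptions made for illustration, and only the role names come from this page.

```python
from enum import IntEnum

class Role(IntEnum):
    # Ordered so that a higher role compares greater (the inheritance model).
    ROLE_MEMBER = 1
    ROLE_ADMIN = 2
    ROLE_OWNER = 3

def can_invite(roles, actor):
    return roles[actor] >= Role.ROLE_ADMIN

def can_change_role(roles, actor, target, new_role):
    # The Owner role moves only through transfer_ownership(), so it can be
    # neither the target's current role nor the requested one.
    if Role.ROLE_OWNER in (roles[target], new_role):
        return False
    if roles[actor] is Role.ROLE_OWNER:
        return True
    # Admins act only on Members and can never grant Admin.
    return (roles[actor] is Role.ROLE_ADMIN
            and roles[target] is Role.ROLE_MEMBER
            and new_role is not Role.ROLE_ADMIN)

def can_remove(roles, actor, target):
    if actor == target or roles[target] is Role.ROLE_OWNER:
        return False  # no self-removal; an owner must transfer ownership first
    if roles[actor] is Role.ROLE_OWNER:
        return True
    return roles[actor] is Role.ROLE_ADMIN and roles[target] is Role.ROLE_MEMBER

def transfer_ownership(roles, actor, new_owner):
    if roles.get(actor) is not Role.ROLE_OWNER:
        raise PermissionError("only the current owner can transfer ownership")
    if new_owner not in roles or new_owner == actor:
        raise ValueError("new owner must be another account member")
    updated = dict(roles)
    updated[actor] = Role.ROLE_ADMIN      # previous owner becomes an Admin
    updated[new_owner] = Role.ROLE_OWNER
    # Invariant from the page: exactly one owner per account.
    assert list(updated.values()).count(Role.ROLE_OWNER) == 1
    return updated

# Constructed sample account (user ids are made up for the example).
ACCOUNT = {"olivia": Role.ROLE_OWNER, "adam": Role.ROLE_ADMIN,
           "amy": Role.ROLE_ADMIN, "mia": Role.ROLE_MEMBER}
```

Each check returns a decision from the stored roles only, so the same functions can back both the API layer and the application layer without trusting a role sent by the client.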
Best Practices
Role Assignment Recommendations
- Owner: Assign to the primary account holder or business owner
- Admin: Grant to trusted managers who need user management capabilities
- Member: Use for regular team members who only need project access
Security Guidelines
- Limit the number of Admins to reduce security risks
- Regularly review user roles and remove unnecessary access
- Transfer ownership before removing an owner from the account
- Monitor role changes through activity logs
This role system provides a flexible yet secure framework for managing access to TimeQuip accounts while ensuring appropriate separation of duties and maintaining data security.