What RBAC is
RBAC (role-based access control) is a fine-grained permission system that sits on top of entity-level permissions. Where entity permissions control whether a user can access Variations at all, RBAC controls exactly what they can do with them — create, edit, submit, approve, delete, export, and more.
RBAC is a feature that must be enabled for your company. If you do not see the RBAC option in your settings sidebar, contact Ensign Software to have it activated. This page is available to Admin and Super Admin users only.
How RBAC differs from entity permissions
| | Entity permissions | RBAC |
|---|---|---|
| Granularity | Per document type (e.g. all Variations) | Per action (e.g. approve a Variation) |
| Scope | Company-wide | Own records, assigned projects, or company-wide |
| Required | Always active | Feature-flagged — must be enabled |
| Managed by | Any Admin | Admin or Super Admin |
Actions and scopes
Each RBAC permission combines an action with a scope.
Actions
Actions are grouped by document type. Examples:
| Document | Example actions |
|---|---|
| Variations | View, Create, Edit, Delete, Submit, Approve, Revise, Void, Cancel, Add Items, Edit Item Details, Edit Item Pricing, Delete Items, Export, View Reports, Generate Reports |
| Dayworks | View, Create, Edit, Delete, Duplicate, Submit, Approve, Reject, Void, Cancel, Add Items, Edit Item Details, Edit Item Pricing, Delete Items, Export, View Reports, Generate Reports |
| Purchase Orders | View, Create, Edit, Delete, Cancel, Export |
| Invoices | View, Create, Edit, Delete, Cancel, Export |
| Timesheets | View, Create, Edit, Delete, Cancel, Export |
| Issues | View, Create, Edit, Delete, Export |
Most document types share a common set of actions (View, Create, Edit, Delete, Cancel, Export). Variations and Dayworks have additional workflow actions (Submit, Approve, Revise, Reject) and item-level controls.
Scopes
Each permission can be limited to one of three scopes:
| Scope | What the user can access |
|---|---|
| Own | Only records they created |
| Assigned Projects | Records on projects they are assigned to as project manager or site manager |
| Company Wide | All records across the company |
Access levels
For each action + scope combination, the permission is either:
- Allow — the user can perform the action within the scope
- Deny — the user is explicitly blocked from the action
Configuring RBAC
Navigate to Settings > System > RBAC. The RBAC controller displays all available actions grouped by document type, with controls to set the scope and access level for each.
Start broad and tighten as needed. Grant company-wide access for common actions like View and Export, then restrict sensitive actions like Approve and Delete to narrower scopes.
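The action, scope and access-level model described above can be sketched as a small evaluator. This is an added illustration, not Ensign Software's code. The names `User`, `Record`, `is_allowed` and `broad_sensitive_grants` are hypothetical, and two behaviours are assumptions the page does not state: an explicit Deny overrides an Allow, and an action with no matching grant is refused.

```python
from dataclasses import dataclass, field

OWN, ASSIGNED, COMPANY = "Own", "Assigned Projects", "Company Wide"
ALLOW, DENY = "Allow", "Deny"

@dataclass(frozen=True)
class Record:                      # hypothetical stand-in for a document
    doc_type: str
    created_by: str
    project: str

@dataclass
class User:                        # hypothetical stand-in for a user account
    name: str
    assigned_projects: set = field(default_factory=set)  # as project or site manager
    grants: dict = field(default_factory=dict)  # (doc_type, action, scope) -> level

def matching_scopes(user, record):
    """Scopes from the table above that cover this record for this user."""
    scopes = {COMPANY}
    if record.created_by == user.name:
        scopes.add(OWN)
    if record.project in user.assigned_projects:
        scopes.add(ASSIGNED)
    return scopes

def is_allowed(user, action, record):
    """Assumed resolution: explicit Deny wins; no matching grant means refused."""
    levels = {user.grants.get((record.doc_type, action, scope))
              for scope in matching_scopes(user, record)}
    return DENY not in levels and ALLOW in levels

def broad_sensitive_grants(user, sensitive=("Approve", "Delete")):
    """Review aid: sensitive actions that are allowed company-wide."""
    return sorted((doc, act) for (doc, act, scope), level in user.grants.items()
                  if scope == COMPANY and level == ALLOW and act in sensitive)

# Constructed sample policy: broad View/Export, narrower Approve/Delete.
pm = User("alice", {"P-100"}, {
    ("Variations", "View", COMPANY): ALLOW,
    ("Variations", "Export", COMPANY): ALLOW,
    ("Variations", "Approve", ASSIGNED): ALLOW,
    ("Variations", "Delete", OWN): ALLOW,
})
v_own = Record("Variations", "alice", "P-200")       # created by alice
v_assigned = Record("Variations", "bob", "P-100")    # on alice's project
v_other = Record("Variations", "bob", "P-300")       # neither

if __name__ == "__main__":
    for rec in (v_own, v_assigned, v_other):
        print(rec, {a: is_allowed(pm, a, rec) for a in ("View", "Approve", "Delete")})
```

Running `broad_sensitive_grants` over each role after a configuration change gives a quick list of Approve or Delete permissions that were left at Company Wide.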
Next steps
- Managing Permissions — configure the simpler entity-level permissions.
- Managing Users — view and manage user accounts and roles.