Feng Office Permissions
Roles, Groups, Modules, and Dimensions
The Feng Office Software permission system is a layered, role-based access control model designed to balance operational flexibility with data security.
Permissions are determined through a structured combination of:
- User roles
- System and module permissions
- Dimension-based data access
- Group assignments
Each layer contributes to the final access level of a user. This document explains how permissions are defined, combined, and enforced throughout the platform.
Quick Summary
The following table summarizes the permissions set for each user type.
| Quick description | |
|---|---|
| Super Administrator | Can do everything |
| Administrator | Can do everything, except managing other administrators and super administrators |
| Manager | Can do everything on Clients, Projects and Workspaces for which administrators granted Management permissions |
| Executive | Can work on everything, but cannot set permissions |
| Collaborator Customer | Is a Customer that can work on data but with restricted permissions, such as not creating or assigning tasks. Can link one object to another provided that they have edit permissions to that object |
| Internal Collaborator | Can work on data, but cannot create nor assign tasks. Can link one object to another provided that they have edit permissions to that object |
| External Collaborator | Can work on data, but cannot create nor assign tasks. Can link one object to another provided that they have edit permissions to that object |
| Guest Customer | Has limited access to view his/her own data. Cannot upload data. Only comments |
| Guest | Has limited access to view his/her own data. Cannot upload data. Can't comment |
1. Overview
This document explains how permissions work in Feng Office Software, including:
- Roles (user types)
- Role default permissions
- User permissions
- Groups
- System and module permissions
- Dimension permissions
- Default permissions for new dimension members
- How permissions are calculated
2. Permission Layers
Permissions are determined by several layers working together.
| Permission Layer | Purpose | Applies To |
|---|---|---|
| Role | Defines the maximum permissions that users of a role may receive. | Users |
| Role Default Permissions | Defines the default permissions assigned to newly created users of that role. | New users |
| User Permissions | Additional permissions assigned directly to a specific user. | Individual users |
| Groups | Assign permissions and dimension access to multiple users simultaneously. | Group members |
| Module Permissions | Determines which modules are available to the user. | Users |
| Dimension Permissions | Determines which Projects, Clients, Organizations and other dimension members the user may access. | Dim members access |
| Default Dimension Member Permissions | Automatically grants access to newly created dimension members. | New Projects, Clients, Organizations, etc. |
| Object Permissions (without classification) | CRUD permissions for objects that are not classified into dimensions. | Full Access users |
3. Key Concepts
3.1 Role
A Role defines the maximum permissions a user may ever receive.
Roles act as the permission ceiling.
If a permission is disabled by the role, it cannot be granted later through users or groups.
3.2 Role Default Permissions
Each role has its own configurable default permissions.
These defaults are automatically assigned whenever a new user is created using that role.
Changing the role defaults only affects users created afterwards.
Existing users keep their own permissions.
Where to configure
Settings → Users, Groups And Permissions →Manage Roles → Select a Role →
From this screen, administrators can configure the default permissions that will be automatically loaded when creating new users with that Role.
| Action | Result |
|---|---|
| Create a new user | Receives the role's default permissions |
| Change Role Defaults | Affects future users only |
| Existing users | No changes |
| Change permission ceiling | Not possible |
Important: Role Default Permissions do not modify the maximum permissions allowed by a role. They only define the initial permissions assigned when new users are created.
3.3 Default Permission Loading for New Users
Where it is used
Settings → Users, Groups And Permissions →Manage Users → Add new user →
When a Role is selected while creating a new user, the system automatically loads the configured default permissions for that Role.
When creating a new user, Feng Office Software automatically loads a predefined set of permissions based on the selected Role.
These permissions act as the initial configuration for the new user, allowing administrators to quickly create users without manually configuring every permission.
The loaded permissions can be reviewed and modified before saving the user.
How it works
- The administrator selects a Role when creating a new user.
- Feng Office Software automatically loads the default permissions configured for that Role.
- The administrator may adjust any enabled permission before saving the user.
- Once the user is created, their permissions become independent from the Role defaults.
Important Notes
- Default permissions are only applied when a new user is created.
- Changing a Role's default permissions does not modify existing users.
- Existing users keep their current permissions unless they are edited manually.
- Role default permissions do not change the maximum permissions allowed by a Role. The Role still defines the permission ceiling.
| Action | Result |
|---|---|
| Create a new user | Loads the default permissions configured for the selected Role. |
| Modify permissions before saving | Allowed. |
| Save the new user | The selected permissions become the user's own permissions. |
| Change the Role defaults later | Existing users are not affected. Only future users receive the updated defaults. |
Example
An administrator configures the Manager Role so that new users receive:
- Manage Tasks
- Manage Projects
- View Reports
When a new Manager user is created, these permissions are automatically preselected.
The administrator may still enable or disable any permission allowed by the Role before saving the user.
Changing the default configuration later will only affect Managers created afterwards.
3.4 Permission States (Enabled, Disabled and Active)
Each permission can be in one of the following states:
| State | Meaning | Can the permission be granted? |
|---|---|---|
| Enabled | The selected Role allows this permission to be granted. It is available for administrators to enable for the user or through a Group. | ✅ Yes |
| Disabled | The selected Role does not allow this permission. It cannot be granted to the user under any circumstance. | ❌ No |
| Active | The permission is currently granted to the user. | Already granted |
Important: A permission must first be Enabled by the user's Role before it can become Active. If a permission is Disabled by the Role, neither User Permissions nor Groups can grant it.
Example
Suppose the Manager Role allows the Manage Projects permission.
| Role allows the permission | Permission enabled for the user | User has the permission? |
|---|---|---|
| ❌ No | ✅ Yes | ❌ No |
| ✅ Yes | ❌ No | ❌ No |
| ✅ Yes | ✅ Yes | ✅ Yes |
In other words:
- The Role determines what can be granted.
- The permission assignment determines what is actually granted.
4. Permission Calculation
Permissions come from multiple sources.
Role
↓
Role Default Permissions
↓
User Permissions
↓
Groups
↓
Effective Permissions
4.1 System Permissions (OR Logic)
System and module permissions use OR logic.
A permission is granted if any source grants it.
Possible sources include:
- Role Default Permissions
- User Permissions
- Groups
| Role Default | User | Group | Final Result |
|---|---|---|---|
| ❌ | ❌ | ❌ | Not Granted |
| ✅ | ❌ | ❌ | Granted |
| ❌ | ✅ | ❌ | Granted |
| ❌ | ❌ | ✅ | Granted |
| ✅ | ✅ | ✅ | Granted |
4.2 Dimension Permissions (AND Logic)
Business objects are classified into dimensions such as:
- Projects
- Clients
- Organizations
- Workspaces
- Sites
- Services
To access an object, the user must have access to every dimension member assigned to that object.
Project ✓ Client ✓ Organization ✗ Result: Object cannot be accessed.
| Project | Client | Organization | Can Access Object? |
|---|---|---|---|
| ✅ | ✅ | ✅ | ✅ Yes |
| ✅ | ❌ | ✅ | ❌ No |
| ❌ | ✅ | ✅ | ❌ No |
| ❌ | ❌ | ❌ | ❌ No |
4.3 Dimensions That Should Not Restrict Access
Sometimes a dimension exists for classification purposes only.
If administrators do not want a particular dimension to restrict visibility, users (or groups) should be granted access to all members of that dimension.
This prevents that dimension from limiting access while still allowing objects to be properly classified.
5. Roles
Roles define the structural limits of each user type.
Role Families
| Role Family | Typical Roles | Default Dimension Access | Object Permissions Without Classification |
|---|---|---|---|
| Guest | Guest, Guest Customer, Non-Executive Director | None | No |
| Collaborator | Internal Collaborator, External Collaborator, Collaborator Customer | None | No |
| Full Access | Executive, Manager, Administrator, Super Administrator | All dimension members | Yes |
6. Groups
Groups simplify permission management by assigning permissions to multiple users at once.
Groups may contain:
- System permissions
- Module permissions
- Dimension permissions
- Multiple users
A user may belong to multiple groups. The effective permissions are the union of all permissions granted by those groups, provided the role allows them.
Where to manage Groups
Settings → Users, Groups And Permissions →Manage Groups
Groups can be created, edited and assigned to users from this section.
How Groups Work with Roles
| Role | Group | Result |
|---|---|---|
| Permission enabled | Group grants permission | Permission granted |
| Permission disabled | Group grants permission | Permission NOT granted |
Roles always define the permission ceiling.
7. Default Permissions for New Dimension Members
Administrators can configure default access for newly created dimension members.
These defaults are automatically applied whenever a new member is created.
Examples include:
- Projects
- Clients
- Organizations
- Services
- Sites
- Other dimension members
| When… | The System Automatically… |
|---|---|
| A new Project is created | Grants the configured default users and groups |
| A new Client is created | Grants the configured default users and groups |
| A new Organization is created | Grants the configured default users and groups |
| A new Service is created | Grants the configured default users and groups |
| A new Site is created | Grants the configured default users and groups |
Changing these defaults does not modify existing dimension members. Only future members receive the updated default access.
8. Effective Permissions
A user's effective permissions are the combination of several configuration sources.
| Source | Purpose |
|---|---|
| Role | Defines the maximum allowed permissions |
| Role Default Permissions | Initial permissions for new users |
| User Permissions | Additional individual permissions |
| Groups | Shared permissions assigned to multiple users |
| Dimension Permissions | Controls object visibility |
| Default Dimension Member Permissions | Automatic access for newly created dimension members |
9. Troubleshooting Access Issues
When a user cannot access an object, verify the following in order:
| Step | Verify |
|---|---|
| 1 | User Role |
| 2 | Role Default Permissions |
| 3 | User Permissions |
| 4 | Groups |
| 5 | Dimension Permissions |
| 6 | Object Classification |
Remember that object visibility depends on the combination of all applicable permission layers.
10. Best Practices
- Use Roles to define responsibility levels.
- Use Groups whenever multiple users require similar permissions.
- Avoid assigning permissions individually unless necessary.
- Configure Role Default Permissions to simplify user creation.
- Configure Default Dimension Member Permissions to reduce repetitive administration.
- Review dimension access whenever users report missing objects.
- Tip: Before assigning permissions individually, verify whether the required access can be achieved by configuring Role Default Permissions or Groups instead. This significantly reduces long-term administration effort.
11. Summary
| Concept | Rule |
|---|---|
| Role | Defines the permission ceiling |
| Role Default Permissions | Initial permissions for newly created users |
| User Permissions | Individual user-specific permissions |
| Groups | Shared permissions assigned to multiple users |
| System Permissions | OR logic |
| Module Permissions | OR logic |
| Dimension Permissions | AND logic |
| Default Dimension Member Permissions | Applied automatically to newly created dimension members |
In summary:
- Roles define the maximum permissions users may receive.
- Role Default Permissions define the initial permissions assigned to newly created users.
- Groups simplify permission management for teams.
- System and Module Permissions use OR logic.
- Dimension Permissions use AND logic.
- Default Dimension Member Permissions automatically grant access when new Projects, Clients, Organizations and other dimension members are created.