User Roles and Permissions
Organization Admin · Event Coordinator · Treasurer · Board Member · Document Manager · Family Lead · Family Worker · Guest Worker
StandShare uses a role-based access control (RBAC) system. Each user is assigned one or more roles, and each role grants a specific set of granular permissions. This page is a reference — for a conceptual explanation of how the system works, see Understanding Roles and Permissions.
User types
StandShare has three structural user types. These are not roles — they determine the scope of access before any role is considered.
| User Type | Description | How access is granted |
|---|---|---|
| Platform Admin | StandShare staff who manage the platform itself | Hold the Admin role, which passes all permission checks |
| Org Member | Anyone belonging to an organization (coordinators, families, etc.) | Assigned one or more roles through the Admin > Users interface |
| Guest Worker | Non-members who participate in events | Assigned the Guest Worker role |
Built-in roles
StandShare ships with 14 built-in roles across three groups. Admin and Venue Admin are system roles and cannot be edited or deleted. All other built-in roles can be modified to fit your organization's needs.
NPO organization roles
| Role | System Role | Description | Key Permissions |
|---|---|---|---|
| Admin | Yes | Full system access — bypasses all permission checks. Cannot be modified or deleted. | All permissions (wildcard *) |
| Organization Admin | No | Full tenant-scoped access to all org features. | All NPO permissions across every category |
| Event Coordinator | No | Manages events and worker assignments through full settlement. | Create/edit events, assign/remove workers, enter commissions, record attendance, settle events (not reversal), manage venues and groups, manage partnerships |
| Treasurer | No | Manages financial records and approvals. | View all family accounts and transactions, manually adjust transactions, approve/deny/process scholarship requests, view fund balances and transactions, view/create ledger entries, view billing |
| Board Member | No | Read-only oversight of all financial and event activity. | View all family accounts and transactions, view events and event reports, view fund balances and transactions, view document compliance, view ledger, view billing |
| Document Manager | No | Manages contracts and compliance documentation. | Upload documents for any family, view all documents, manage document templates, distribute for signature, view compliance reports |
| Family Lead | No | Primary family account holder. | View and edit own family account, view own transactions, submit own scholarship requests, upload and view own documents |
| Family Worker | No | Works events with minimal access. | View events only |
| Guest Worker | No | Guest with limited portal access. | View own assigned events, view own assignment details and earnings, view library content, view member directory, submit feedback |
Venue roles
| Role | System Role | Description | Key Permissions |
|---|---|---|---|
| Venue Admin | Yes | Full venue portal management. Cannot be edited or deleted. | View/manage venue profile, view/manage venue users, view/manage venue billing |
| Venue Coordinator | No | Day-to-day venue operations; no billing or user management. | View venue profile, view venues, manage venues, view venue users |
| Gate Attendant | No | Scanner-only access for check-in. | View venue profile, view venues |
Operator roles
| Role | System Role | Description | Key Permissions |
|---|---|---|---|
| Operator Admin | No | Full operator access — venue portal, operations, event reporting, groups, and API keys. | Manage venue profile, manage venue users/billing, view operations dashboard and system health, export metrics, view event reports, manage groups, manage API tokens |
| Operator Coordinator | No | Read-only operator access. | View venue profile, view venue users/billing, view operations dashboard, view event reports, view groups |
Permission categories
Permissions are organized into the following categories:
| Category | Code Prefix | What it covers |
|---|---|---|
| Family Account Management | family_account.* | Viewing and editing family accounts, transactions, and exports |
| Event Management | event_management.* | Creating, editing, and settling events; assigning workers; managing rosters |
| Scholarship Requests | scholarship_requests.* | Submitting, viewing, approving, denying, and processing scholarship payments |
| Fund Management | fund_management.* | Viewing fund balances, configuring rates, toggling deductions, exporting reports |
| Document Management | document_management.* | Uploading, viewing, and managing documents and templates; distributing for signature |
| Communication | communication.* | Sending messages, managing notification templates, viewing communication history |
| System Administration | system_admin.* | Creating and editing roles, assigning roles, configuring security, managing settings, viewing audit logs |
| Admin Panel | admin_panel.* | Viewing user directory, managing users, sending invitations, revoking sessions |
| Library | library.* | Viewing and managing published content, viewing analytics, managing content categories |
| Announcements | announcements.* | Creating, editing, pinning, and deleting announcements |
| Directory | directory.* | Viewing the member directory |
| Ledger | ledger.* | Viewing and creating ledger entries and fund transfers; voiding entries |
| Billing | billing:* | Viewing and managing billing and subscription information |
| Operations | operations.* | Viewing the operational dashboard, system health indicators, and exporting metrics |
| Collaboration | collaboration.* | Managing partnerships, inviting partners, managing cross-org worker assignments, settling payouts |
| Guest | guest.* | Viewing own events and own assignment details (Guest Worker portal access) |
| Venue Profile | venue_profile.* | Viewing and managing venue profile and settings |
| Venue Users | venue_users.* | Viewing and managing venue staff |
| Venue Billing | venue_billing.* | Viewing and managing venue subscription |
| API Tokens | api_tokens.* | Creating, viewing, and revoking API keys |
| Feedback | feedback.* | Submitting and managing feedback |
| FAQ | faq.* | Creating and editing FAQ entries |
| Groups | groups.* | Viewing and managing operator groups |
Permission inheritance rule
Within a category, holding a view_all permission automatically satisfies a view_own check. For example, a user with family_account.view_all does not also need family_account.view_own — the broader permission covers the narrower one.
This applies only to view permissions. Edit permissions (edit_all and edit_own) do not chain in this way.
Assigning roles to users
- Navigate to Admin > Users.
- Click on the user you want to modify.
- Click Manage Roles (step-up authentication required).
- Select or deselect roles as needed.
- Click Save.
A single user can hold multiple roles simultaneously. Their effective permissions are the union of all roles they hold.
For full instructions on inviting users, managing the user list, and creating custom roles, see Manage Users and Roles.
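The inheritance rule and the union-of-roles behaviour described above can be modelled in a few lines. This is an added illustration, not StandShare's own code: the role-to-permission mapping is constructed sample data, "Custom Account Editor" is a hypothetical custom role, and `family_account.edit_own` / `family_account.edit_all` are assumed code spellings built from the category prefix and the permission names on this page.

```python
# Constructed sample data: which permission codes each role grants.
ROLE_PERMISSIONS = {
    "Admin": {"*"},  # system role: wildcard passes every check
    "Treasurer": {"family_account.view_all"},
    "Family Lead": {"family_account.view_own", "family_account.edit_own"},
    "Custom Account Editor": {"family_account.edit_all"},  # hypothetical role
}


def effective_permissions(roles):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in roles:
        # An unknown or deleted role grants nothing (fail closed).
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def has_permission(roles, required):
    """Return True if a user holding `roles` passes a check for `required`."""
    perms = effective_permissions(roles)
    if "*" in perms:
        return True
    if required in perms:
        return True
    # Inheritance applies to view permissions only:
    # <category>.view_all satisfies a <category>.view_own check.
    category, _, action = required.rpartition(".")
    if action == "view_own" and f"{category}.view_all" in perms:
        return True
    # edit_all does NOT satisfy edit_own; there is no other implicit grant.
    return False


if __name__ == "__main__":
    print(has_permission(["Treasurer"], "family_account.view_own"))              # view_all covers view_own
    print(has_permission(["Custom Account Editor"], "family_account.edit_own"))  # edit does not chain
    print(has_permission(["Treasurer", "Family Lead"], "family_account.edit_own"))  # union of roles
```

When reviewing a custom role, the practical consequence is that granting `edit_all` without `edit_own` leaves the holder unable to pass `edit_own` checks, while granting `view_all` alone is sufficient for both view checks.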
System role immutability
Only Admin and Venue Admin have system-role protection. Attempting to edit or delete them returns an error. All other built-in roles — including Organization Admin, Event Coordinator, and Treasurer — are editable and can be deleted if your organization does not need them.
Permission cache
Permissions are cached per user for 5 minutes. Role changes clear the cache as follows:
- When an admin changes a user's roles, that individual user's permission cache is cleared immediately.
- When a role's permissions are edited, all user permission caches are cleared at once.
- Either way, the updated permissions take effect within the 5-minute window on the user's next request.
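The cache behaviour described above, sketched as an added example (not StandShare's implementation). The class name, method names, the `load_permissions` callable and the sample users are all hypothetical. It shows why both invalidation hooks matter for revocation and how the 5-minute expiry bounds staleness if a hook is ever missed.

```python
import time

CACHE_TTL_SECONDS = 5 * 60  # the page states a 5-minute per-user cache


class PermissionCache:
    """Per-user permission cache with TTL expiry and explicit invalidation."""

    def __init__(self, load_permissions, clock=time.monotonic):
        self._load = load_permissions  # hypothetical loader: user_id -> set of codes
        self._clock = clock            # injectable so expiry can be tested
        self._entries = {}             # user_id -> (expires_at, permissions)

    def get(self, user_id):
        now = self._clock()
        entry = self._entries.get(user_id)
        if entry is not None and entry[0] > now:
            return entry[1]                      # cache hit, possibly stale
        perms = frozenset(self._load(user_id))   # miss or expired: reload
        self._entries[user_id] = (now + CACHE_TTL_SECONDS, perms)
        return perms

    def on_user_roles_changed(self, user_id):
        """A user's role assignment changed: clear only that user's entry."""
        self._entries.pop(user_id, None)

    def on_role_permissions_edited(self):
        """A role definition changed: clear every user's entry."""
        self._entries.clear()


def demo():
    """Constructed scenario; returns what each user sees at each step."""
    store = {"u1": {"family_account.view_all"}, "u2": {"family_account.view_all"}}
    now = [0.0]
    cache = PermissionCache(lambda uid: store[uid], clock=lambda: now[0])
    cache.get("u1"), cache.get("u2")             # warm both entries
    store["u1"] = {"family_account.view_own"}    # u1 downgraded in the backing store
    before = cache.get("u1")                     # no invalidation yet: old grant served
    cache.on_user_roles_changed("u1")
    after = cache.get("u1")                      # next request reloads
    store["u2"] = set()                          # change made without any invalidation
    now[0] += CACHE_TTL_SECONDS + 1              # TTL bounds how long it stays stale
    expired = cache.get("u2")
    return before, after, expired
```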
Next Steps
- Permission Matrix — full table of every built-in role and its specific capabilities
- Understanding Roles and Permissions — conceptual explanation of how RBAC works in StandShare
- Manage Users and Roles — step-by-step guide to inviting users, assigning roles, and managing the admin users page