Roles Concepts
Core concepts behind roles and permissions in Rahal
This section explains how roles and permissions work in Rahal.
Role Types
Rahal has two types of roles:
Predefined Roles
Built-in roles that come with every company:
| Role | Created | Editable | Deletable |
|---|---|---|---|
| Member | Automatic | Name/description only | No |
| Manager | Automatic | Name/description only | No |
| Admin | Automatic | Name/description only | No |
Predefined roles:
- Are created automatically when a company is set up
- Have fixed permission sets that cannot be modified
- Can have their display name and description customized
- Cannot be deleted
Custom Roles
Roles created by company administrators:
| Aspect | Custom Roles |
|---|---|
| Creation | Manual by admin |
| Permissions | Fully customizable |
| Editing | Full modification |
| Deletion | Yes (if no users assigned) |
Custom roles:
- Can have any combination of permissions
- Can be modified at any time
- Can be deleted if no users are assigned
- Must have a unique code within the company
Permission System
Permission Structure
Permissions grant access to specific actions. Each permission follows a naming pattern:
| Pattern | Action | Examples |
|---|---|---|
| Read | View data | Read Users, Read Policies, Read Budgets |
| Write | Create/edit data | Write Users, Write Policies, Write Budgets |
| Delete | Remove data | Delete Users, Delete Policies, Delete Budgets |
| Process | Workflow actions | Process Booking Requests |
| Access | Feature access | Access Company Dashboard |
Permission Merging
Every company user has permissions from two sources:
Base Permissions (always included):
- Booking flights and hotels
- Viewing own travelers
- Submitting booking requests
- Managing own passports
Role Permissions (from assigned role):
- Additional capabilities based on role
- Can include dashboard access
- May include management permissions
Permission Check Flow
Role Hierarchy
While permissions are flat (not hierarchical), the predefined roles are designed with a logical progression:
This hierarchy is by design, not enforcement. Custom roles can have any combination of permissions regardless of hierarchy.
Company Isolation
Roles are scoped to companies:
- Each company has its own set of roles
- Predefined roles are created separately for each company
- Role codes must be unique within a company, not globally
- Each user belongs to one company with one assigned role
In this example, User 1 is an Admin in Company A but only a Member in Company B.
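The merging, role-editing and company-scoping rules above can be sketched as follows. This is an added Python example, not Rahal's own code: the `RoleStore` class, the company ids and the base permission names are hypothetical, and ignoring a role that belongs to a different company is an assumption about how a mismatch would be handled.

```python
from dataclasses import dataclass

# Assumed names: the page lists base capabilities in prose, not as identifiers.
BASE_PERMISSIONS = frozenset({
    "Book Flights and Hotels", "Read Own Travelers",
    "Submit Booking Requests", "Manage Own Passports",
})

@dataclass
class Role:
    company_id: str
    code: str
    permissions: frozenset
    predefined: bool = False

@dataclass
class User:
    company_id: str
    role: Role

class RoleStore:
    """Hypothetical in-memory store keyed by (company_id, code)."""
    def __init__(self):
        self.roles = {}

    def create(self, company_id, code, permissions, predefined=False):
        key = (company_id, code)
        if key in self.roles:  # unique within a company, not globally
            raise ValueError(f"role code {code!r} already exists in {company_id}")
        self.roles[key] = Role(company_id, code, frozenset(permissions), predefined)
        return self.roles[key]

    def delete(self, role, users):
        if role.predefined:
            raise PermissionError("predefined roles cannot be deleted")
        if any(u.role is role for u in users):
            raise PermissionError("role still has users assigned")
        del self.roles[(role.company_id, role.code)]

def effective_permissions(user):
    """Flat union of base and role permissions; no hierarchy is consulted."""
    if user.role.company_id != user.company_id:
        # Assumption: a role from another company contributes nothing.
        return BASE_PERMISSIONS
    return BASE_PERMISSIONS | user.role.permissions

def has_permission(user, permission):
    return permission in effective_permissions(user)
```

Because the check is a plain set union, a custom role holding only `Read Budgets` never implies `Read Users`, which is what "by design, not enforcement" means in practice.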