Permissions
Understanding the permission system and how permissions work
Permissions are the building blocks of access control in Rahal. They define exactly what actions a user can perform within the platform.
What is a Permission?
A permission grants access to a specific action or resource. When a user attempts an action, the system checks whether they have the required permission.
Permission Naming Convention
Permissions follow a consistent naming pattern combining an action with a resource:
| Action | Meaning | Examples |
|---|---|---|
| Read | View data | Read Users, Read Policies |
| Write | Create/edit data | Write Users, Write Budgets |
| Delete | Remove data | Delete Users, Delete Policies |
| Process | Workflow actions | Process Booking Requests |
| Access | Feature access | Access Company Dashboard |
Examples
| Permission | What It Allows |
|---|---|
| Read Users | View user list and details |
| Write Users | Create and edit users |
| Delete Users | Remove users |
| Process Booking Requests | Approve or reject requests |
| Access Company Dashboard | Log into admin dashboard |
Permission Types
Read Permissions
Allow viewing data without modification:
| Permission | Description |
|---|---|
| Read Users | View user list and profiles |
| Read Travelers | View traveler information |
| Read Policies | View policy configurations |
| Read Budgets | View budget settings and consumption |
| Read Booking Requests | View all booking requests |
| Read Delegations | View delegation relationships |
| Read Company Roles | View role definitions |
| Read Companies | View company information |
Write Permissions
Allow creating and modifying data:
| Permission | Description |
|---|---|
| Write Users | Create and update user accounts |
| Write Travelers | Create and edit traveler profiles |
| Write Policies | Create and modify policies |
| Write Budgets | Create and configure budgets |
| Write Delegations | Create and modify delegations |
| Write Company Roles | Create and edit roles |
| Write Companies | Modify company settings |
| Write User Passports | Upload and edit passport documents |
Delete Permissions
Allow removing data:
| Permission | Description |
|---|---|
| Delete Users | Remove user accounts |
| Delete Policies | Remove policies |
| Delete Budgets | Remove budgets |
| Delete Delegations | Remove delegations |
| Delete Company Roles | Remove custom roles |
| Delete Companies | Remove companies |
Process Permissions
Allow workflow-related actions:
| Permission | Description |
|---|---|
| Process Booking Requests | Approve or reject booking requests |
| Update Booking Requests | Modify booking request details |
Access Permissions
Control feature access:
| Permission | Description |
|---|---|
| Access Company Dashboard | Access the admin dashboard |
Permission Scoping
User-Specific vs All-Access
Some permissions come in two variants:
| All-Access | User-Specific | Difference |
|---|---|---|
| Read Booking Requests | Read User Booking Requests | View all vs own only |
| — | Write User Booking Requests | Submit own booking requests |
| — | Read User Passports | View own passport documents |
| — | Write User Passports | Manage own passports |
User-specific permissions grant access only to the user's own data, while all-access permissions grant access to all users' data.
Base User Permissions
Every company user automatically has these base permissions regardless of their assigned role:
| Permission | What It Allows |
|---|---|
| Read Hotel Offers | Search hotels |
| Book Hotel Offers | Book hotels |
| Read Flight Offers | Search flights |
| Book Flight Offers | Book flights |
| Read Travelers | View own travelers |
| Write Travelers | Create travelers |
| Read User Passports | View own passports |
| Write User Passports | Manage own passports |
| Read User Booking Requests | View own requests |
| Write User Booking Requests | Submit requests |
| Read User Policies | View assigned policies |
These base permissions enable every user to:
- Search and book travel (subject to policies)
- Manage their travelers and passports
- Submit and track booking requests
- View their policy constraints
Permission Inheritance
When a user attempts an action:
1. The system retrieves the base permissions.
2. The system retrieves the permissions from the assigned company role.
3. The permissions are merged (union of both sets).
4. The system checks whether the required permission exists in the merged set.
5. The action is allowed or denied.
Permission Groups
Permissions are organized into logical groups for easier management:
| Group | Permissions |
|---|---|
| Dashboard Access | Access Company Dashboard |
| Company Management | Read, Write, Delete Companies |
| Users Management | Read, Write, Delete Users |
| Roles Management | Read, Write, Delete Company Roles |
| Travelers | Read, Write Travelers |
| Passports | Read, Write User Passports |
| Policies | Read, Write, Delete Policies |
| Budgets | Read, Write, Delete Budgets |
| Booking Requests | Read, Process, Update Booking Requests + User variants |
| Delegations | Read, Write, Delete Delegations |
Permission Check Examples
Viewing the Roles Page
Required permission: Read Company Roles
If the user has the permission, they see the roles list. Otherwise, they receive a 403 Forbidden error.
Creating a New Role
Required permissions: Read Company Roles + Write Company Roles
Both permissions are checked:
- Read Company Roles — To view the roles page
- Write Company Roles — To create a new role
Deleting a Role
Required permissions: Read Company Roles + Delete Company Roles
Delete permissions are sensitive. Assign them carefully to prevent accidental data loss.
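The merge-and-check flow from Permission Inheritance, applied to the role-page checks above and to the all-access versus user-specific scoping of booking requests. This is an added sketch, not Rahal's own code: the function names, the data shapes and the sample roles are assumptions; the permission names and the 403 outcome come from this page.

```python
# Added illustration: function names and data shapes are assumptions, not Rahal's API.
BASE_PERMISSIONS = frozenset({
    "Read Hotel Offers", "Book Hotel Offers", "Read Flight Offers",
    "Book Flight Offers", "Read Travelers", "Write Travelers",
    "Read User Passports", "Write User Passports",
    "Read User Booking Requests", "Write User Booking Requests",
    "Read User Policies",
})

def effective_permissions(role_permissions):
    """Union of the base set and the assigned company role's permissions."""
    return BASE_PERMISSIONS | frozenset(role_permissions)

def authorize(role_permissions, required):
    """Return (status, missing): 200 only if every required permission is held."""
    missing = set(required) - effective_permissions(role_permissions)
    return (403, sorted(missing)) if missing else (200, [])

def visible_booking_requests(user_id, role_permissions, requests):
    """All-access sees every request; the user-specific variant sees own only."""
    perms = effective_permissions(role_permissions)
    if "Read Booking Requests" in perms:
        return list(requests)
    if "Read User Booking Requests" in perms:
        return [r for r in requests if r["owner"] == user_id]
    return []

# Constructed sample roles and data (not taken from a real tenant).
ROLE_VIEWER = {"Access Company Dashboard", "Read Company Roles"}
ROLE_APPROVER = {"Access Company Dashboard", "Read Booking Requests",
                 "Process Booking Requests"}
REQUESTS = [{"id": 1, "owner": "alice"}, {"id": 2, "owner": "bob"}]

if __name__ == "__main__":
    # Viewing the roles page: allowed for the viewer role.
    print(authorize(ROLE_VIEWER, ["Read Company Roles"]))
    # Creating a role: both permissions are required, so the viewer is refused.
    print(authorize(ROLE_VIEWER, ["Read Company Roles", "Write Company Roles"]))
    # Scoping: the viewer falls back to the base user-specific permission.
    print(visible_booking_requests("alice", ROLE_VIEWER, REQUESTS))
    print(visible_booking_requests("alice", ROLE_APPROVER, REQUESTS))
```

Returning the missing permissions alongside the 403 makes denied requests easy to log and review.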
Best Practices
Least Privilege Principle
Grant only the permissions necessary for the user's job function:
| ❌ Avoid | ✅ Better |
|---|---|
| Give everyone all permissions "just in case" | Start minimal and add permissions as needed |
Read Before Write
If a user needs to write, they typically also need to read:
| Combination | Result |
|---|---|
| Read Users + Write Users | Can view and edit users ✅ |
| Write Users only | Can edit but can't see the user list ❌ |
Audit Permission Assignments
Regularly review:
- Which roles have which permissions
- Who is assigned to each role
- Whether permissions still match job requirements
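One way to run that review over exported role data, shown as an added example rather than a Rahal feature: it evaluates each role against its effective set (base plus role), flags Write or Delete permissions that lack the matching Read, and lists who holds each Delete permission. The role names, the user-to-role mapping and the finding labels are constructed for illustration.

```python
# Added illustration: the export format and finding labels are assumptions.
BASE_PERMISSIONS = frozenset({
    "Read Hotel Offers", "Book Hotel Offers", "Read Flight Offers",
    "Book Flight Offers", "Read Travelers", "Write Travelers",
    "Read User Passports", "Write User Passports",
    "Read User Booking Requests", "Write User Booking Requests",
    "Read User Policies",
})

def audit(roles, assignments):
    """Return findings as (role, kind, permission, holders) tuples.

    roles:       {role name: set of permission names}
    assignments: {user: role name} (one company role per user)
    """
    findings = []
    for role, perms in sorted(roles.items()):
        # Judge the role on what its users can really do: base + role.
        effective = BASE_PERMISSIONS | set(perms)
        holders = sorted(u for u, r in assignments.items() if r == role)
        for perm in sorted(perms):
            verb, resource = perm.split(" ", 1)
            # Read Before Write: modifying a resource the user cannot view.
            if verb in ("Write", "Delete") and f"Read {resource}" not in effective:
                findings.append((role, "missing-read", perm, holders))
            # Delete permissions are sensitive: always surface who holds them.
            if verb == "Delete":
                findings.append((role, "sensitive-delete", perm, holders))
    return findings

# Constructed sample export.
ROLES = {
    "Travel Manager": {"Access Company Dashboard", "Read Policies",
                       "Write Policies", "Write Budgets", "Delete Budgets"},
    # Read User Passports comes from the base set, so this role is clean.
    "Passport Clerk": {"Write User Passports"},
}
ASSIGNMENTS = {"alice": "Travel Manager", "bob": "Passport Clerk",
               "carol": "Travel Manager"}

if __name__ == "__main__":
    for finding in audit(ROLES, ASSIGNMENTS):
        print(finding)
```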