A Complete RBAC System for Your Organization

Noova's Role & Permission Management is the access control backbone of the platform. Every module - from organization management and LMS to HR operations and AI - registers its permissions into a central registry. Administrators create custom roles, assign permissions from grouped module checklists, configure data access scoping, and build role hierarchies. Permissions respect feature flags: modules disabled for your organization have their permissions automatically hidden. Users can hold multiple roles simultaneously, and their effective permissions are the union of all assigned role permissions.

40+ Permission Module Groups

Permissions organized by module: Employees, Org Units, Positions, Courses, Quizzes, Surveys, Enrollments, Training Programs, Performance, Time Attendance, Recruitment, AI, Automation, and more.

Feature Flag Filtering

19+ feature flags control which permission modules are visible. Disabled modules (e.g., Recruitment, Time Attendance) have their permissions automatically hidden from the role editor.

Transitive Dependencies

Permission dependencies are resolved transitively - enabling ROLE_UPDATE auto-enables ROLE_ONE_VIEW which auto-enables ROLE_LIST_VIEW. The dependency confirmation modal shows what will be affected.

Multi-Role & Scope Model

Users can hold multiple roles. Data access is controlled per module per role using 5 scope types (OWN, TEAM, UNIT, ALL, CUSTOM) across 4 resource types (Employee, Org Unit, Position, Employee Group).

What Role & Permission Management Enables

Granular Access Control

Control exactly what each role can view, create, edit, and delete across every module. Permissions are toggled individually from grouped checklists in the role editor.

Org-Scoped Data Access

Restrict data visibility by org unit, team, or individual ownership. A manager sees only their unit's employees; an HR admin sees all employees.

Multi-Role Flexibility

Assign multiple roles to a single user. Their effective permissions are the union of all role permissions, enabling cross-functional access without custom role bloat.

Feature-Aware Permissions

When a module is disabled via feature flags, its permissions are automatically hidden. No stale permissions for features your organization doesn't use.

Who Benefits from Role & Permission Management

System Administrators

Create and manage custom roles, configure permissions and data scoping, and control which modules each role can access.

HR Managers

Use pre-built role presets (MANAGER, HR_STAFF, VIEWER) to quickly assign appropriate access levels to new team members.

Department Heads

Ensure team members have view or edit access only to their department's data using unit-scoped permissions.

L&D Administrators

Control who can create courses, manage quizzes, enroll learners, and view analytics through LMS-specific permission groups.

How Organizations Use Role & Permission Management

Department-Scoped HR Managers

An organization needs HR managers who can manage employees only within their own department, not across the entire company.

  • Department HR role with UNIT-scoped employee access
  • Full HR management permissions within the assigned org unit
  • No visibility into other departments' employee data
  • Multi-role assignment if an HR manager covers multiple units

Read-Only Auditors with Cross-Module Access

External auditors need view-only access across multiple modules for compliance review without the ability to modify any data.

  • Custom auditor role with view-only permissions across 8+ modules
  • ALL scope for complete data visibility during audit
  • No edit, create, or delete permissions assigned
  • Role can be removed after audit period ends

Training-Only Instructors

Instructors need to manage their own courses and quizzes but should not access HR data, employee records, or organizational settings.

  • Instructor role with LMS-only permissions (5 module groups)
  • OWN scope - instructors manage only their own courses and quizzes
  • No access to Employee, Org Unit, or Settings modules
  • Permission dependencies auto-enable prerequisite view permissions

How to Use Role & Permission Management

1. Create a Custom Role

Navigate to Role Management. Click 'Create Role' and enter a role name and description. The system checks your available role limit before creating.

2. Assign Permissions by Module

Open the role's permission editor. Browse permissions organized into 40+ module groups. Toggle individual permissions on/off. The dependency confirmation modal auto-enables prerequisites.

3. Configure Data Scoping

For each module, set the data access scope: OWN (own records), TEAM (direct reports), UNIT (org unit), ALL (everything), or CUSTOM (specific resource IDs).

4. Assign Roles to Users

Assign the role to users individually or in bulk. Users can hold multiple roles - effective permissions are the union of all assigned roles. Update assignments as team members change positions.

Complete Feature Breakdown

100+ Granular Permissions

Permissions are defined per module and collected into a central registry (ALL_PERMISSIONS). Each permission has a unique ID, English name, Vietnamese label, module key, resource type, and dependency list. The permission editor displays them grouped by module with search and expand/collapse controls.

Parent-Child Role Inheritance

Roles support parent-child relationships via the children array. A parent role's effective permissions include everything granted by its child roles, so adding a child widens the parent; this is the alanning:roles model, and that Meteor package resolves the inheritance chain. Use the addChildRole/removeChildRole methods to manage the hierarchy, and review the parent's resulting permission set after each change, since a later change to a child propagates to every parent above it.

Permission Dependencies & Auto-Enable

Each permission declares its dependencies (e.g., ROLE_UPDATE depends on ROLE_ONE_VIEW which depends on ROLE_LIST_VIEW). Enabling a permission triggers a dependency confirmation modal that shows and auto-enables all prerequisites. The system validates the entire permission set for consistency.
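As an added example (not Noova's code), the JavaScript below implements the dependency semantics described here and restated in the FAQ: the transitive closure that the confirmation modal lists, the downstream check when a permission is disabled, and a whole-set validation. The three ROLE_* IDs are from the page; ROLE_DELETE, the registry entry shape, and the helper signatures are assumptions.

```javascript
// Added example, not Noova's code. Registry entries are assumed to carry a
// module key and a list of prerequisite permission IDs; ROLE_DELETE is a
// made-up fourth entry so that two permissions share a prerequisite.
const ALL_PERMISSIONS = {
  ROLE_LIST_VIEW: { module: 'roles', dependencies: [] },
  ROLE_ONE_VIEW:  { module: 'roles', dependencies: ['ROLE_LIST_VIEW'] },
  ROLE_UPDATE:    { module: 'roles', dependencies: ['ROLE_ONE_VIEW'] },
  ROLE_DELETE:    { module: 'roles', dependencies: ['ROLE_ONE_VIEW'] },
};

// All prerequisites of permId, followed transitively (the list the
// confirmation modal shows). A prerequisite already collected is not
// revisited, so a malformed registry with a cycle still terminates.
function resolveDependencies(permId, registry = ALL_PERMISSIONS) {
  if (!registry[permId]) throw new Error(`unknown permission: ${permId}`);
  const closure = new Set();
  const stack = [...registry[permId].dependencies];
  while (stack.length > 0) {
    const id = stack.pop();
    if (closure.has(id) || id === permId) continue;
    if (!registry[id]) throw new Error(`unknown dependency: ${id}`);
    closure.add(id);
    stack.push(...registry[id].dependencies);
  }
  return [...closure].sort();
}

// Toggling a permission on: add it together with its whole closure.
function enableWithDependencies(permId, enabled, registry = ALL_PERMISSIONS) {
  const next = new Set(enabled);
  next.add(permId);
  for (const dep of resolveDependencies(permId, registry)) next.add(dep);
  return next;
}

// Toggling a permission off: which enabled permissions would lose a
// prerequisite? These are the downstream impacts to confirm with the user.
function getDependentPermissions(permId, enabled, registry = ALL_PERMISSIONS) {
  return [...enabled]
    .filter((id) => id !== permId && resolveDependencies(id, registry).includes(permId))
    .sort();
}

// Server-side check that a stored set is consistent: every enabled
// permission has all of its prerequisites enabled. Returns the violations
// (an empty array means valid) so the caller can reject the save with detail.
function validatePermissionSet(enabled, registry = ALL_PERMISSIONS) {
  const violations = [];
  for (const id of [...enabled].sort()) {
    for (const dep of resolveDependencies(id, registry)) {
      if (!enabled.has(dep)) violations.push({ permission: id, missing: dep });
    }
  }
  return violations;
}

// Walk-through: enabling ROLE_UPDATE pulls in two view permissions, and a
// client that submits ROLE_UPDATE alone is rejected by the same rule.
const fromEditor = enableWithDependencies('ROLE_UPDATE', new Set());
console.log([...fromEditor].sort());                               // ROLE_LIST_VIEW, ROLE_ONE_VIEW, ROLE_UPDATE
console.log(validatePermissionSet(new Set(['ROLE_UPDATE'])));      // two violations
console.log(getDependentPermissions('ROLE_ONE_VIEW', fromEditor)); // [ 'ROLE_UPDATE' ]
```

The modal is a client-side convenience; the set that actually reaches the database should be re-checked with validatePermissionSet on the server, because a permission set built outside the editor can omit prerequisites the UI would have added.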

Data Access Scoping

The RolePermissionScopes collection stores scope configurations per role per module. Each scope config specifies a scope type and resource type. Scopes control data visibility: OWN (own records), TEAM (direct reports), UNIT (org unit members), ALL (full access), CUSTOM (specific resource IDs).
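As an added example (not Noova's code), the JavaScript below turns the five scope types into a record filter and shows how the scopes of several roles combine for a user who holds more than one, following the union rule the page states for permissions. The five scope type names and the Employee resource type are from the page; the record fields (unitId, managerId), the scope config shape, and the function names are assumptions.

```javascript
// Added example, not Noova's code. Constructed sample records for the
// Employee resource type; the field names are assumed.
const EMPLOYEES = [
  { _id: 'e1', unitId: 'sales', managerId: null },
  { _id: 'e2', unitId: 'sales', managerId: 'e1' },
  { _id: 'e3', unitId: 'sales', managerId: 'e2' },
  { _id: 'e4', unitId: 'eng',   managerId: null },
  { _id: 'e5', unitId: 'eng',   managerId: 'e4' },
];

// Turns one scope config (assumed shape: { roleId, module, resourceType,
// type, resourceIds? }) into a predicate over records for the acting user,
// where user = { employeeId, unitId }.
function scopePredicate(scope, user) {
  switch (scope.type) {
    case 'OWN':  return (r) => r._id === user.employeeId;
    case 'TEAM': return (r) => r.managerId === user.employeeId;  // direct reports only
    case 'UNIT': return (r) => r.unitId === user.unitId;
    case 'ALL':  return () => true;
    case 'CUSTOM': {
      const allowed = new Set(scope.resourceIds ?? []);
      return (r) => allowed.has(r._id);
    }
    default:
      return () => false;  // unknown or missing scope type: fail closed
  }
}

// Records visible to a user for one module and resource type. Each of the
// user's roles contributes its own scope config and the result is the union.
// No matching config means nothing is visible, not everything.
function visibleRecords(user, scopeConfigs, module, resourceType, records) {
  const predicates = scopeConfigs
    .filter((s) => s.module === module && s.resourceType === resourceType)
    .map((s) => scopePredicate(s, user));
  if (predicates.length === 0) return [];
  return records.filter((r) => predicates.some((p) => p(r)));
}

function visibleIds(user, scopeConfigs, module, resourceType, records) {
  return visibleRecords(user, scopeConfigs, module, resourceType, records).map((r) => r._id);
}

// Walk-through: e2 leads a team in sales and also holds a department HR role.
const actor    = { employeeId: 'e2', unitId: 'sales' };
const teamLead = { roleId: 'team_lead', module: 'employees', resourceType: 'Employee', type: 'TEAM' };
const deptHr   = { roleId: 'dept_hr',   module: 'employees', resourceType: 'Employee', type: 'UNIT' };
const auditor  = { roleId: 'auditor',   module: 'employees', resourceType: 'Employee', type: 'CUSTOM', resourceIds: ['e5'] };
console.log(visibleIds(actor, [teamLead], 'employees', 'Employee', EMPLOYEES));          // [ 'e3' ]
console.log(visibleIds(actor, [teamLead, deptHr], 'employees', 'Employee', EMPLOYEES));  // [ 'e1', 'e2', 'e3' ]
console.log(visibleIds(actor, [teamLead, auditor], 'employees', 'Employee', EMPLOYEES)); // [ 'e3', 'e5' ]
```

Two practical points follow from the union: a single role with ALL scope on a module makes every narrower scope on the user's other roles irrelevant for that module, and the filter has to be applied where the data is read (in the server-side publication or method), since a client-side filter only hides records that were already sent.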

SME Role Presets

Three pre-built role presets provide starting points for common organizational roles. MANAGER (90+ permissions for team management), HR_STAFF (150+ permissions for full HR operations), and VIEWER (80+ view-only permissions). Each preset includes Vietnamese and English names, descriptions, icons, and color coding.

Feature Flag Integration

19+ feature flags map to permission module groups. When a feature is disabled (e.g., allowRecruitment = false), all permissions from that module are automatically hidden in the role editor. Core modules (Users, Roles, Courses, etc.) are always enabled regardless of feature flags.
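As an added example (not Noova's code), the JavaScript below computes a user's effective permissions under the three rules this page states: the union across all assigned roles (Multi-Role Flexibility), a parent role subsuming its children (Parent-Child Role Inheritance), and permissions of a flag-disabled module having no effect while core modules stay on (this section). The rules and allowRecruitment are from the page; the role and registry documents, the other flag and module names, and the helper names are assumptions.

```javascript
// Added example, not Noova's code. Module keys are assumed; the page names
// these modules as always enabled.
const CORE_MODULES = new Set(['users', 'roles', 'courses', 'quizzes', 'surveys', 'settings']);

// Flag that gates each non-core module. allowRecruitment is from the page;
// allowEmployees is made up for the example.
const MODULE_FLAGS = { employees: 'allowEmployees', recruitment: 'allowRecruitment' };

// Constructed registry: permission ID -> module key.
const PERMISSIONS = {
  ROLE_LIST_VIEW:        { module: 'roles' },
  COURSE_LIST_VIEW:      { module: 'courses' },
  EMPLOYEE_LIST_VIEW:    { module: 'employees' },
  RECRUITMENT_LIST_VIEW: { module: 'recruitment' },
};

// Constructed role documents. `children` uses the alanning:roles shape
// ([{ _id }]); `permissions` is what the role grants directly (assumed).
const ROLES = {
  viewer:    { permissions: ['COURSE_LIST_VIEW', 'EMPLOYEE_LIST_VIEW'], children: [] },
  recruiter: { permissions: ['RECRUITMENT_LIST_VIEW'], children: [] },
  hr_staff:  { permissions: ['ROLE_LIST_VIEW'], children: [{ _id: 'viewer' }, { _id: 'recruiter' }] },
};

// Everything a role grants, including what its children grant, transitively.
// `visited` stops a malformed hierarchy with a cycle from recursing forever;
// a reference to a role that no longer exists grants nothing.
function rolePermissions(roleId, roles = ROLES, visited = new Set()) {
  if (visited.has(roleId) || !roles[roleId]) return new Set();
  visited.add(roleId);
  const granted = new Set(roles[roleId].permissions);
  for (const child of roles[roleId].children) {
    for (const p of rolePermissions(child._id, roles, visited)) granted.add(p);
  }
  return granted;
}

// Core modules are always on; any other module needs its flag set to true.
// A module with no known flag is treated as disabled (fail closed).
function moduleEnabled(module, flags) {
  if (CORE_MODULES.has(module)) return true;
  const flag = MODULE_FLAGS[module];
  return flag !== undefined && flags[flag] === true;
}

// Union over the user's roles, then drop permissions whose module is
// disabled. The second step is what makes a stored-but-hidden permission
// grant nothing, so it belongs in the server-side check, not only the editor.
function effectivePermissions(userRoleIds, flags, roles = ROLES, registry = PERMISSIONS) {
  const union = new Set();
  for (const roleId of userRoleIds) {
    for (const p of rolePermissions(roleId, roles)) union.add(p);
  }
  return [...union]
    .filter((p) => registry[p] !== undefined && moduleEnabled(registry[p].module, flags))
    .sort();
}

function hasPermission(userRoleIds, permId, flags, roles = ROLES, registry = PERMISSIONS) {
  return effectivePermissions(userRoleIds, flags, roles, registry).includes(permId);
}

// Walk-through: the same stored roles with Recruitment switched off and on.
const recruitmentOff = { allowEmployees: true, allowRecruitment: false };
const recruitmentOn  = { allowEmployees: true, allowRecruitment: true };
console.log(hasPermission(['hr_staff'], 'RECRUITMENT_LIST_VIEW', recruitmentOff)); // false
console.log(hasPermission(['hr_staff'], 'RECRUITMENT_LIST_VIEW', recruitmentOn));  // true, with no role change
```

The last two lines are the caveat behind the FAQ's note that disabled-module permissions are retained in the database: nothing in the role has changed between the two calls, only the flag, so switching a module back on silently reactivates whatever those roles held before.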

Frequently Asked Questions

Common questions about Role & Permission Management

How many permissions are there, and how are they organized?

The system provides 100+ granular permissions organized into 40+ module groups. Module groups include: Employees, Org Units, Positions, Courses, Quizzes, Surveys, Enrollments, Certificates, Training Programs, Performance, Time Attendance, Compensation, Recruitment, Succession Planning, Lifecycle, Engagement, Meetings, AI, Automation, Career Pathing, Competency Framework, Skill Framework, Reports, System Settings, and more. Each module group contains 3-15 specific permissions (view, create, edit, delete, manage, export, etc.).

Can I create custom roles?

Yes. You can create as many custom roles as your subscription's role limit allows. Each role has a name, description, and a set of permissions selected from the grouped permission checklist. You can also configure data access scoping per module and build parent-child inheritance hierarchies. The system includes 3 pre-built SME presets (MANAGER, HR_STAFF, VIEWER) that can serve as starting templates.

How does role inheritance work?

Roles support parent-child relationships. When you add child roles to a parent role, the parent's effective permissions include every permission granted by its children; this is the alanning:roles model, and that Meteor package resolves the inheritance chains. You can manage the hierarchy using the addChildRole and removeChildRole methods. Changes to a child role propagate automatically to the parent's effective permissions, so widening a child widens every parent above it.

Can a user hold more than one role?

Yes. Users can be assigned multiple roles simultaneously. Their effective permissions are the union of all permissions from all assigned roles. This is useful for cross-functional team members who need access across multiple departments or modules. You can assign roles individually or in bulk using addMultiUsersToRole.

What scope types are available for data access?

Five scope types control data visibility per module per role: (1) OWN - user can only access their own records, (2) TEAM - access to direct reports' records, (3) UNIT - access to records within the assigned org unit, (4) ALL - full access to all records, (5) CUSTOM - access to specific resource IDs defined by the administrator. Scopes apply to 4 resource types: Employee, Org Unit, Position, and Employee Group.

How do permission dependencies work?

Each permission can declare dependencies on other permissions. For example, ROLE_UPDATE depends on ROLE_ONE_VIEW, which depends on ROLE_LIST_VIEW. When you enable a permission, the system shows a dependency confirmation modal listing all prerequisites that will be auto-enabled. When disabling, getDependentPermissions() checks for downstream impacts. The system validates the full permission set for consistency using validatePermissionSet().

What happens to permissions when a feature flag is disabled?

When a feature flag is disabled (e.g., allowRecruitment = false), all permissions belonging to that module group are hidden from the role editor. Roles that already held those permissions keep them in the database, but they grant nothing while the flag is off. The consequence to plan for: if the flag is re-enabled later, the retained permissions take effect again without any new assignment, so review the affected roles whenever a module is switched back on. Core modules (Users, Roles, Courses, Quizzes, Surveys, System Settings) are always enabled and their permissions are always visible.

Which role presets are included?

Three SME role presets are pre-configured: (1) MANAGER - 90+ permissions for team management including viewing employees, approving time-off, and conducting reviews, (2) HR_STAFF - 150+ permissions for full HR management without system-level settings access, (3) VIEWER - 80+ view-only permissions across all enabled modules. The system also has a built-in admin role with full access. Each preset includes Vietnamese and English names, descriptions, Font Awesome icons, and color coding.

Control Access with Precision

Create custom roles with 100+ granular permissions, configure data access scoping per module, and build role hierarchies with automatic inheritance.

Products

Noova: a platform that helps businesses create and build E-Learning systems for staff training and development.

Contact

  • VN-ELEARNING Technology Solutions JSC
  • 3rd Floor, No. 215 Giap Nhat, Thanh Xuan, Hanoi
  • Business Registration: 0109452237
  • Hotline: 1900 86 66 59