Dashboard access can be managed via two mechanisms - group sections and group permissions.
Sections
Sections are a high-level way to classify groups and their access level and help manage notifications.
A group can belong to one of two sections - either User section or Admin section.
User section groups can access the end-user-facing apps, such as the web or mobile app, and are blocked from accessing the Admin Dashboard.
Admin section groups can access the admin-facing Admin Dashboard.
Groups also have more granular permissions that further control their access and abilities - for example, the support group is an admin-section group, but has reduced admin permissions compared to the main admin group.
Group permissions
Rehive offers two sets of permissions on a group - admin and user.
Admin permissions dictate what actions a user can take and what information they can access in the admin API and through the Dashboard. Admin permissions give users the ability to perform actions on other users.
User permissions dictate what actions a user can take and what information they can access on their own user.
The admin group has all admin and user permissions by default. Any group created through the Dashboard has all user permissions by default.
Available permissions
All permissions have 4 possible actions that can be performed on a resource. A resource is any defined object in Rehive such as a transaction, account, user etc.
View - is allowed to view this resource.
Add* - is allowed to add/create this resource.
Change* - is allowed to edit this resource.
Delete** - is allowed to delete this resource.
*Add and change are not available for all resources.
**Delete is disabled or limited for several resources, but some have an archive option.
Admin permissions are available for the following resources:
Resource | Description |
Access control rule | Can view, add, change or delete access control rules on the project. |
Account definition | Can view, add, change or delete* account definitions on the project. |
Account | Can view, add, change or delete* all user accounts and standalone accounts on the project. |
Address | Can view, add, change or delete all addresses on all users. |
Bank account | Can view, add, change or delete all external user bank accounts added to a user, on all users. |
Currency | Can view, add, change or delete* currencies on the project. |
Company | Can view, change or delete values on the company object, such as company info, company settings, and company bank accounts. |
Crypto account | Can view, add, change or delete all external user crypto accounts added to a user, on all users. |
Device | Can view, add, change or delete all external devices added to a user, on all users. Devices on a user are used for push notifications. |
Document | Can view, add, change or delete all external user documents uploaded to a user, on all users. |
Email | Can view, add, change or delete** email addresses on all users. |
Group | Can view, add, change or delete* groups on the project. Cannot delete admin or service groups. Can also edit all group resources such as tiers, fees, limits, subtype controls, users and permissions for the group. |
Legal term | Can view, add, change or delete legal terms for the project. Legal terms refer to privacy policies, terms and conditions etc. which end-users need to accept. |
MFA | Can view, add, change or delete access to creating multi-factor authenticators on all users. |
MFA rule | Can view, add, change or delete rules that can be applied to challenge users for MFA. |
Mobile | Can view, add, change or delete** all mobile numbers added to a user, on all users. |
Notification | Can view or change platform notifications on the project. |
Request | Can view request logs on the project. |
Service | Can view, add, change or delete an extension on the project. Can only delete extensions they added. |
Token | Can view, add, change or delete API tokens for any user. |
Transaction | Can view, add, change or delete* any transaction on the project. Also allowed to create transaction collections. Also allowed to create transaction messages. |
Transaction subtypes | Can view, add, change or delete* any subtype on the project. |
User | Can view, add, change or delete* any user on the project. |
Webhook | Can view, add, change or delete all webhooks on the project. |
*Delete not available, only archive.
**Primary one cannot be deleted.
User permissions are available for the following resources:
Resource | Description |
Account definition | Can view account definitions. |
Account | Can view, add or change user accounts and standalone accounts. Users can only add an account if it is available to the group via an account definition. |
Address | Can view, add, change or delete addresses on themselves. |
Bank account | Can view, add, change or delete external user bank accounts added to themselves. |
Currency | Can view currencies on the project. |
Company | Can view values on the company object, such as company info and company bank accounts. |
Crypto account | Can view, add, change or delete external user crypto accounts added to themselves. |
Device | Can view, add, change or delete external devices on themselves. Devices on a user are used for push notifications. |
Document | Can view or add external user documents uploaded to themselves. |
Email | Can view, add or delete** email addresses on themselves. |
Group | Can view the group they are in. |
Legal term | Can view or change (accept/decline) legal terms that apply to their group. |
MFA | Can view, add, change or delete MFA on themselves. |
Mobile | Can view, add or delete** mobile numbers on themselves. |
Token | Can view, add, change or delete tokens on themselves. |
Transaction | Can view or add transactions on themselves. Also allowed to create transaction collections. Also allowed to create user transaction messages. |
Transaction subtypes | Can view subtypes on the project. |
User | Can view or change their own user info. |
*Delete not available, only archive.
**Primary one cannot be deleted.
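The section and permission rules above can be modelled for a least-privilege review of a reduced admin-section group such as support. This is an added example, not Rehive code: the `Group` structure, the function names and the `REVIEW` set are assumptions, and only the resource and action names come from the tables.

```python
from dataclasses import dataclass, field

V, A, C, D = "view", "add", "change", "delete"
ALL = {V, A, C, D}
# Actions per resource, transcribed from the two tables above ("email" = email addresses).
USER_ACTIONS = {
    "account definition": {V}, "account": {V, A, C}, "address": ALL,
    "bank account": ALL, "currency": {V}, "company": {V}, "crypto account": ALL,
    "device": ALL, "document": {V, A}, "email": {V, A, D}, "group": {V},
    "legal term": {V, C}, "mfa": ALL, "mobile": {V, A, D}, "token": ALL,
    "transaction": {V, A}, "transaction subtypes": {V}, "user": {V, C},
}
ADMIN_ONLY = {"access control rule", "mfa rule", "notification", "request", "service", "webhook"}
ADMIN_LIMITED = {"company": {V, C, D}, "notification": {V, C}, "request": {V}}
# Assumption of this example: resources whose modification affects authentication or access.
REVIEW = {"token", "mfa", "mfa rule", "access control rule", "email", "mobile", "group"}

@dataclass
class Group:  # hypothetical structure, not a Rehive API object
    name: str
    section: str  # "admin" or "user"
    admin_perms: set = field(default_factory=set)  # {(resource, action)}
    user_perms: set = field(default_factory=set)

def offered(scope, resource):
    """Actions the page lists for a resource under the admin or user permission set."""
    if scope == "user":
        return USER_ACTIONS.get(resource, set())
    if resource in USER_ACTIONS or resource in ADMIN_ONLY:
        return ADMIN_LIMITED.get(resource, ALL)
    return set()

def is_allowed(group, scope, resource, action, dashboard=False):
    """scope='user': acting on one's own user; scope='admin': acting on other users."""
    if dashboard and group.section != "admin":
        return False  # user-section groups are blocked from the Admin Dashboard
    perms = group.admin_perms if scope == "admin" else group.user_perms
    return action in offered(scope, resource) and (resource, action) in perms

def review_admin_grants(group):
    """Return (not_offered, sensitive) admin grants for a least-privilege review."""
    not_offered = sorted(p for p in group.admin_perms if p[1] not in offered("admin", p[0]))
    sensitive = sorted(p for p in group.admin_perms
                       if p[0] in REVIEW and p[1] != V and p not in not_offered)
    return not_offered, sensitive

# Constructed sample: a reduced-permission support group in the admin section.
support = Group("support", "admin",
                admin_perms={("user", V), ("transaction", V), ("token", A), ("request", C)},
                user_perms={(r, a) for r, acts in USER_ACTIONS.items() for a in acts})
```

For the constructed support group, `review_admin_grants(support)` reports the `request`/`change` grant as not offered by the table and the `token`/`add` grant as one to justify, since it lets support staff create API tokens for any user.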
Admin permission limitations
Only users in the protected admin group can access admin endpoints/functionality in Extensions. Users not in the protected admin group will not be able to view or change Extensions in the Admin Dashboard.