Authorization (HRM)
Authorization (HRM) defines Raytio's access control model. It covers user roles, role hierarchy, permissions, authorization policies, relationship-based access, and menu visibility.
Authorization (HRM) defines Raytio's access control model. It covers user roles, role hierarchy, permissions, authorization policies, relationship-based access, and menu visibility.
Raytio's authorization model combines role-based permissions, relationship-based access, policy exceptions, and menu visibility. Together these controls determine what a user can do, which records they can access, and which actions appear in the interface.
Authorization policies provide a rule-based layer of access control that sits alongside the role hierarchy and permissions system. Policies define explicit PERMIT or FORBID rules for specific principals performing specific actions on specific resources. They are particularly useful for fine-grained exceptions — granting or denying access that does not fit neatly into the role-based model.
Permissions define what operations a role can perform on which resource groups. They are the primary mechanism for controlling day-to-day access, determining whether a user can view, create, edit, or delete records in a given business area. The permission system distinguishes between ALL_RECORDS scope (access to every record in the tenant) and OWN_RECORDS scope (access only to records the user owns or that have been shared with them).
Role groups are the mechanism by which the role hierarchy is represented for relationship-based access. Each role becomes a group, and parent-child relationships between roles become parent relationships between groups. The authorization model resolves these transitively, so a user assigned to a single role automatically inherits access from every ancestor in the hierarchy.
Role menus control what users see in the Raytio UI. Each role is assigned one or more menus, and the menu entries within those menus determine which navigation items, actions, and features are visible. This ensures that users only see parts of the interface that are relevant to their role and that they are authorised to use.
Roles are the foundation of Raytio's access control model. Every user is assigned one or more roles, and those roles determine what the user can do, what they can see, and what appears in their UI. Roles are organised into a hierarchy where child roles inherit from parent roles, creating a layered permission structure.