Security
Access Control and Roles
SysOS uses role-based access control so each person has exactly the access their job requires. This article explains the model and how to apply it.
The principle of least privilege
Grant the minimum access needed. It limits accidental damage and shrinks the blast radius if an account is compromised.
Role tiers
| Role | Typical user | Scope |
|---|---|---|
| Viewer | Auditor, stakeholder | Read-only |
| Manager | Team lead | Edit within modules |
| Admin | Workspace owner | Settings and users |
| Super-admin | Platform operator | Cross-tenant |
Section access
Beyond roles, you can restrict a user to specific modules. Section access is derived from the live navigation, so it always reflects the modules your plan includes.
Support impersonation
A platform super-admin may operate within a customer workspace to provide support. These actions are flagged in an audit log and are not visible to the customer, preserving accountability.
Best practices
- Review roles on a regular schedule.
- Prefer Viewer for anyone who only needs to read.
- Keep the count of Admins and Super-admins small.