Roles & access

Edu Flick ships with seven built-in roles. Every screen, every API endpoint, every report is gated by role-based access control — and yes, you can rename them, split them, or add new ones to fit your school (e.g. Vice Principal, Head of Department, Lab In-charge).

RBAC live Server-enforced Extendable

Seven roles. Three layers of enforcement.

Route guards on the front. Policy checks at the API. Tenant filters at the row. Audit log on every sensitive write.

Need a role we don't list? Vice Principal, HoD, Coordinator, Bursar, Librarian, Lab In-charge, board observer — anything. We'll add it to your tenant with custom permissions, audited the same way.

The seven built-in roles

SA

Super Admin

School owner · IT lead

Full access to everything, including system settings, role definitions, and audit log.

Settings Users Audit All ops
P

Principal

Head of school

Full operational access. Reviews + signs off on results, certificates, admissions. No system settings.

All ops Sign-off Audit-view
T

Teacher

Class & subject teachers

Their classes, their students, their attendance, their subjects' marks. Scope follows the assignment table — no manual permission grants.

Attendance Marks Homework Announce
A

Accountant

Finance staff

Finance ops + read access to students/staff. Hooks into fees + payroll arriving in Phase 2.

Fees (P2) Payroll (P2) Students:read
HR

HR

HR & admin staff

Staff records, admissions intake, attendance registers, certificate issuance, support-staff payroll.

Staff Admissions Staff att. Certs
S

Student

Pupil

Own profile, attendance, results, homework, syllabus progress. Read-only everywhere else.

My profile My results My HW
PR

Parent

Guardian

Linked child's profile, attendance, results, fees (Phase 2), announcements addressed to them.

Child view Fees (P2) Messages
+

Custom roles

Tailored to your school

Need a Vice Principal, Department Head, Lab In-charge, Bursar, or Librarian role? We add it with a custom permission set — scoped, audited, and rolled out only to your tenant.

On request

How access is enforced

Defence in depth
  • At the route: Angular guards check the user's role before the page loads. Unauthorised users see a dedicated Forbidden screen, not a half-rendered page.
  • At the API: every controller action enforces role policy on the server. Front-end checks are never the last line.
  • At the row: a tenant filter scopes every query to the user's SchoolId. Cross-school data leakage is impossible by construction.
  • In the audit log: every sensitive write records who, when, before, after. Append-only, 7-year retained.
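
How the server-side layers described above compose on a single write, as an added example that is not Edu Flick's own code: the function names, the `marks:write` action string, the in-memory tables and the sample rows are all hypothetical and constructed for illustration. It covers the API policy check, the tenant filter, the assignment-derived Teacher scope and the audit record; the Angular route guard is a client-side layer and is left out.

```javascript
// Added illustration with hypothetical names; not Edu Flick's code.
// Constructed sample rows for two tenants (schools).
const students = [
  { id: 1, schoolId: "school-a", classId: "7B", name: "Asha", marks: 55 },
  { id: 2, schoolId: "school-a", classId: "8A", name: "Ravi", marks: 72 },
  { id: 3, schoolId: "school-b", classId: "7B", name: "Lina", marks: 40 },
];
// Assignment table: a Teacher's scope is derived from it, never granted by hand.
const assignments = [{ teacherId: "t1", schoolId: "school-a", classId: "7B" }];
// Role policy per action; an action or role that is not listed is denied.
const policy = { "marks:write": ["SuperAdmin", "Principal", "Teacher"] };
const auditLog = []; // append-only in this sketch: entries are pushed and frozen

class Forbidden extends Error {}

// API layer: role policy enforced on the server, whatever the front end did.
function requireRole(user, action) {
  if (!(policy[action] || []).includes(user.role)) throw new Forbidden(action);
}

// Row layer: every lookup goes through the tenant filter on schoolId.
function tenantScoped(user) {
  return students.filter((s) => s.schoolId === user.schoolId);
}

function updateMarks(user, studentId, marks) {
  requireRole(user, "marks:write");
  const row = tenantScoped(user).find((s) => s.id === studentId);
  if (!row) throw new Forbidden("not in tenant"); // other schools' rows are invisible
  const assigned = assignments.some(
    (a) => a.teacherId === user.id && a.schoolId === row.schoolId && a.classId === row.classId
  );
  if (user.role === "Teacher" && !assigned) throw new Forbidden("class not assigned");
  const before = row.marks;
  row.marks = marks;
  // Audit layer: who, when, before, after.
  auditLog.push(Object.freeze({
    who: user.id, when: new Date().toISOString(), action: "marks:write", studentId, before, after: marks,
  }));
  return row;
}
```

Denied requests throw before any row is changed, so only successful writes reach the audit log in this sketch.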

Where it can grow

Tailored to you
  • Rename built-in roles to your local terminology (e.g. Principal → Headmaster).
  • Split a role into multiple personas with different permission sets (e.g. Senior Teacher vs Junior Teacher).
  • Add brand-new roles for your governance model (board members, audit observers, exam controller).
  • Custom dashboards per role — surface the cards each persona actually needs first.
  • SSO with your existing identity provider (Google Workspace, Microsoft Entra) on request.

Where AI fits
  • Natural-language search scoped to each role's RBAC — a Teacher's "Show me students below 60% this term" is filtered to their classes automatically.
  • Suggested permission baselines when you add a new role — Edu Flick AI proposes a starting set from similar roles, you approve before saving.
  • Audit-log anomaly detection — surfaces unusual access patterns to the Super Admin.