Permissions
Control who sees what. Every organization is unique in how it manages data access. Grit Platform provides comprehensive, multi-layered security controls that let you precisely define who can see and edit information across your entire business.
- There are two types of permissions: PROFILES and GROUPS.
- Groups and profiles work like security groups in traditional systems. Each user has one profile that defines their base permissions, plus optional groups that grant additional access.
- When permissions are combined, the rule is additive OR: a user holds a permission if their Profile or any of their Groups grants it. If User A is given another Group that doesn't include "Edit Post", they STILL keep that ability from their Profile. Groups cannot take away what's already granted.
Use Cases
By Industries
- Healthcare Compliance: Restrict patient data access to care teams only. Hide medical records from billing staff while showing insurance information.
- Financial Services: Separate client portfolios between advisors. Give compliance officers read-only access to all transactions for auditing.
- Multi-Brand Retail: Isolate data between brand teams while giving executives cross-brand visibility for strategic decisions.
- Global Operations: Enforce data residency by region. European teams see only EU data while maintaining global reporting capabilities.
- Partner Portals: Give external partners access to specific projects without exposing internal operations or other client data.
- M&A Integration: Gradually merge data access between acquiring and acquired companies with controlled, phased permissions.
Sales Team Data Access
| Role | What They Can See | What They Can Do |
|---|---|---|
| Sales Rep | Own accounts and opportunities | Full control of their sales records |
| Finance Team | Deal amounts, not customer details | Full control of their financial records |
Data Models
PROFILES
One User can only have one Profile.
Definition
```python
# NotRequired is in typing from Python 3.11; import it from typing_extensions on older versions.
from typing import Dict, Literal, NotRequired, TypedDict

class VisibilityItemTypedDict(TypedDict):
    visible: bool

class TabVisibilityItemTypedDict(TypedDict):
    visibility: Literal['visible', 'hidden']

class ModelPermissionsTypedDict(TypedDict):
    allow_create: NotRequired[bool]
    allow_read: NotRequired[bool]
    allow_edit: NotRequired[bool]
    allow_delete: NotRequired[bool]

class ProfileConfigTypedDict(TypedDict):
    app_visibilities: NotRequired[Dict[str, VisibilityItemTypedDict]]
    tab_visibilities: NotRequired[Dict[str, TabVisibilityItemTypedDict]]
    model_permissions: NotRequired[Dict[str, ModelPermissionsTypedDict]]

class AppMetadataSettingsTypedDict(TypedDict):
    PROFILES: NotRequired[Dict[str, ProfileConfigTypedDict]]
```
Example
```python
# app/settings.py
from core.types import AppMetadataSettingsTypedDict

APP_METADATA_SETTINGS: AppMetadataSettingsTypedDict = {
    'PROFILES': {
        'standard_view': {
            'model_permissions': {
                'post': {
                    'allow_create': False,
                    'allow_read': True,
                    'allow_edit': False,
                    'allow_delete': False
                },
                'asset': {
                    'allow_create': False,
                    'allow_read': True,
                    'allow_edit': False,
                    'allow_delete': False
                }
            },
            'app_visibilities': {
                'cms': {
                    'visible': True
                }
            },
            'tab_visibilities': {
                'post': {
                    'visibility': 'visible'
                },
                'asset': {
                    'visibility': 'visible'
                }
            }
        }
    }
}
```
GROUPS
One User can have more than one Group.
Definition
```python
# NotRequired is in typing from Python 3.11; import it from typing_extensions on older versions.
from typing import Dict, Literal, NotRequired, TypedDict

class VisibilityItemTypedDict(TypedDict):
    visible: bool

class TabVisibilityItemTypedDict(TypedDict):
    visibility: Literal['visible', 'hidden']

class VisibilityConfigTypedDict(TypedDict):
    app_visibilities: NotRequired[Dict[str, VisibilityItemTypedDict]]
    tab_visibilities: NotRequired[Dict[str, TabVisibilityItemTypedDict]]

class AppMetadataSettingsTypedDict(TypedDict):
    GROUPS: NotRequired[Dict[str, VisibilityConfigTypedDict]]
```
Example
```python
# app/settings.py
from core.types import AppMetadataSettingsTypedDict

APP_METADATA_SETTINGS: AppMetadataSettingsTypedDict = {
    'GROUPS': {
        'cms': {
            'app_visibilities': {
                'cms': {
                    'visible': True
                }
            },
            'tab_visibilities': {
                'post': {
                    'visibility': 'visible'
                },
                'asset': {
                    'visibility': 'visible'
                }
            }
        }
    }
}
```
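The additive OR rule applied to settings shaped like the PROFILES and GROUPS examples above, as an added example that is not Grit Platform's own resolver. `effective_access`, `ineffective_hides`, the `restricted` group and the sample values are hypothetical, and applying OR to app and tab visibility is an assumption drawn from the combining rule stated at the top of this page.

```python
from typing import Dict, List, Sequence, Tuple

# Constructed sample in the shape of APP_METADATA_SETTINGS (values are illustrative).
SETTINGS = {
    'PROFILES': {'standard_view': {
        'model_permissions': {'post': {'allow_read': True, 'allow_edit': False}},
        'app_visibilities': {'cms': {'visible': True}},
        'tab_visibilities': {'post': {'visibility': 'visible'}},
    }},
    'GROUPS': {
        'cms': {'tab_visibilities': {'asset': {'visibility': 'visible'}}},
        # Constructed group that tries to hide what the profile already shows.
        'restricted': {'tab_visibilities': {'post': {'visibility': 'hidden'}},
                       'app_visibilities': {'cms': {'visible': False}}},
    },
}
FLAGS = ('allow_create', 'allow_read', 'allow_edit', 'allow_delete')


def effective_access(settings: dict, profile: str, groups: Sequence[str]) -> dict:
    """Hypothetical resolver: OR one profile with any number of groups."""
    prof = settings['PROFILES'][profile]  # unknown profile/group raises KeyError
    apps: Dict[str, bool] = {}
    tabs: Dict[str, bool] = {}
    for src in [prof] + [settings['GROUPS'][g] for g in groups]:
        for name, item in src.get('app_visibilities', {}).items():
            apps[name] = apps.get(name, False) or item['visible']
        for name, item in src.get('tab_visibilities', {}).items():
            tabs[name] = tabs.get(name, False) or item['visibility'] == 'visible'
    # Model permissions come from the profile only: the GROUPS schema on this page
    # has no model_permissions key. Unset flags count as denied (an assumption).
    models = {m: {f: bool(p.get(f, False)) for f in FLAGS}
              for m, p in prof.get('model_permissions', {}).items()}
    return {'apps': apps, 'tabs': tabs, 'models': models}


def ineffective_hides(settings: dict, profile: str,
                      groups: Sequence[str]) -> List[Tuple[str, str, str]]:
    """Audit: group entries set to hidden/False that the OR rule overrides."""
    eff = effective_access(settings, profile, groups)
    found = []
    for g in groups:
        cfg = settings['GROUPS'][g]
        for name, item in cfg.get('tab_visibilities', {}).items():
            if item['visibility'] == 'hidden' and eff['tabs'][name]:
                found.append((g, 'tab', name))
        for name, item in cfg.get('app_visibilities', {}).items():
            if not item['visible'] and eff['apps'][name]:
                found.append((g, 'app', name))
    return found
```

Under the additive rule, every entry returned by `ineffective_hides` is a setting that reads like a restriction but leaves the user's access unchanged, which makes it worth flagging in an access review.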