Managing Roles & Teams
Roles and teams are the building blocks of access control in Full Fabric. Roles determine what a staff member can do by assigning features. Teams group staff members together and can optionally carry data access scopes that restrict which programmes and classes the team can see.
Roles
Viewing Roles
Navigate to Settings > Authorization to see all roles in the institution. Each role displays its name and the number of staff members currently assigned to it.
Full Fabric ships with a set of built-in staff roles based on standard substates (staff::admissions, staff::finance, staff::academic, etc.). Institutions can also create custom roles with a tailored set of features.
Creating a Custom Role
To create a new role:
- Go to Settings > Authorization.
- Click Add Role.
- Enter a name for the role.
- The role is created with no features — configure them in the next step.
Duplicating a Role
Instead of starting from scratch, you can duplicate an existing staff role to use it as a starting point:
- Select the role you want to copy.
- Click Duplicate.
- Give the new role a name.
- The new role inherits all features from the source role. Adjust them as needed.
Only staff:: roles can be duplicated. Admin and lifecycle roles (student, applicant, etc.) cannot be duplicated.
Assigning Features to a Role
Each role has a set of features that determine which actions users with that role can perform. To configure features:
- Select a role from Settings > Authorization.
- Toggle individual features on or off.
- Changes take effect immediately — the serialiser cache is cleared automatically.
Features can also be updated in batch, toggling multiple features at once.
Feature Dependencies
Features can include other features. For example, granting applications_change automatically includes applications_access (read-only access to applications). When you enable a feature, its dependencies are granted as well. See Features & Permissions for details.
Internal Features
Some features are marked as internal and are only visible to admin users. Custom staff roles cannot be granted internal features unless configured by an admin.
Deleting a Role
A role can only be deleted if no profiles are currently assigned to it. To delete a role:
- Reassign or remove the role from all staff members who have it.
- Select the role in Settings > Authorization.
- Click Delete.
If any profiles still hold the role, the delete operation is rejected.
Assigning Roles to Staff
Roles are assigned to staff members from the staff profile. When creating a new staff member, you select one or more roles during creation. Roles can also be added or removed from existing profiles.
A staff member can hold multiple roles simultaneously — for example, staff::admissions and a custom "Scholarship Reviewer" role. The effective permissions are the union of all features across all assigned roles.
Admin Role Restrictions
Admin roles (admin::*) grant full platform access and bypass feature checks entirely. Assigning an admin role to a staff member requires the assigning user to also hold an admin role.
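The rules above (feature dependencies, the union across roles, the admin bypass and the admin-assignment restriction) can be modelled as follows. This is an added example, not Full Fabric code: the role contents, the `scholarships_review` feature, the "User Manager" role, the `admin::example` role name and the transitive expansion of dependencies are assumptions made for illustration.

```python
# Constructed data. Only applications_change -> applications_access is from the
# page; the other feature and role contents are hypothetical.
INCLUDES = {
    "applications_change": {"applications_access"},
    "scholarships_review": {"applications_access"},
}
ROLE_FEATURES = {
    "staff::admissions": {"applications_change"},
    "Scholarship Reviewer": {"scholarships_review"},
    "staff::finance": set(),
    "User Manager": {"authorization.users_change"},
}

def expand(features):
    """Features plus everything they include (followed transitively: an assumption)."""
    granted, stack = set(), list(features)
    while stack:
        feature = stack.pop()
        if feature not in granted:
            granted.add(feature)
            stack.extend(INCLUDES.get(feature, ()))
    return granted

def is_admin(roles):
    return any(role.startswith("admin::") for role in roles)

def effective_features(roles):
    """Union of the expanded features of every role the profile holds."""
    result = set()
    for role in roles:
        result |= expand(ROLE_FEATURES.get(role, set()))
    return result

def can(roles, feature):
    # admin::* bypasses feature checks entirely
    return is_admin(roles) or feature in effective_features(roles)

def may_assign(assigner_roles, role_to_assign):
    """users_change lets a user assign roles, but admin roles need an admin assigner."""
    if role_to_assign.startswith("admin::"):
        return is_admin(assigner_roles)
    return can(assigner_roles, "authorization.users_change")
```

When reviewing access, compute the union per profile rather than reading roles one at a time: a feature missing from one role may still be granted through another role or through a dependency.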
Teams
Teams provide a way to group staff members. They serve two purposes:
- Organisational grouping — group staff by department, office, or function for easier management.
- Data access scoping — attach an access scope to a team so that all members inherit the same data visibility rules.
Viewing Teams
Navigate to Settings > Teams to see all teams. Each team displays its name and the number of staff members assigned to it.
Creating a Team
- Go to Settings > Teams.
- Click Add Team.
- Enter a name for the team.
Assigning Staff to Teams
Staff members are assigned to teams from their profile. A staff member can belong to multiple teams.
Access Scopes on Teams
Teams can carry a data access scope that restricts which programmes, classes, courses, and subjects the team's members can see.
How Team Scopes Work
- Navigate to the team in Settings > Teams.
- Click Add Access Scope.
- Use the segment builder to define which contexts (programmes, classes, themes, etc.) the team can access.
- Save. All team members now inherit this scope.
Scope Resolution
When Full Fabric checks a staff member's data access scope, it resolves in this order:
- If the staff member has a personal access scope (set on their profile under the Permissions tab), that scope is used.
- If not, Full Fabric checks the staff member's teams. The scope from the first team that has one is used.
- If neither the profile nor any team has a scope, the staff member has unrestricted access (filtered only by their feature permissions).
This means a personal scope always takes priority over a team scope. To use team-level scoping, ensure the staff member does not have a personal scope configured.
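The resolution order above, written as an audit over staff records. This is an added example, not Full Fabric code: the class names, the sample staff, teams and programme names are constructed, and treating the order of the `teams` list as the order in which teams are checked is an assumption, since the page does not say how the "first" team is determined.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Team:
    name: str
    scope: Optional[frozenset] = None      # None = no access scope attached

@dataclass
class Staff:
    name: str
    personal_scope: Optional[frozenset] = None
    teams: list = field(default_factory=list)   # checked in list order (assumption)

def resolve_scope(staff):
    """Return (source, scope): personal scope, else first scoped team, else unrestricted."""
    if staff.personal_scope is not None:
        return ("personal", staff.personal_scope)
    for team in staff.teams:
        if team.scope is not None:
            return (f"team:{team.name}", team.scope)
    return ("unrestricted", None)

def audit(staff_list):
    """Flag profiles whose effective scope may not be what an administrator expects."""
    findings = []
    for s in staff_list:
        source, _ = resolve_scope(s)
        scoped = [t for t in s.teams if t.scope is not None]
        if source == "unrestricted":
            findings.append((s.name, "unrestricted"))
        elif source == "personal" and scoped:
            findings.append((s.name, "personal scope overrides team scope"))
        elif len(scoped) > 1:
            findings.append((s.name, f"only {source} applies; other team scopes ignored"))
    return findings

# Constructed sample data
MBA = Team("MBA Admissions", frozenset({"MBA 2025"}))
EVENTS = Team("Events")                                   # no scope attached
FINANCE = Team("Finance Office", frozenset({"MSc Finance"}))
STAFF = [
    Staff("ana", personal_scope=frozenset({"MSc Finance"}), teams=[MBA]),
    Staff("ben", teams=[EVENTS, MBA]),
    Staff("carl", teams=[EVENTS]),
    Staff("dee", teams=[MBA, FINANCE]),
]
```

Running `audit(STAFF)` before removing a scope from a team shows which members would fall through to unrestricted access, and which profiles belong to several scoped teams where only one scope is applied.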
Removing a Team Scope
Removing the access scope from a team gives all members unrestricted access again (unless they have a personal scope or belong to another team with a scope).
The Support Team
Full Fabric includes a built-in Support team that cannot be renamed or modified. This team is reserved for Full Fabric support staff and is managed by the platform.
Required Permissions
| Action | Required feature |
|---|---|
| View, create, duplicate, delete roles | authorization.roles_change |
| Add or remove features from roles | authorization.roles_change |
| View, create, update teams | authorization.teams_change |
| Configure access scopes on teams | authorization.teams_change |
| Assign roles or teams to staff | authorization.users_change |