Skip to main content
This matrix defines the actions available to each user role across all PlaneConnection modules. Permissions are enforced at both the UI and API layers — the UI hides inaccessible elements, and the API rejects unauthorized requests regardless of how they are made.

Legend

SymbolMeaning
FullCreate, read, update, and delete.
EditCreate, read, and update. No delete.
ReadRead-only access.
OwnAccess limited to records the user owns or is assigned to.
No access.
| Action | Admin | Safety Manager | Investigator | Pilot | Dispatcher | Auditor | Inspector | |--------|:-----:|:-----:|:------------:|:-----:|:----------:|:------:|:--------:| | Submit safety reports | Full | Full | Edit | Edit | Edit | — | — | | View all safety reports | Full | Full | Read | Own | Own | Read | Read | | Review and triage reports | Full | Full | — | — | — | — | — | | Manage report statuses | Full | Full | — | — | — | — | — | | Delete safety reports | Full | Full | — | — | — | — | — | | Export reports | Full | Full | — | — | — | Read | Read | | Create investigations | Full | Full | Full | — | — | — | — | | Manage investigations | Full | Full | Full | — | — | — | — | | View investigations | Full | Full | Read | Own | Own | Read | Read | | Create CPAs | Full | Full | Full | — | — | — | — | | Manage CPA statuses | Full | Full | Full | — | — | — | — | | Verify CPAs | Full | Full | — | — | — | — | — | | View CPAs | Full | Full | Read | Read | — | Read | Read | | Perform risk assessments | Full | Full | Full | — | — | — | — | | View risk assessments | Full | Full | Read | Read | Read | Read | Read | | Manage compliance | Full | Full | — | — | — | — | — | | View compliance dashboards | Full | Full | Read | — | — | Read | Read | | Generate Part 5 reports | Full | Full | — | — | — | Read | Read | | View confidential identity | Full | Full | — | — | — | — | — | | Manage safety training | Full | Full | — | — | — | — | — | | View own training records | Full | Full | Read | Read | — | Read | — |

Special Permissions

Certain actions require explicit authorization beyond the standard CRUD model.
PermissionDescriptionRoles
ApproveApprove reports, investigations, CPAs, risk assessments, compliance items, or documents for progression.Admin, Account Owner, Safety Manager, Accountable Executive, Sole Proprietor
AssignReassign investigations or CPAs to other personnel.Admin, Account Owner, Safety Manager, Sole Proprietor
ExportExport data to CSV, PDF, or external systems.Admin, Account Owner, Safety Manager, DO, Chief Pilot, DOM, Dispatcher, Auditor, Inspector, Sole Proprietor, Accountable Executive
ConfigureModify system configuration (SPIs, analytics, AI insights, workspace settings).Admin, Account Owner, Safety Manager, DO, Sole Proprietor, Chief Pilot
ImpersonateAct as another user for troubleshooting.Platform Admin only

Distinguishing Admin-Level Roles

PlaneConnection has four roles with broad administrative capabilities. Understanding the differences is important for proper role assignment.
RoleScopeKey Difference
platform_adminCross-workspacePlaneConnection staff only. Unrestricted access across all workspaces. Can impersonate users. Cannot be assigned by workspace administrators.
system_administratorCross-workspaceSystem-level administrator. Full access to all resources plus platform-level workspace management, audit, and analytics. Cannot be assigned by workspace administrators.
account_ownerSingle workspaceOrganization owner. Full access within the workspace. Can delete the organization. Each workspace has exactly one Owner.
adminSingle workspaceOrganization administrator. Full access within the workspace except organization deletion. Multiple Admins per workspace.
For most flight departments, the Account Owner role is assigned to the principal operator or accountable executive, and Admin roles are assigned to operations managers and safety directors who need full platform access.

Permission Sets

Permission sets are composable permission bundles that layer additional capabilities on top of a user’s base role. They provide flexibility for organizations whose management structures do not map cleanly to a single role.
Effective permissions = Union(base role permissions, all assigned permission sets). Permission sets can only add capabilities — they cannot remove permissions granted by the base role.

How Permission Sets Work

A permission set defines a map of resources to actions, just like a role does. When assigned to a user, the set’s permissions are merged with the user’s base role permissions. If any source (base role or any assigned set) grants an action on a resource, the user has that permission.

Creating and Managing Permission Sets

Permission sets are managed under Settings > Permission Sets by Admin or Account Owner users:
  1. Create a permission set with a name, description, and permissions JSON mapping resources to allowed actions.
  2. Assign the set to one or more users. A user can have multiple sets assigned simultaneously.
  3. Revoke a set from a user when access is no longer needed. Revocations are soft-deleted, preserving the audit trail.
  4. Delete a custom set when it is no longer needed. All user assignments are automatically removed.

System vs Custom Sets

TypeEditableDeletableDescription
SystemDescription onlyNoPre-defined sets created by PlaneConnection. Name and permissions are locked.
CustomFullyYesCreated by workspace administrators. Fully editable and deletable.

Regulatory Constraint

Access to confidential reporter identity (confidential_identity resource) is exclusively controlled by the base role matrix per 14 CFR 5.21(a)(4). Only the Safety Manager role has this access. Permission sets cannot grant or widen access to reporter identities — the confidential_identity key is automatically stripped from any permission set before it is saved.

Example Use Cases

ScenarioBase RolePermission Set
Dispatcher who needs to manage aircraft maintenance itemsdispatcherGrant maintenance_ops: [create, read, update]
Pilot who needs read access to all crew recordspilotGrant crew: [read]
Staff who needs to view compliance dashboardsstaffGrant compliance: [read]
All permission set operations are logged to the workspace audit log.

Ops-RBAC: Financial Access and Aircraft Scoping

The Operations module adds two additional permission layers beyond the standard RBAC matrix: financial access gating and aircraft scoping.

Financial Access

The accounting resource is gated by financial access. Users without financial access cannot read financial data (invoices, expenses, payment records, revenue), even if their base role includes accounting: [read]. Financial access is granted in two ways:
MethodDescription
Implicit (by role)Certain roles automatically have financial access: Director of Operations, Chief Pilot, Accountable Executive, Director of Maintenance, Sole Proprietor, System Administrator, Platform Admin, Owner, Dispatcher, and Auditor.
Explicit (by flag)Any user can be granted financial access via the financial_access flag, set by a workspace Admin under Settings > Members.
Users without financial access can still perform non-read actions on accounting if their base role permits it. For example, a pilot can submit their own expenses (accounting: [create]) without having visibility into all financial data. A safety manager can create accounting entries without seeing revenue or invoice details.

Aircraft Scoping (Owner Role)

The owner role is scoped to specific aircraft. When an aircraft owner accesses flights, aircraft records, maintenance items, or accounting data, the platform automatically filters results to only the aircraft they own.
Query TypeBehavior
List queriesResults are filtered to auth.ownedAircraftIds
Single-resource routesAccess is denied (403) if the aircraft is not in the owner’s scope
Non-owner rolesNo scoping applied — access is determined by the standard RBAC matrix
Aircraft ownership is managed under Settings > Members by assigning aircraft IDs to the aircraft owner’s profile.

Portal-Scoped Roles

Three roles are scoped exclusively to customer-facing portals and cannot access any operator-side module:
RolePortalAccess
fbo_customerFBO Customer PortalOwn reservations, invoices, profile, vehicle rentals, household members, and payment methods.
passengerPassenger PortalOwn trips, profile, documents, and messages.
charter_clientCharter Client PortalOwn trips, quotes, invoices, passengers, and messages.
Portal roles access the platform at /{workspace}/portal through a dedicated login. They see only their own data and cannot navigate to operator-side routes. Attempting to access an operator route results in a redirect to the sign-in page.
Portal users are external to the organization and should never be assigned internal workspace roles. Portal roles have no permissions defined in the internal RBAC matrix — their access is enforced through dedicated portal route handlers.

Notes

  • Own access means the user can only access records where they are the author, assignee, or a member of the assigned crew.
  • The platform_admin role (PlaneConnection staff only) has unrestricted access across all workspaces and is not subject to workspace-level permission checks. It is omitted from the matrices above for clarity.
  • The system_administrator role has full access to all resources plus platform workspace management. It is also omitted from the per-module matrices for clarity.
  • The Accountable Executive role has read and approve access across most SMS and ops resources but cannot create or manage records directly. This reflects the oversight nature of the role per 14 CFR 5.23.

User Roles

All 24 role definitions, scope, and assignment rules.

Manage Users

Invite users and assign roles.

Crew Roles

Operational crew roles (distinct from platform user roles).

Multi-Tenancy

Workspace isolation and data scoping.
Last modified on April 11, 2026