PlaneConnection uses role-based access control (RBAC) to govern what users can see and do within the platform. Roles determine access to modules, features, and actions. The platform supports 24 distinct roles organized into five categories. The canonical role list is defined in the UserRole type and enforced by the ROLE_PERMISSIONS matrix.
User roles are distinct from crew roles. A user role governs platform access; a crew role defines an individual’s function on a specific flight.
Users can hold multiple roles simultaneously within a workspace. A user’s effective
permissions are the union of all their assigned roles. For example, a chief pilot who also serves
as safety manager would hold both chief_pilot and safety_manager roles, receiving the combined
permissions of both.
Role Categories
| Category | Roles | Purpose |
|---|---|---|
| Core Workspace | 3 | Canonical roles for organization-level operations. |
| SMS / Safety | 8 | Safety management system personnel per 14 CFR Part 5. |
| Operations | 8 | Flight operations, dispatch, maintenance, and crew management. |
| Portal | 3 | Customer-facing portal access scoped to the user’s own data. |
| System | 2 | Platform-level administration across workspaces. |
Core Workspace Roles
These three roles are always available regardless of which modules are enabled.
| Role | API Value | Description | Key Capabilities | Regulatory Basis |
|---|---|---|---|---|
| Account Owner | account_owner | Organization owner with full control. Every workspace has exactly one Owner. | Full access to all modules, all resources, all actions. Can delete the organization. Manages members, invitations, subscription, and billing. | — |
| Admin | admin | Organization administrator with near-full control. | Full access to all modules and resources. Can manage users, assign roles, configure workspace settings, manage integrations and API keys, view audit logs, and manage billing. Cannot delete the organization. | — |
| Staff | staff | Basic workspace member with limited access. | Submit safety reports (own), view own investigations, read risk assessments and analytics, manage own crew profile, view own flights and accounting, read aircraft and crew records. | — |
SMS/Safety Roles
These roles support the safety management system required by FAA 14 CFR Part 5. Several are regulatory designations defined in 14 CFR.
| Role | API Value | Description | Key Capabilities | Regulatory Basis |
|---|---|---|---|---|
| Pilot | pilot | Pilot or flight crew member. | Submit safety reports, view own investigations and CPAs, read risk assessments and analytics, manage own crew profile (logbook, schedule, currency), view own flights and maintenance items. | — |
| Safety Manager | safety_manager | Designated SMS manager responsible for day-to-day safety management. | Full SMS access: manage all reports, investigations, CPAs, risk assessments, and compliance. Configure analytics and AI insights. Access confidential reporter identity. Read-only access to ops data (flights, aircraft, crew, dispatch, maintenance). | 14 CFR 5.25 |
| Accountable Executive | accountable_executive | Senior executive with ultimate SMS accountability. | Read and approve investigations, risk assessments, CPAs, compliance items, and documents. Read-only access to all safety and ops data. Export compliance and accounting data. | 14 CFR 5.23 |
| Investigator | investigator | Personnel conducting safety investigations. | Create and manage investigations, risk assessments, CPAs, and reports. Read compliance, analytics, AI insights, documents, and training records. No ops module access. | — |
| Mechanic | mechanic | Maintenance personnel (mechanics, technicians). | Submit safety reports (own), read aircraft records, create and manage maintenance ops items (due items, discrepancies, MELs), manage own crew profile and training records. | — |
| External Reporter | external_reporter | External party submitting safety reports anonymously or confidentially. | Submit safety reports only. No access to any other module or resource. | — |
| Inspector | inspector | FAA inspector with read-only audit access. | Read and export all SMS data: reports, investigations, risk assessments, CPAs, compliance, analytics, and documents. Read-only access to ops, FBO, and maintenance data for comprehensive surveillance. No write access. | — |
| Auditor | auditor | Internal or external auditor for safety assurance. | Read and export all SMS and ops data: reports, investigations, risk assessments, CPAs, compliance, analytics, documents, flights, aircraft, crew, dispatch, maintenance, accounting, reservations, training. Read users and workspace settings. | 14 CFR 5.71 |
Operations Roles
These roles manage flight operations, crew, fleet, dispatch, and financial functions. Several are management positions defined in 14 CFR 119.69.
| Role | API Value | Description | Key Capabilities | Regulatory Basis |
|---|---|---|---|---|
| Director of Operations | director_of_operations | Head of flight operations with full ops authority. | Full access to flights, aircraft, crew, dispatch, maintenance ops, owner portal, reservations, and training. Read and export SMS data. Create and manage accounting and passengers. Configure workspace settings. | 14 CFR 119.69 |
| Chief Pilot | chief_pilot | Chief pilot overseeing flight crew operations. | Full crew and training management. Create and manage flights, passengers, accounting, and reservations. Read aircraft, dispatch, and maintenance data. Read and export SMS data. Configure analytics. | 14 CFR 119.69 |
| Director of Maintenance | director_of_maintenance | Head of maintenance operations. | Full aircraft and maintenance ops management. Create accounting entries and exports. Read flights, crew, dispatch, training, compliance, and analytics. Submit own safety reports. | 14 CFR 119.69 |
| Dispatcher | dispatcher | Flight dispatcher or scheduling coordinator. | Full dispatch access. Create and manage flights, passengers, reservations, and documents. Read aircraft, crew, and maintenance data. Submit own safety reports. Create accounting entries. FBO access for ground handling coordination. | — |
| Owner | owner | Aircraft owner with portal access scoped to owned aircraft. | Full owner portal access. Read own flights, aircraft, maintenance, and accounting — scoped to owned aircraft IDs only. | — |
| Second in Command | sic | Second in command (co-pilot). | Same base permissions as Pilot: submit safety reports (own), view own flights and investigations, read aircraft and crew, manage own crew profile and training records. | 14 CFR 61.55 |
| Cabin Crew | cabin_crew | Flight attendant or cabin crew member. | Submit safety reports (own), view own flights, read aircraft and passenger records, read documents, manage own crew profile and training records. | — |
| Sole Proprietor | sole_proprietor | Individual operator wearing all hats. | Near-full access to SMS and ops: manage reports, investigations, risk assessments, CPAs, compliance, flights, aircraft, crew, dispatch, maintenance, accounting, reservations, training. Manage users (no delete). Configure workspace settings. | 14 CFR 5.9(e) |
Portal Roles
Portal roles are scoped to customer-facing portals. They cannot access operator-side modules (safety, ops, FBO staff, dispatch, crew, or settings). Portal users access the platform at /{workspace}/portal.
| Role | API Value | Description | Key Capabilities | Regulatory Basis |
|---|---|---|---|---|
| FBO Customer | fbo_customer | FBO customer with portal access. | Manage own reservations, invoices, profile, vehicle rentals, household members, and payment methods through the FBO Customer Portal. | — |
| Passenger | passenger | Passenger with portal access. | View own trips, manage profile, upload documents, and communicate with the operations team through the Passenger Portal. | — |
| Charter Client | charter_client | Charter client with portal access. | Submit trip requests, review and accept quotes, manage passengers, view invoices, and message the operations team through the Charter Client Portal. | — |
Portal-only roles that attempt to access operator-side routes receive a redirect to the sign-in
page rather than a 403 error.
System Roles
System roles operate above the workspace level and are managed by PlaneConnection staff. They cannot be assigned by workspace administrators.
| Role | API Value | Description | Key Capabilities | Regulatory Basis |
|---|---|---|---|---|
| System Administrator | system_administrator | System-wide administrator for a PlaneConnection deployment. | Full access to all resources within a workspace. Manage platform-level workspaces. Read and export platform audit logs and analytics. | — |
| Platform Admin | platform_admin | PlaneConnection super-admin with cross-workspace access. | Unrestricted access across all workspaces. Full access to all resources, platform workspaces, audit, and analytics. Can impersonate users for troubleshooting. | — |
Role Hierarchy
Roles do not follow a strict linear hierarchy. Different roles have domain-specific depth that does not fully overlap. The following shows general access breadth:
Platform Admin / System Administrator
|-- Account Owner = Admin
|-- Sole Proprietor (SMS + Ops combined)
|-- Safety Manager (full SMS)
| |-- Investigator (subset of SMS)
|-- Director of Operations (full Ops)
| |-- Chief Pilot (crew + training focus)
| |-- Director of Maintenance (aircraft + maintenance focus)
| |-- Dispatcher (scheduling + dispatch focus)
|-- Accountable Executive (read + approve across SMS and Ops)
|-- Auditor (read + export across SMS and Ops)
|-- Inspector (read + export SMS only)
Pilot = SIC = Staff (own-record access)
Mechanic (own records + maintenance ops)
Cabin Crew (own records + passenger read)
External Reporter (submit reports only)
Portal: FBO Customer | Passenger | Charter Client (own portal data only)
| Relationship | Description |
|---|---|
| Account Owner = Admin | Both have full access. Account Owner can additionally delete the organization. |
| Safety Manager vs Director of Operations | Safety Manager has full SMS + read Ops. DO has full Ops + read SMS. Neither is a superset of the other. |
| Sole Proprietor | Combines most Safety Manager and DO permissions for single-person operations. |
| Investigator | Permissions are a subset of Safety Manager (no compliance management, no confidential identity access). |
| Pilot = SIC = Staff | Same base permissions: own-record access across modules. |
| Auditor vs Inspector | Auditor has read/export across SMS and Ops. Inspector is limited to SMS read/export. |
API Role Hierarchy
The REST API uses a numeric role hierarchy for coarse-grained access checks (higher number = more privileges). This is separate from the fine-grained permission matrix used in the main app:
| Level | Roles |
|---|---|
| 8 | Platform Admin |
| 7 | System Administrator |
| 6 | Admin, Director of Operations, Accountable Executive |
| 5 | Safety Manager, Chief Pilot, Director of Maintenance, Sole Proprietor |
| 4 | Investigator, Dispatcher, Staff |
| 3 | Pilot, Mechanic, Cabin Crew |
| 2 | Owner, Auditor, Inspector |
| 1 | FBO Customer, External Reporter |
The API uses this numeric hierarchy for access control checks. The main application uses a full
permission matrix for resource-level access control, which is more granular than numeric levels.
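The level table above gives no level for account_owner, sic, passenger or charter_client, and it ranks Staff (4) above Auditor (2) although Auditor's read and export grants are far broader, so a level check cannot stand in for a resource-level check. The following added example (not PlaneConnection code) shows a fail-closed level gate and a consistency check that reports roles missing from the table. The function names, the level 0 default and the highest-role rule for multi-role users are assumptions.

```typescript
// Added example. API_ROLE_LEVEL transcribes the level table above and
// ALL_ROLES the 24 API values on this page; the function names and the
// fail-closed handling of unlisted roles are assumptions.
const API_ROLE_LEVEL: { [role: string]: number } = {
  platform_admin: 8,
  system_administrator: 7,
  admin: 6, director_of_operations: 6, accountable_executive: 6,
  safety_manager: 5, chief_pilot: 5, director_of_maintenance: 5, sole_proprietor: 5,
  investigator: 4, dispatcher: 4, staff: 4,
  pilot: 3, mechanic: 3, cabin_crew: 3,
  owner: 2, auditor: 2, inspector: 2,
  fbo_customer: 1, external_reporter: 1,
};

const ALL_ROLES: string[] = [
  "account_owner", "admin", "staff", "pilot", "safety_manager",
  "accountable_executive", "investigator", "mechanic", "external_reporter",
  "inspector", "auditor", "director_of_operations", "chief_pilot",
  "director_of_maintenance", "dispatcher", "owner", "sic", "cabin_crew",
  "sole_proprietor", "fbo_customer", "passenger", "charter_client",
  "system_administrator", "platform_admin",
];

// Level 0 for any role without an own entry in the table.
function roleLevel(role: string): number {
  const known = Object.prototype.hasOwnProperty.call(API_ROLE_LEVEL, role);
  return known ? API_ROLE_LEVEL[role] : 0;
}

// Consistency check for CI: roles that exist but have no API level.
function unmappedRoles(): string[] {
  return ALL_ROLES.filter((role) => roleLevel(role) === 0);
}

// Coarse gate: highest level among the assigned roles (an assumption that
// mirrors the union rule). A threshold below 1 is rejected as misconfigured.
function meetsLevel(roles: string[], required: number): boolean {
  const best = roles.reduce<number>((max, role) => Math.max(max, roleLevel(role)), 0);
  return required >= 1 && best >= required;
}
```

Running unmappedRoles() in a test suite turns a gap between the role list and the level table into a build failure instead of a silent allow or deny at request time.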
Multi-Role Support
Users can hold multiple roles simultaneously within a workspace. This is common in smaller operations where personnel serve multiple functions:
- A chief pilot who is also the safety manager holds both
chief_pilot and safety_manager roles.
- A director of operations who handles dispatch holds both
director_of_operations and dispatcher roles.
- A sole proprietor may additionally hold
safety_manager to gain confidential identity access.
The effective permissions are the union of all assigned roles. If any role grants an action on a resource, the user has that permission. Multi-role assignments are managed on the Members page under Settings.
Beyond multi-role assignment, PlaneConnection also supports permission
sets — composable permission bundles that layer
additional capabilities on top of a user’s base role without assigning an entirely new role.
Module-Based Role Availability
Not all roles are available in every workspace. Roles are tied to modules, and only roles whose module is enabled appear in the role assignment dropdown:
| Module Requirement | Roles |
|---|---|
| Always available | Account Owner, Admin, Staff, Pilot, Accountable Executive, Mechanic, Auditor, Sole Proprietor |
| Safety module enabled | Safety Manager, Investigator, External Reporter, Inspector |
| Ops module enabled | Director of Operations, Chief Pilot, Director of Maintenance, Dispatcher, Owner, SIC, Cabin Crew |
| Portal module enabled | FBO Customer, Passenger, Charter Client |
| System (internal only) | System Administrator, Platform Admin |
Module availability determines which roles appear in the role assignment dropdown. Roles marked “always available” appear regardless of which modules are enabled. The getAvailableRoles() function filters the dropdown based on a workspace’s enabled modules.

Cross-module access: Roles are not restricted to a single module. A role can access any module where it has permissions in the permission matrix. For example, a dispatcher (ops role) can access the FBO module because the permission matrix grants fbo: ["create", "read", "update"]. Module access is determined by permissions, not by role category. See ADR-012 for the design rationale.
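The union rule under Multi-Role Support and the cross-module access note above, worked through as an added example that is not PlaneConnection code. SAMPLE_MATRIX is a constructed excerpt whose only entry taken from this page is the dispatcher's fbo grant; the type and function names are assumptions.

```typescript
// Added example. SAMPLE_MATRIX is a constructed excerpt, not the real
// ROLE_PERMISSIONS; only the dispatcher fbo entry is quoted from the page.
type Action = "create" | "read" | "update" | "delete";
type Grants = { [resource: string]: Action[] };

const ALL: Action[] = ["create", "read", "update", "delete"];
const SAMPLE_MATRIX: { [role: string]: Grants } = {
  dispatcher: { fbo: ["create", "read", "update"], dispatch: ALL },
  chief_pilot: { crew: ALL, dispatch: ["read"] },
  safety_manager: { investigations: ALL, crew: ["read"] },
  passenger: {},
};

// Own-property lookup: role and resource names arrive from requests, so
// inherited keys such as "constructor" must never resolve to a grant.
function own<T>(obj: { [key: string]: T }, key: string): T | undefined {
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

// Union of the grants of every assigned role; unknown roles add nothing.
function effectivePermissions(roles: string[]): Grants {
  const out: Grants = {};
  roles.forEach((role) => {
    const grants: Grants = own(SAMPLE_MATRIX, role) || {};
    Object.keys(grants).forEach((resource) => {
      const merged: Action[] = own(out, resource) || [];
      grants[resource].forEach((action) => {
        if (merged.indexOf(action) === -1) merged.push(action);
      });
      out[resource] = merged;
    });
  });
  return out;
}

// Default deny: true only when some assigned role grants the action.
function can(roles: string[], resource: string, action: Action): boolean {
  const granted: Action[] = own(effectivePermissions(roles), resource) || [];
  return granted.indexOf(action) !== -1;
}
```

Because the check is keyed on the resource and not on the role's category, the dispatcher reaches fbo while a role with no fbo entry is denied by default.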
Role Assignment Rules
| Rule | Description |
|---|---|
| Multi-role support | Each user can hold one or more roles within a workspace. |
| Multi-workspace support | A user may belong to multiple workspaces with different roles in each. |
| Assignment authority | Only Account Owner and Admin users can assign or change roles within their workspace. |
| Last admin protection | The last Account Owner/Admin in a workspace cannot be downgraded or removed. |
| System roles | platform_admin and system_administrator cannot be assigned by workspace administrators. |
| Module gating | Only roles whose module is enabled in the workspace can be assigned. |
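
A server-side check for the assignment rules in the table above, as an added example that is not PlaneConnection code. The role lists are transcribed from the module availability table; the types, function names and returned rule labels are assumptions, and availableRoles() is a stand-in for the getAvailableRoles() function the page names.

```typescript
// Added example. Rule names, types and function names are assumptions;
// the role lists are transcribed from the module availability table.
type ModuleName = "safety" | "ops" | "portal";
interface Member { id: string; roles: string[] }

const ALWAYS = ["account_owner", "admin", "staff", "pilot",
  "accountable_executive", "mechanic", "auditor", "sole_proprietor"];
const BY_MODULE: { [M in ModuleName]: string[] } = {
  safety: ["safety_manager", "investigator", "external_reporter", "inspector"],
  ops: ["director_of_operations", "chief_pilot", "director_of_maintenance",
    "dispatcher", "owner", "sic", "cabin_crew"],
  portal: ["fbo_customer", "passenger", "charter_client"],
};
const SYSTEM_ROLES = ["platform_admin", "system_administrator"];

// Stand-in for the page's getAvailableRoles(); system roles never appear.
function availableRoles(enabled: ModuleName[]): string[] {
  return enabled.reduce<string[]>((acc, m) => acc.concat(BY_MODULE[m]), ALWAYS.slice());
}

function isAdmin(member: Member): boolean {
  return member.roles.some((r) => r === "account_owner" || r === "admin");
}

// Returns null when the change is allowed, else the rule that rejects it.
// An empty newRoles list models removing the member from the workspace.
function checkRoleChange(actorId: string, targetId: string, newRoles: string[],
  members: Member[], enabled: ModuleName[]): string | null {
  // Resolve the actor from stored membership, never from request claims.
  const actor = members.filter((m) => m.id === actorId)[0];
  if (!actor || !isAdmin(actor)) return "assignment_authority";
  if (newRoles.some((r) => SYSTEM_ROLES.indexOf(r) !== -1)) return "system_roles";
  const allowed = availableRoles(enabled);
  if (newRoles.some((r) => allowed.indexOf(r) === -1)) return "module_gating";
  const after = members.map((m) =>
    m.id === targetId ? { id: m.id, roles: newRoles } : m);
  if (!after.some(isAdmin)) return "last_admin_protection";
  return null;
}
```

The dropdown filter only hides roles in the UI, so the same rules have to be evaluated on the server for every assignment request.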