Permission Matrix Deep Dive
Appello's permission system provides granular control over what each user role can access across 65+ permission domains. This guide explains the permission structure, common role configurations, and how to use department-based scoping to restrict data visibility.
Permission Architecture
Appello uses a role-based access control (RBAC) model:
User → Role → Permission Matrix → Access Decision
Every user is assigned exactly one role. The role's permission matrix determines their access to every feature, module, and data field across the platform.
Permission Levels
Each permission domain supports up to four access levels:
| Level | Symbol | Description |
|---|---|---|
| View | 👁️ | Can see the data but not modify it |
| Create | ➕ | Can create new records |
| Edit | ✏️ | Can modify existing records |
| Delete | 🗑️ | Can remove records |
Some domains have additional special permissions (e.g., "Approve" for timesheets, "Export" for reports).
Permission Domains by Category
Operations (12 domains)
| Domain | Controls |
|---|---|
| Projects | Create, view, edit, delete projects |
| Jobs | Create, view, edit, delete jobs |
| Job Notes | Create, view, edit notes on jobs |
| Job Files | Upload, view, download, delete files |
| Job Photos | Upload, view, manage photos |
| Cost Codes | Manage cost codes on jobs |
| RFI | Create and manage Requests for Information |
| Documents & Policies | Access company-wide documents |
| Activity Feed | View the notes activity feed |
| Job Financial Data | View financial summaries on jobs |
| Job Settings | Configure job-level settings |
| Map | Access the administrative map view |
Scheduling (6 domains)
| Domain | Controls |
|---|---|
| Job Schedule | View and manage the job schedule |
| Calendar Schedule | Access the calendar view |
| User Workforce Schedule | View and assign in the user schedule |
| Daily Workforce | Access the daily workforce view |
| Schedule Notifications | Send schedule change notifications |
| Schedule Multi-User | Assign multiple workers or crews at once |
Workforce Admin (8 domains)
| Domain | Controls |
|---|---|
| Timesheets | View, approve, reject timesheets |
| Bulk Timesheet Entry | Use the bulk entry interface |
| Timesheet Export | Export timesheets for payroll |
| Leave Requests | View and approve leave requests |
| Employee Expenses | View and approve expenses |
| Clock In/Out Report | Access clock-in/out tracking |
| Timesheet Report | Access the timesheet report |
| Payroll Report | Generate payroll reports |
CRM & Sales (6 domains)
| Domain | Controls |
|---|---|
| Companies | Manage company records |
| Contacts | Manage contact records |
| Estimates | Create and manage estimates |
| Change Orders | Create and approve change orders |
| Sales Pipeline | Access pipeline tracking |
| Quote Letters | Generate quote letters |
Finance (8 domains)
| Domain | Controls |
|---|---|
| Invoices | Create and manage invoices |
| Progress Reports | Generate progress billing reports |
| Accounts Payable | View and manage AP |
| Accounts Receivable | View and manage AR |
| Job Financial Summary | View financial summaries |
| Budget vs Actual | Access cost tracking reports |
| Financial Settings | Configure financial parameters |
| QuickBooks Sync | Manage QBO integration |
Forms (5 domains)
| Domain | Controls |
|---|---|
| Form Builder | Create and edit form templates |
| Form Inbox | Review submitted forms |
| Form Report | Access form analytics |
| Form Assignment | Assign forms to jobs |
| Mobile Forms | Submit forms via mobile |
Equipment & Training (4 domains)
| Domain | Controls |
|---|---|
| Equipment | Manage equipment records |
| Equipment Inspection | Manage inspection records |
| Certifications | Manage certification records |
| Training Providers | Manage training provider records |
Settings & Admin (10+ domains)
| Domain | Controls |
|---|---|
| User Management | Create and manage user accounts |
| Roles & Permissions | Configure roles (admin only) |
| HR Settings | Union halls, agreements, travel, leave |
| Property Settings | Configurable data model |
| Instance Settings | System-wide configuration |
| Business Settings | Company info and financial defaults |
| Notification Control | Notification preferences |
| API Credentials | OAuth apps and API keys |
| System Logs | Audit log viewer |
| Integrations | Third-party integrations |
Mobile Application (6 domains)
| Domain | Controls |
|---|---|
| Mobile Schedule | View schedule on mobile |
| Mobile Timesheets | Submit timesheets on mobile |
| Mobile Notes | Create notes on mobile |
| Mobile Forms | Fill forms on mobile |
| Mobile Leave | Request leave on mobile |
| Mobile Expenses | Submit expenses on mobile |
Department-Based Scoping
Beyond module access, permissions can be scoped by department:
| Scope | What the User Sees |
|---|---|
| All Departments | Data across the entire organization |
| Own Department | Only data related to their department |
| Chain of Command | Their department and all child departments |
Example Scenarios
| Role | Department Scope | Effect |
|---|---|---|
| Admin | All Departments | Sees everything |
| Insulation Foreman | Mechanical Insulation only | Sees only insulation workers, schedules, timesheets |
| Sheet Metal Foreman | Sheet Metal only | Sees only sheet metal workers |
| Operations Manager | All Departments | Sees workers across all departments |
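The access decision described above (role matrix first, then department scope) can be modelled as follows. This is an added example, not Appello's code: the scope strings, the department tree with its "Field Operations" parent, the "Field Lead" role and the idea that each record carries a department are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed department tree (child -> parent); "Field Operations" is hypothetical.
PARENT = {"Mechanical Insulation": "Field Operations",
          "Sheet Metal": "Field Operations",
          "Field Operations": None}

@dataclass
class Role:
    name: str
    scope: str    # "all" | "own" | "chain" (assumed encoding of the three scopes)
    matrix: dict  # permission domain -> set of granted levels

@dataclass
class User:
    name: str
    role: Role    # exactly one role per user
    department: str

def in_chain(top, dept):
    """True if dept is top itself or one of its child departments."""
    seen = set()
    while dept is not None and dept not in seen:  # guard against a cyclic tree
        if dept == top:
            return True
        seen.add(dept)
        dept = PARENT.get(dept)
    return False

def can(user, level, domain, record_dept):
    """User -> Role -> Permission Matrix -> Access Decision, default deny."""
    if level not in user.role.matrix.get(domain, set()):
        return False                      # domain or level not granted
    scope = user.role.scope
    if scope == "all":
        return True
    if scope == "own":
        return record_dept == user.department
    if scope == "chain":
        return in_chain(user.department, record_dept)
    return False                          # unknown scope value: deny

foreman = User("foreman", Role("Insulation Foreman", "own",
               {"Timesheets": {"view"}}), "Mechanical Insulation")
ops = User("ops", Role("Operations Manager", "all",
           {"Timesheets": {"view", "approve"}}), "Field Operations")
lead = User("lead", Role("Field Lead (hypothetical)", "chain",
            {"Timesheets": {"view"}}), "Field Operations")

if __name__ == "__main__":
    for u in (foreman, ops, lead):
        print(u.role.name, can(u, "view", "Timesheets", "Sheet Metal"))
```

Both checks must pass: a granted level in the matrix does not help outside the user's scope, and a wide scope does not grant a level the matrix lacks.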
Common Role Templates
Admin (Full Access)
All permissions enabled across all domains. Use for company owners, office managers, and IT administrators.
Project Manager
| Category | Access |
|---|---|
| Operations | Full CRUD |
| Scheduling | View + Create |
| Finance | View (no delete) |
| CRM | View + Create |
| Reports | Full access |
| Settings | View only |
Field Supervisor / Foreman
| Category | Access |
|---|---|
| Operations | View + Create notes |
| Scheduling | View only |
| Timesheets | Bulk entry + view |
| Forms | Submit + view |
| Mobile | Full mobile access |
| Finance | No access |
| Settings | No access |
Field Worker
| Category | Access |
|---|---|
| Mobile Schedule | View only |
| Mobile Timesheets | Submit own |
| Mobile Forms | Submit assigned forms |
| Mobile Notes | Create notes |
| Desktop | No access (mobile-only role) |
Best Practices
- Start from a built-in role — Duplicate Admin, Field Supervisor, or Field Worker and adjust.
- Use department scoping — Don't give everyone "All Departments" access.
- Audit regularly — Review the Active Permissions view periodically.
- Test with a real user — After configuring, log in as a user with that role to verify the experience.