
Manage Permissions

How to manage roles and permissions in the LysisAI Platform.


Prerequisites

Before you begin

  • You are logged in as Administrator
  • You understand the different roles in the system
  • Only administrators can manage permissions

What are Permissions?

Permissions control who can do what in the LysisAI Platform:

  • Role-based Access - Each user has a role with defined permissions
  • Feature Control - Determines which features are visible
  • Data Isolation - Ensures users only see their own data
  • Secure Separation - Tenants have no access to admin functions

Permissions Overview


Role Overview

Standard Roles

The LysisAI Platform has three predefined roles:

Role          | Target Group                 | Main Tasks
Administrator | IT Managers, Management      | Complete system administration
Employee      | Tax Consultants, Accountants | Client support, document management
Tenant        | Customers, Clients           | Document upload, communication



Administrator Permissions

What Can an Administrator Do?

Administrators have full access to all functions:

User Management

  • ✅ Create, edit, delete users
  • ✅ Assign and change roles
  • ✅ Reset passwords
  • ✅ Activate/deactivate users

Tenant Management

  • ✅ Create, edit, delete tenants
  • ✅ Assign employees
  • ✅ View all tenant data
  • ✅ Change tenant status

System Settings

  • ✅ Configure system parameters
  • ✅ Manage email settings
  • ✅ Change plugin settings
  • ✅ Activate maintenance mode
  • ✅ Create and restore backups
  • ✅ View audit logs

Document Management

  • ✅ See all documents of all tenants
  • ✅ Upload/download documents
  • ✅ Manage categories
  • ✅ Delete documents

Communication

  • ✅ View all conversations
  • ✅ Communicate with all users
  • ✅ Manage notification settings

Administrator Responsibility

With great power comes great responsibility. Administrators should handle sensitive data carefully and document changes.


Employee Permissions

What Can an Employee Do?

Employees have restricted access to assigned tenants:

Tenant Access

  • ✅ See only assigned tenants
  • ✅ View documents of assigned tenants
  • ✅ Upload documents for tenants
  • ✅ Communicate with assigned tenants
  • ❌ Create new tenants
  • ❌ See other tenants

Document Management

  • ✅ Manage documents of assigned tenants
  • ✅ Upload documents (for tenants)
  • ✅ Download documents
  • ✅ Organize documents into categories
  • ❌ Create/delete categories (assign only)

Communication

  • ✅ Conversations with assigned tenants
  • ✅ Send and receive messages
  • ✅ Share files in conversations
  • ❌ See conversations of other employees

System

  • ✅ Edit own profile
  • ✅ Change password
  • ✅ Customize notification settings
  • ❌ Change system settings
  • ❌ Manage other users
  • ❌ View audit logs

Employee View

Tenant Assignment

Employees only see tenants that have been explicitly assigned to them by an administrator.


Tenant Permissions

What Can a Tenant Do?

Tenants have very restricted access, limited to their own data:

Own Documents

  • ✅ Upload own documents
  • ✅ Download own documents
  • ✅ View own documents
  • ❌ See documents of other tenants
  • ❌ Delete documents (only admin/employee)

Communication

  • ✅ Start conversations with assigned employees
  • ✅ Reply to messages
  • ✅ Attach files in conversations
  • ❌ Communicate with other tenants
  • ❌ Communicate with non-assigned employees

Profile

  • ✅ View own profile
  • ✅ Change password
  • ✅ Customize notification settings
  • ❌ Change own email address (only admin)
  • ❌ Change role

System

  • ❌ No system settings visible
  • ❌ No user management
  • ❌ No tenant management
  • ❌ No admin functions

Tenant View

Data Protection

Tenants see exclusively their own data. Isolation between tenants is guaranteed.


Assign Permissions

Change a User's Role

How to change the role of an existing user:

  1. Go to Administration → Users
  2. Click the Edit icon next to the user
  3. Select the new Role from the dropdown
  4. Click Save

Change Role

Role Change

The role takes effect immediately. The user is automatically logged out and must log in again.


Assign Tenants (for Employees)

How to assign tenants to an employee:

Via User Management:

  1. Open the employee for editing
  2. Select Assign Tenants
  3. Select tenants from the list
  4. Click Save

Via Tenant Management:

  1. Open the tenant for editing
  2. Select Add Employee
  3. Select employees from the list
  4. Click Save

Assign Tenants

Bidirectional Assignment

The assignment works both ways. You can assign either from the employee or from the tenant.


Permission Matrix

Detailed Overview of All Permissions

Function Administrator Employee Tenant
User Management
Create users
Edit users
Delete users
Assign roles
Tenant Management
Create tenants
Edit tenants
Delete tenants
Assign employees
See own tenants ✅ (assigned)
Document Management
See all documents
See tenant documents ✅ (assigned) ✅ (own)
Upload documents ✅ (for tenants) ✅ (own)
Download documents ✅ (assigned) ✅ (own)
Delete documents ✅ (assigned)
Manage categories
Communication
See all conversations
Start conversations ✅ (with tenants) ✅ (with employees)
Send messages
Attach files
System Settings
System settings
Email settings
Plugin settings
Maintenance mode
Backup/Restore
Audit logs
Profile
Edit own profile
Change password
Change email ✅ (all)
Notifications
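
The role model above can be expressed as a deny-by-default check. The following is an added example, not code from the LysisAI Platform; the action names, the User class and the sample users and tenant ids are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ADMIN, EMPLOYEE, TENANT = "administrator", "employee", "tenant"

# Tenant-scoped actions per role, taken from the role sections on this page.
# The action names themselves are hypothetical.
SCOPED = {
    EMPLOYEE: {"view_documents", "upload_document", "download_document",
               "delete_document", "start_conversation"},
    TENANT: {"view_documents", "upload_document", "download_document",
             "start_conversation"},
}
# Functions the page reserves for administrators.
ADMIN_ONLY = {"create_user", "assign_role", "create_tenant",
              "change_system_settings", "view_audit_log"}
KNOWN_ACTIONS = ADMIN_ONLY | SCOPED[EMPLOYEE] | SCOPED[TENANT]


@dataclass(frozen=True)
class User:
    name: str
    role: str
    own_tenant: Optional[str] = None       # set for tenant users only
    assigned: frozenset = frozenset()      # tenants assigned to an employee


def can(user: User, action: str, tenant_id: Optional[str] = None) -> bool:
    """Deny by default: allow only if the role grants the action in scope."""
    if action not in KNOWN_ACTIONS:
        return False                       # unknown action
    if user.role == ADMIN:
        return True                        # full access to all functions
    if action not in SCOPED.get(user.role, set()) or tenant_id is None:
        return False                       # admin-only, unknown role, no scope
    if user.role == EMPLOYEE:
        return tenant_id in user.assigned  # explicitly assigned tenants only
    return tenant_id == user.own_tenant    # tenant: own data only


def visible_tenants(user: User, all_tenants):
    """Tenants whose documents the user may view."""
    return sorted(t for t in all_tenants if can(user, "view_documents", t))


# Constructed sample users and tenant ids.
TENANTS = ["T1", "T2", "T3"]
admin = User("root", ADMIN)
clerk = User("clerk", EMPLOYEE, assigned=frozenset({"T1", "T2"}))
client = User("client", TENANT, own_tenant="T3")
```

Running visible_tenants for each sample user after a role or assignment change is a quick way to confirm that an employee sees only assigned tenants and a tenant sees only its own data.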

Best Practices

  1. Minimal Rights:
       • Grant only the minimum necessary permissions
       • Apply "need-to-know" principle
       • Review regularly

  2. Administrator Roles:
       • Maximum 2-3 administrators per organization
       • Log activities (audit log)
       • Enable two-factor authentication (if available)

  3. Employee Assignment:
       • Define clear areas of responsibility
       • Don't assign all tenants to all employees
       • Document backup arrangements

  4. Tenant Isolation:
       • Ensure tenants cannot see each other
       • No sensitive information in shared areas
       • Follow data protection guidelines

Security Policies

Password Policies

Configure secure password requirements:

  1. Minimum Length: 8-12 characters (recommended: 12+)

  2. Complexity:
       • Upper and lowercase letters
       • At least one number
       • At least one special character

  3. Expiration: 90 days (optional)

  4. Reuse: Last 5 passwords not allowed



Session Security

Configure session parameters:

  1. Session Timeout:
       • Inactivity timeout: 30 minutes (recommended)
       • Maximum session duration: 8 hours

  2. Multiple Login:
       • Allow (default)
       • Deny (higher security)

  3. Auto-Logout:
       • On inactivity
       • On browser close (optional)

Audit Logging

Log Permission Changes

All permission changes are automatically logged in the audit log:

What is logged:

  • Role changes (who, when, from/to)
  • Tenant assignments (who was assigned to whom)
  • Permission violations (attempted unauthorized access)
  • Admin actions (critical system changes)

View:

  1. Go to Settings → Audit Log
  2. Filter by Permissions as event type
  3. View all changes chronologically

Audit Log

GDPR Compliance

IP addresses are stored anonymized (last octet = .0)


Common Scenarios

Scenario 1: New Employee

  1. Create user with employee role
  2. Assign tenants they should manage
  3. Verify welcome email
  4. Ensure onboarding

Scenario 2: Employee Changes Department

  1. Remove old tenant assignments
  2. Assign new tenants
  3. Inform employee
  4. Document handover

Scenario 3: Tenant Cancels

  1. Deactivate tenant (don't delete immediately!)
  2. Check retention periods (tax documents!)
  3. After expiration: Delete tenant and data
  4. Document the deletion in a GDPR-compliant manner

Scenario 4: Compromised Account

  1. Immediately deactivate user
  2. Reset password
  3. Check audit log (what was done?)
  4. Document security incident
  5. Inform user and reactivate
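
For the "Check audit log" step in Scenario 4, and the logged event types listed under Audit Logging, the following added example (not part of the platform) reviews exported audit entries for one account. The entry format, field names, account names and timestamps are constructed assumptions; only the event types and the zeroed last octet come from this page.

```python
import ipaddress
from datetime import datetime

PERMISSION_EVENTS = ("role_change", "tenant_assignment")


def anonymize_ip(ip: str) -> str:
    """Zero the last octet of an IPv4 address (the stored form described above)."""
    return str(ipaddress.IPv4Network(f"{ip}/24", strict=False).network_address)


# Constructed audit entries; field names and values are assumptions.
SAMPLE_LOG = [
    {"ts": "2024-05-02T09:01:00", "actor": "admin2", "event": "admin_action",
     "ip": anonymize_ip("198.51.100.23"), "detail": "email settings changed"},
    {"ts": "2024-05-06T22:41:00", "actor": "admin2", "event": "role_change",
     "ip": anonymize_ip("203.0.113.77"), "detail": "user=u-104 employee->administrator"},
    {"ts": "2024-05-06T22:44:00", "actor": "admin2", "event": "tenant_assignment",
     "ip": anonymize_ip("203.0.113.77"), "detail": "employee=u-104 tenant=T-17"},
    {"ts": "2024-05-06T22:50:00", "actor": "u-200", "event": "permission_violation",
     "ip": anonymize_ip("198.51.100.40"), "detail": "audit log access denied"},
    {"ts": "2024-05-07T08:00:00", "actor": "admin2", "event": "admin_action",
     "ip": anonymize_ip("198.51.100.23"), "detail": "backup created"},
]


def triage(entries, account, suspected_since):
    """Summarize what an account did from the suspected compromise time on."""
    since = datetime.fromisoformat(suspected_since)
    mine = [e for e in entries if e["actor"] == account]
    # Networks the account used before the window form the baseline.
    baseline = {e["ip"] for e in mine if datetime.fromisoformat(e["ts"]) < since}
    window = [e for e in mine if datetime.fromisoformat(e["ts"]) >= since]
    return {
        # Everything done in the window, in log order.
        "actions": [(e["ts"], e["event"], e["detail"]) for e in window],
        # With the last octet zeroed, sources can only be compared per /24.
        "new_networks": sorted({e["ip"] for e in window} - baseline),
        # Permission changes made in the window need review and possibly reverting.
        "to_revert": [e for e in window if e["event"] in PERMISSION_EVENTS],
    }


report = triage(SAMPLE_LOG, "admin2", "2024-05-06T00:00:00")
```

Because stored addresses end in .0, two different hosts in the same /24 are indistinguishable in this review, so a match against the baseline network does not by itself clear an action.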

Troubleshooting

Problem                    | Solution
Employee cannot see tenant | Check tenant assignment
User cannot use function   | Check role and permissions
"Access denied" error      | User lacks required permission
Role change not working    | User must log in again
Tenant sees admin menu     | CRITICAL - Check and correct role!

Extended Permissions (Future)

Planned Features

The following features are planned for future versions:

  • Custom Roles - Create custom roles with individual permissions
  • Fine-grained Permissions - Granular control of individual functions
  • Temporary Access - Grant time-limited access
  • Approval Workflows - Approval processes for critical actions
  • Two-Factor Authentication - Additional security layer