Documentation Index
Fetch the complete documentation index at: https://docs.encoreos.io/llms.txt
Use this file to discover all available pages before exploring further.
Version: 1.0.0
Date: 2026-01-12
Status: Active
Overview
This document defines the standard pattern and conventions for permission keys used throughout the Encore Health OS platform. Permission keys control access to features, entities, and actions within the system.
Standard Pattern
{module}.{entity}.{action}
Components
- Module (required): The module identifier (e.g.,
hr, fa, rh, fw, it, gr, fm, lo, pf)
- Entity (required): The entity or feature being accessed (e.g.,
employees, bills, residents, forms, assets)
- Action (required): The action verb describing the permission (e.g.,
view, create, edit, manage, admin)
Examples
hr.employees.view # View employees
hr.employees.create # Create new employees
hr.employees.edit # Edit existing employees
fa.bills.approve # Approve bills
rh.residents.manage # Full CRUD on residents
fw.forms.admin # Full control including settings
it.tickets.view # View IT tickets
Action Verb Definitions
View Permissions
| Action | Description | Use Case |
|---|
.view | Read-only access to view entity | Viewing list or detail pages |
.list | Access to list view (subset of view) | When list access differs from detail access |
.view is preferred over .list unless there’s a specific need to distinguish list vs. detail access.
Create/Edit Permissions
| Action | Description | Use Case |
|---|
.create | Create new records | Creating new entities |
.edit | Edit existing records | Editing existing entities |
.delete | Delete records | Deleting entities (rare, usually part of manage) |
Manage Permissions
| Action | Description | Use Case |
|---|
.manage | Full CRUD operations (create, read, update, delete) | Preferred over separate create/edit/delete permissions for most entities |
.manage for most entities unless there’s a specific business need to separate create/edit/delete permissions.
Administrative Permissions
| Action | Description | Use Case |
|---|
.admin | Full control including settings, configuration, and administrative functions | Module settings, configuration, advanced features |
.admin for:
- Module-level settings
- Configuration pages
- Administrative functions
- Advanced features requiring elevated privileges
Workflow Permissions
| Action | Description | Use Case |
|---|
.approve | Approval workflow access | Approving requests, workflows, transactions |
.reports | Report generation access | Generating and viewing reports |
Specialized Permissions
| Action | Description | Use Case |
|---|
.cab | Change Advisory Board access | IT change management CAB review |
.manage | Template/configuration management | Managing templates, configurations |
Module-Specific Examples
HR Module
hr.employees.view # View employees
hr.employees.create # Create new employees
hr.employees.edit # Edit existing employees
hr.employees.manage # Full CRUD on employees
hr.credentials.view # View credentials
hr.credentials.manage # Manage credentials (CRUD)
hr.credentials.admin # Credential types and requirements configuration
hr.performance.view # View performance data
hr.performance.manage # Manage performance reviews
hr.performance.admin # Performance settings and configuration
hr.payroll.view # View payroll data
hr.payroll.admin # Payroll runs and settings
hr.leave.view # View leave data
hr.leave.manage # Manage leave policies
hr.timesheets.view # View timesheets
hr.timesheets.approve # Approve timesheets
hr.benefits.view # View benefits
hr.benefits.admin # Benefits configuration
Finance & Accounting Module
fa.accounts.view # View chart of accounts
fa.accounts.manage # Manage accounts
fa.bills.view # View bills
fa.bills.create # Create bills
fa.bills.approve # Approve bills
fa.bills.manage # Full CRUD on bills
fa.transactions.view # View transactions
fa.transactions.create # Create transactions
fa.reports.view # View financial reports
fa.reports.generate # Generate reports
fa.admin # Full module access
Recovery Housing Module
rh.residents.view # View residents
rh.residents.create # Create new residents
rh.residents.manage # Full CRUD on residents
rh.beds.view # View bed management
rh.beds.manage # Manage beds
rh.admissions.view # View admissions
rh.admissions.create # Create admissions
rh.compliance.view # View compliance
rh.compliance.manage # Manage compliance requirements
fw.forms.view # View forms
fw.forms.create # Create forms
fw.forms.edit # Edit forms
fw.submissions.view # View submissions
fw.submissions.manage # Manage submissions
fw.automations.view # View automations
fw.automations.manage # Manage automations
fw.approvals.view # View approval inbox
fw.approvals.approve # Approve requests
fw.templates.view # View templates
fw.templates.manage # Manage templates
fw.admin # Full module access
IT Operations Module
it.assets.view # View IT assets
it.assets.create # Create assets
it.assets.edit # Edit assets
it.tickets.view # View tickets
it.tickets.create # Create tickets
it.tickets.manage # Manage tickets
it.licenses.view # View licenses
it.licenses.create # Create licenses
it.licenses.edit # Edit licenses
it.security.view # View security dashboard
it.security.manage # Manage security items
it.changes.view # View change requests
it.changes.create # Create change requests
it.changes.approve # Approve changes
it.changes.cab # CAB review access
it.changes.manage # Manage change templates
it.reports.view # View reports
it.reports.create # Create reports
Permission Key Consistency
Standardization Rules
- Use
.manage for CRUD operations unless there’s a specific business need to separate create/edit/delete
- Use
.admin for settings and configuration, not for regular CRUD operations
- Use
.view for read access, prefer over .list unless distinction is needed
- Use
.approve for approval workflows, not .manage or .admin
- Use module-level
.admin for full module access and settings
Common Inconsistencies to Avoid
❌ Wrong:
hr.credentials.admin # Used for CRUD operations
fa.bills.manage # Used for settings
fw.forms.admin # Used for regular editing
hr.credentials.manage # For CRUD operations
hr.credentials.admin # For credential types/requirements configuration
fa.bills.manage # For CRUD operations
fa.bills.approve # For approval workflow
fw.forms.edit # For editing forms
fw.admin # For module settings
Migration Guide
Standardizing Existing Permissions
When standardizing existing permission keys:
- Audit current usage - Identify all permission keys in use
- Map to standard pattern - Determine correct action verb
- Update code references - Update all code using old permission keys
- Update database - Migrate permission assignments
- Update documentation - Update navigation worksheets and specs
Example Migration
Before:
hr.credentials.admin # Used for both CRUD and configuration
hr.credentials.manage # For CRUD operations
hr.credentials.admin # For configuration only
Navigation Integration
Permission keys are used in navigation to control visibility:
{
label: "Employees",
route: "/hr/employees",
permission: "hr.employees.view", // Required permission
}
See Also
src/platform/permissions/constants.ts - Permission definitionssrc/platform/modules/module-registry.ts - Navigation permission usageAGENTS.md §Permissions System Patterns - Permission system patternsspecs/pf/PF-30-permissions-system-v2.md - Permissions system specification
