Overview
This guide covers administrative configuration for the reporting system: permission management, export storage, and operational settings.Permission Model
Four Permission Flags
Grant Types
- User-specific: Grant permissions to a specific user by UUID
- Role-based: Grant permissions to all users with a specific role (org_admin, staff, site_admin)
RLS Enforcement
Permissions are enforced via Row-Level Security using thepf_is_report_owner_or_admin SECURITY DEFINER function. Only the report owner or org admins can manage permissions.
Export & Storage
Storage Bucket
- Bucket:
reports-exports - Path convention:
{organization_id}/{execution_id}/{filename}.{ext} - Org isolation: Storage RLS policies ensure users can only access files within their organization
Signed URLs
- Expiry: 24 hours from generation
- Generated automatically after export
- Users can re-export or find download links in run history
Row Limit
All exports are capped at 10,000 rows (NFR-2). If a report result exceeds this limit, the export button is disabled. Users should apply filters to reduce the result set.Export Formats
Execution Record Updates
After export, thepf_report_executions row is updated:
exported_format— The format used (csv, excel, pdf, json)exported_file_path— Storage path to the exported file
Best Practices
- Least privilege — Grant only the permissions each user/role needs
- Audit exports — Check run history to see who exported what and when
- Storage retention — Exported files persist in storage; consider periodic cleanup
- Row limits — Encourage users to filter reports before exporting large datasets