Skip to main content

Overview

This guide covers administrative configuration for the reporting system: permission management, export storage, and operational settings.

Permission Model

Four Permission Flags

Grant Types

  • User-specific: Grant permissions to a specific user by UUID
  • Role-based: Grant permissions to all users with a specific role (org_admin, staff, site_admin)

RLS Enforcement

Permissions are enforced via Row-Level Security using the pf_is_report_owner_or_admin SECURITY DEFINER function. Only the report owner or org admins can manage permissions.

Export & Storage

Storage Bucket

  • Bucket: reports-exports
  • Path convention: {organization_id}/{execution_id}/{filename}.{ext}
  • Org isolation: Storage RLS policies ensure users can only access files within their organization

Signed URLs

  • Expiry: 24 hours from generation
  • Generated automatically after export
  • Users can re-export or find download links in run history

Row Limit

All exports are capped at 10,000 rows (NFR-2). If a report result exceeds this limit, the export button is disabled. Users should apply filters to reduce the result set.

Export Formats

Execution Record Updates

After export, the pf_report_executions row is updated:
  • exported_format — The format used (csv, excel, pdf, json)
  • exported_file_path — Storage path to the exported file

Best Practices

  1. Least privilege — Grant only the permissions each user/role needs
  2. Audit exports — Check run history to see who exported what and when
  3. Storage retention — Exported files persist in storage; consider periodic cleanup
  4. Row limits — Encourage users to filter reports before exporting large datasets

Troubleshooting

References