Feature: Report Permissions & Export Storage
Spec: PF-12 Phase 5 & 6
Last Updated: 2026-03-15
Overview
This guide covers administrative configuration for the reporting system: permission management, export storage, and operational settings.
Permission Model
Four Permission Flags
| Flag | Description |
|---|---|
| can_view | Read access to report definition and results |
| can_run | Execute the report with parameters |
| can_edit | Modify report definition and manage permissions |
| can_schedule | Create and manage scheduled report runs |
Grant Types
- User-specific: Grant permissions to a specific user by UUID
- Role-based: Grant permissions to all users with a specific role (org_admin, staff, site_admin)
RLS Enforcement
Permissions are enforced via Row-Level Security using the pf_is_report_owner_or_admin SECURITY DEFINER function. Only the report owner or org admins can manage permissions.
Export & Storage
Storage Bucket
- Bucket: reports-exports
- Path convention: {organization_id}/{execution_id}/{filename}.{ext}
- Org isolation: Storage RLS policies ensure users can only access files within their organization
Signed URLs
- Expiry: 24 hours from generation
- Generated automatically after export
- Users can re-export or find download links in run history
Row Limit
All exports are capped at 10,000 rows (NFR-2). If a report result exceeds this limit, the export button is disabled. Users should apply filters to reduce the result set.
Export Formats
| Format | Generation | Notes |
|---|---|---|
| CSV | Client-side | UTF-8 with BOM for Excel compatibility |
| JSON | Client-side | Pretty-printed, array of objects |
| Excel | Edge function (export-report) | Uses ExcelJS; styled header row |
| PDF | Edge function (export-report) | Simple tabular layout |
Execution Record Updates
After export, the pf_report_executions row is updated:
- exported_format: The format used (csv, excel, pdf, json)
- exported_file_path: Storage path to the exported file
Best Practices
- Least privilege — Grant only the permissions each user/role needs
- Audit exports — Check run history to see who exported what and when
- Storage retention — Exported files persist in storage; consider periodic cleanup
- Row limits — Encourage users to filter reports before exporting large datasets
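The "Audit exports" practice can be partly automated by checking each execution record's exported_file_path against the documented path convention and its exported_format. The JavaScript below is an added example, not EncoreOS code; the row fields id and organization_id, UUID-shaped identifiers, and the format-to-extension map (including xlsx for Excel) are assumptions.

```javascript
// Added example: audit export records against the documented path convention
// {organization_id}/{execution_id}/{filename}.{ext}.
// Assumptions (not from the docs): row fields `id` and `organization_id`,
// UUID-shaped ids, and the format-to-extension map below.
const UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const EXT_BY_FORMAT = { csv: "csv", json: "json", excel: "xlsx", pdf: "pdf" };

// Returns a list of findings for one pf_report_executions-style row.
function auditExportRow(row) {
  const findings = [];
  const path = row.exported_file_path;
  if (!path) return findings; // never exported, nothing to check
  const parts = path.split("/");
  if (parts.length !== 3 || parts.some((p) => p === "" || p === "." || p === "..")) {
    return ["path does not have exactly org/execution/file segments"];
  }
  const [org, exec, file] = parts;
  if (!UUID.test(org) || !UUID.test(exec)) findings.push("non-UUID path segment");
  if (org.toLowerCase() !== String(row.organization_id).toLowerCase())
    findings.push("path org differs from row organization_id");
  if (exec.toLowerCase() !== String(row.id).toLowerCase())
    findings.push("path execution differs from row id");
  const dot = file.lastIndexOf(".");
  const ext = dot > 0 ? file.slice(dot + 1).toLowerCase() : "";
  const expected = EXT_BY_FORMAT[row.exported_format];
  if (!expected) findings.push("unknown exported_format");
  else if (ext !== expected) findings.push("extension does not match exported_format");
  return findings;
}

// Runs the audit over many rows; returns only rows with findings.
function auditExports(rows) {
  return rows
    .map((row) => ({ id: row.id, findings: auditExportRow(row) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample rows (not real data).
const ORG_A = "11111111-1111-4111-8111-111111111111";
const ORG_B = "22222222-2222-4222-8222-222222222222";
const EX1 = "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa";
const EX2 = "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb";
const EX3 = "cccccccc-cccc-4ccc-8ccc-cccccccccccc";
const sampleRows = [
  { id: EX1, organization_id: ORG_A, exported_format: "csv", exported_file_path: `${ORG_A}/${EX1}/sales.csv` },
  { id: EX2, organization_id: ORG_A, exported_format: "pdf", exported_file_path: `${ORG_B}/${EX2}/sales.pdf` },
  { id: EX3, organization_id: ORG_B, exported_format: "excel", exported_file_path: `${ORG_B}/${EX3}/../x.xlsx` },
];
console.log(JSON.stringify(auditExports(sampleRows), null, 2));
```

A row whose path points into another organization's prefix, or whose path has extra segments, is worth investigating even when storage RLS is in place, since it indicates the export writer and the execution record disagree.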
Troubleshooting
| Issue | Solution |
|---|---|
| User cannot export | Verify they have can_run permission on the report |
| Storage upload fails | Check reports-exports bucket exists and RLS policies are correct |
| Edge function errors | Check Edge Function logs |
| Permission changes not reflecting | Permission query has 5-minute stale time; wait or hard refresh |