Better Permissions Granularity / Enhanced “View Only” Permissions/Role Functionality for Admin Users
It is currently not possible to have a truly “view-only” role option for admin-level users. At the moment, setting role permissions to "View" does not prevent certain actions that contradicts the expectation of “view-only” access. This introduces risk, especially when trying to grant limited access to newer or external users.
For example, an admin role which has only the following assigned permissions:
- View Users (Users)
- View Permits (Parking)
- View Violations (Violations)
- View History Search (System Content)
Despite this, the admin was still able to:
- Add a vehicle to a user profile (however, not view or edit it);
- Assign a decal to a vehicle;
- Click "Edit" on user profiles (though changes are blocked only upon submission, not access);
- Archive users;
- Reserve permits;
- Make payments (but not see receipt);
- Add DNTT;
- etc.
Proposed Enhancements:
- Strict Read-Only Enforcement: Ensure that view permissions completely restrict any data-altering actions (e.g., editing, adding, or assigning records).
- UI Alignment: Hide or disable action buttons like "Edit", "Add Vehicle", or "Assign Decal" for roles that don't have explicit permissions for those actions.
- Granular Permission Categories: Consider breaking out certain permissions (e.g., “Add Vehicle,” “Assign Decal”) into their own toggles rather than tying them to broader edit permissions. This will support more precise role customization.
- Audit-Friendly Option: Introduce a “Read-Only Admin” preset for environments needing oversight access without editing capabilities.
#12259