Setting Permissions

AI-School security works based on roles with permissions.

Accounts and Roles

Accounts are automatically created after a successful first login attempt. During account creation, tokens are added to the server:

• student (yes/no): set to "yes" if the email address matches an email address on the student list
• staff (yes/no): set to "yes" if the email address matches an email address on the staff list
• admin (yes/no): always set to "no" when the account is first created
• board admin (yes/no): always set to "no" when the account is first created
• super admin (yes/no): always set to "no" when the account is first created

Changing Roles

An admin, board admin, or super admin can assign roles, if this admin role has permission to assign the role.

For example, a staff member can receive the admin role if the board admin or super admin assigns this role. However, an admin can never assign the board admin or super admin role.

A role change is accompanied by assigning new tokens on the server.

Permission Roles

In the admin section, the super admin or board admin can adjust permissions per role.

An additional role is visible here: that of guest. These are permissions assigned to non-logged-in users.

Non-logged-in users must at least be able to read the basic information of the environments, otherwise no choice can be made on the login screen.

Be very cautious about assigning additional permissions to this role!

Collections

Permissions are given per collection. A collection is a set of similar data. For example, there is a "Schools" collection and a "Chats" collection.

Setting Permissions on the Default Database

Only super admins can set permissions on the default database.

Setting Permissions on the Tenant Database

After selecting a role, the administrator can adjust permissions per collection on the tenant database.

Read Permissions

Read permissions concern the ability to read data from the database.

The rights are incrementally configurable:

• Single record: the user must know the unique UUID of the record

• Own records: only records created by the user themselves

• Shared records: records shared with the user

• Controlled records: records under the control of the teacher, for example, chats created during a lesson or related to an assistant

• Tenant records: all records of a tenant on AI-School

• All records: all records of AI-School

Since the database structure is set up so that each tenant (customer) of AI-School has their own database, the "Tenant records" setting is disabled when setting permissions on tenant databases.

View Permissions

Here the administrator can set whether the relevant role gets to see the tile in the admin section.

Create, Update, Delete Permissions

These permissions are for creating, updating, or deleting records and are configurable per collection. The rights are incrementally configurable:

• Own records: only records created by the user themselves

• Tenant records: all records of a tenant on AI-School

• All records: all records of AI-School

Since the database structure is set up so that each tenant (customer) of AI-School has their own database, the "Tenant records" setting is disabled when setting permissions on tenant databases.