RBAC Admins

Overview

RBAC Admins manages users who have access to SSAdmin. This page handles organization-level membership (Better-Auth) and optionally assigns custom RBAC roles with campus scoping in a single unified interface.

This is the primary interface for managing admin users in SSAdmin. For campus-specific assignments, see the dedicated User-Campus-Roles page.

What is an RBAC Admin?

An RBAC Admin is a user who has been granted access to SSAdmin through:

Organization Membership (Required): Base access via Better-Auth
Custom RBAC Assignment (Optional): Additional campus-scoped permissions

This unified approach allows you to set up complete user access in one place.

Viewing RBAC Admins

The RBAC Admins page displays all users with system access:

User name and email
Organization role (Guest, Member, Admin, Superadmin)
Custom RBAC role (if assigned)
Scope type (Campus)
Campus assignments (which campuses they can access)
Active status
Expiration date (if set)
Actions (View, Edit, Delete)

Filtering Options

Organization Role: Filter by Guest, Member, Admin, Superadmin
Custom Role: Filter by specific RBAC role (HQ Admin, Campus Admin, etc.)
Campus: Filter by specific campus assignment
Active Status: Active or inactive assignments
Expired: Show expired vs. current assignments

Understanding the Two-Tier System

Tier 1: Organization Role (Required)

SSAdmin Organization

Every user must have one organization role:

Guest: Read-only access, minimal permissions
Member: Standard user, can view and create data
Admin: Administrative access, can manage data and some settings
Superadmin: Full system control (use sparingly!)

Characteristics:

Organization-wide access
Not scoped to specific campuses
Managed through Better-Auth
Foundation for all access

Tier 2: Custom RBAC (Optional)

Granular, Campus-Specific Permissions

Optionally assign:

Specific role (HQ Admin, Campus Admin, Academic Coordinator, etc.)
Campus scope (which campuses the user can access)
Expiration date (for temporary access)
Assignment reason (audit trail)

When to Use Custom RBAC:

Campus-based responsibilities (Campus Admin)
HQ-level roles requiring cross-campus access
Temporary assignments (contract staff)
Fine-grained access control

Creating an RBAC Admin

Step 1: Open Create Dialog

Navigate to Backend > RBAC Admins
Click "Create RBAC Admin"

Step 2: User Information

Select User* (Required):

Search by name or email
Select from existing users
User must already have an account

If the user doesn't exist, they need to register/sign up first.

Step 3: Organization Role Assignment

Organization (Read-only):

Shows: "SSAdmin"
Cannot be changed (default organization)

Organization Role* (Required):

Choose the base access level:

Role	Access Level	Use For
Guest	Read-only	External reviewers, auditors, limited access
Member	Standard	Staff members with basic system access
Admin	Administrative	Campus admins, department leads, coordinators
Superadmin	Full control	HQ administrators, technical administrators only

Most users should be "Member" (standard access) or "Admin" (managerial access). Reserve "Superadmin" for 1-2 HQ administrators.

Step 4: Custom RBAC Assignment (Optional)

Toggle "Enable Custom RBAC" to add scoped permissions.

When Enabled:

Role* (Required):

Select from available active roles
Shows role name, level, and description
Example: "Campus Admin (Level 60)"

Scope Type* (Required):

Choose how to limit this role's access:

Campus-scoped: Access limited to specific campuses
HQ (Global): Access across all campuses (for HQ Admin roles)

Campus Selection* (Required for campus-scoped):

Select one or more campuses (multi-select)
User will only have access to selected campuses
Leave empty for HQ-level access

Active Status:

Toggle ON: Role is immediately active
Toggle OFF: Suspend access without deleting
Default: ON

Valid Until (Optional):

Set expiration date for temporary access
Leave empty for permanent access
Auto-deactivates on expiration date
Cannot set past dates

Assignment Reason (Optional but Recommended):

Explain why access is being granted
Useful for audits and reviews
Examples:
- "Campus Admin for Lagos campus"
- "Temporary registration staff for Fall 2024"
- "Promoted from coordinator to campus admin"

Always provide an assignment reason. Future administrators will thank you!

Step 5: Save

Click "Create RBAC Admin" to save.

Assignment Examples

Example 1: HQ Administrator

Scenario: Headquarters administrator with full system access

Configuration:

User: John Admin
Organization Role: Superadmin
Custom RBAC: Enabled
- Role: HQ Admin
- Scope Type: HQ (Global)
- Valid Until: (empty - permanent)
- Reason: "HQ Administrator - Full system access"

Result: John has complete access across all campuses and system features.

Example 2: Campus Admin

Scenario: Staff managing a specific campus

Configuration:

User: Jane Smith
Organization Role: Admin
Custom RBAC: Enabled
- Role: Campus Admin
- Scope Type: Campus
- Campus: Lagos Campus
- Valid Until: (empty - permanent)
- Reason: "Campus Administrator for Lagos"

Result: Jane can manage students, courses, and operations for Lagos campus only.

Example 3: Multi-Campus Admin

Scenario: Regional administrator managing multiple campuses

Configuration:

User: Mike Johnson
Organization Role: Admin
Custom RBAC: Enabled
- Role: Campus Admin
- Scope Type: Campus
- Campuses: Lagos Campus, Abuja Campus, Port Harcourt Campus
- Valid Until: (empty - permanent)
- Reason: "Regional Admin for Southern Region"

Result: Mike can manage all operations for three campuses.

Example 4: Temporary Staff

Scenario: Contract staff helping with student registration

Configuration:

User: Sarah Temp
Organization Role: Member
Custom RBAC: Enabled
- Role: Registration Assistant
- Scope Type: Campus
- Campus: Lagos Campus
- Valid Until: 2024-12-31
- Reason: "Contract staff for Fall 2024 registration period"

Result: Sarah has registration access for Lagos campus until December 31, 2024.

Editing RBAC Admins

Find the user in the table
Click Edit button
Update any fields:
- Change organization role
- Enable/disable custom RBAC
- Change role or campus scope
- Update expiration date
- Modify assignment reason
Click "Update" to save

Changes to organization role or custom RBAC affect user access immediately. Notify the user before making changes.

Viewing Admin Details

Click View to see complete information:

Full user details
Organization membership
Custom RBAC configuration
All assigned campuses
Assignment history
Related activity (if available)

Removing Access

Temporary Suspension

Deactivate (Recommended):

Edit the admin
Toggle Active Status to OFF
Save

Benefits:

Preserves assignment record
Can be reactivated later
Maintains audit trail

Permanent Removal

Delete:

Click Delete button
Confirm deletion

Consequences:

Completely removes assignment
User loses all access
Cannot be undone
Historical data may be affected

Use deactivation for temporary situations (leave, suspension). Use deletion only for permanent removal.

Relationship with User-Campus-Roles

RBAC Admins (This Page)

Purpose: Unified interface for complete user setup

Use When:

Adding new users to the system
Setting up complete access in one place
Managing organization membership
Assigning campus-scoped roles during onboarding

User-Campus-Roles

Purpose: Dedicated campus-specific role management

Use When:

Managing multiple campus assignments for a user
Focus is on campus-based access control
Bulk campus role assignments

Learn more

You can use RBAC Admins for complete setup, OR use User-Campus-Roles for managing specific campus assignments. Both approaches work!

Best Practices

Organization Role Selection

Default to Member: Most staff should be Members
Admin for Campus Leads: Campus administrators and managers
Limit Superadmin: Only 1-2 HQ administrators
Guest for External: Auditors, reviewers, read-only access

Custom RBAC Strategy

Use When Needed: Not every user needs custom RBAC
Start Simple: Add scoping only when required
Document Reasons: Always explain assignments
Set Expirations: For temporary staff and contractors

Security

Principle of Least Privilege: Minimal necessary access
Regular Audits: Monthly review of RBAC admins
Remove Inactive: Delete or deactivate unused accounts
Track Changes: Maintain assignment reason history

Common Questions

Q: What's the difference between HQ Admin and Campus Admin?

A: HQ Admin has access across all campuses and system-wide settings. Campus Admin is limited to specific assigned campuses only.

Q: Can I assign a user to multiple campuses?

A: Yes! Use the multi-select campus field to assign a user to multiple campuses with one role.

Q: What happens when custom RBAC expires?

A: The user keeps their organization role but loses the campus-scoped permissions. They revert to base organization access level.

Q: Can I skip organization role and only assign custom RBAC?

A: No, organization role is required. Custom RBAC is always additional on top of organization membership.

Q: Should every user have custom RBAC enabled?

A: No. Simple users who don't need campus-specific restrictions can just have an organization role. Custom RBAC is for users who need scoped access.

RBAC Overview - Understand the complete access control system
User-Campus-Roles - Dedicated campus role assignments
Roles Management - Available roles to assign
Permissions Management - What permissions roles have
Role-Permissions - How permissions are linked to roles

RBAC Admins

On this page