
Role-Based Access Control (RBAC)

This article explains how roles, permissions, and access levels work in the platform using Role-Based Access Control (RBAC).

Written by Jeroen Pleunis

What is RBAC?

Role-Based Access Control (RBAC) is the way the platform manages who can see and do what.

Instead of giving individual permissions to each user, you assign a role that comes with a predefined set of permissions. This makes access management:

  • More secure – users only see data and features that match their responsibilities.

  • Easier to manage – especially when people join, change roles, or leave.

  • Consistent – the same role always means the same access level.

The RBAC model follows your organisational structure:

  • Partner – your organisation as a partner of the platform provider

  • Customer – customers managed under a partner

  • Environment (EMS Location) – individual live EMS locations belonging to a customer


RBAC hierarchy

The RBAC system is organised into three tiers:

  1. Partner level
    Represents partner organisations that work directly with the platform provider.

  2. Customer level
    Represents customers that are managed under a specific partner.

  3. Environment (EMS location) level
    Represents individual EMS locations (live sites) assigned to a customer.

Each level has its own set of roles, designed for typical responsibilities at that level.


Partner-level roles

Partner-level roles apply across all customers under a specific partner.

Partner Admin

  • Full administrative rights across all customers under the partner.

  • Can:

    • Add, remove, and manage users.

    • Assign and change roles.

    • Adjust access rights for any customer or location in the partner scope.

  • Best for: Platform administrators at the partner organisation.

Partner User

  • Full access to all features and data under the partner’s scope.

  • Cannot:

    • Manage users.

    • Manage roles or access rights.

  • Best for: Operational staff who need full access but don’t manage users.

Partner Simulation User

  • Can access and operate simulation-related features within the partner’s scope.

  • Cannot:

    • Create or manage customers.

    • Manage production EMS locations (unless also assigned another role).

  • Best for: Users working in test/simulation environments without touching customer configuration.

Partner Viewer

  • Read-only access to all customers and related data under the partner.

  • Cannot:

    • Change any configuration.

    • Operate EMS locations.

  • Best for: Management, auditors, or stakeholders who only need visibility.

Partner Finance

  • Access to financial and billing information for all customers under the partner.

    • Includes addresses, invoices, and payment details.

  • Cannot:

    • Modify operational settings.

    • Manage users, roles, or EMS operations.

  • Best for: Finance and billing teams at the partner organisation.


Customer-level roles

Customer-level roles apply to one specific customer and all its EMS locations.

Customer Admin

  • Full administrative rights for one customer.

  • Can:

    • Manage all EMS locations under that customer.

    • Add and remove users for that customer.

    • Assign and adjust roles within that customer scope.

  • Best for: Customer-side administrators responsible for their own organisation.

Customer User

  • Full functional access across all locations for a single customer.

  • Cannot:

    • Create, remove, or manage users.

    • Change role assignments.

  • Best for: Operational or technical staff working across all of a customer’s locations.

Customer EMS Viewer

  • Read-only access to all live EMS locations for one customer.

  • Can:

    • View live data and system status.

  • Cannot:

    • Operate or configure EMS locations.

  • Best for: Monitoring-only users at the customer (e.g. observers, management).

Customer EMS Operator

  • Operational access to all live EMS locations for one customer.

  • Can:

    • View live data and status.

    • Start, stop, and adjust operational parameters (where supported).

  • Cannot:

    • Manage users or roles.

  • Best for: Operators managing day-to-day EMS operation for a specific customer.


Environment (EMS location) level roles

Environment-level roles are restricted to a single EMS location.

Environment EMS Viewer

  • Access limited to one EMS location.

  • Can:

    • View live data, trends, and status for that location.

  • Cannot:

    • Control or adjust anything in that location.

  • Best for: Local stakeholders or users who only need visibility for one site.

Environment EMS Operator

  • Access limited to one EMS location.

  • Can:

    • View live data and status for that location.

    • Operate that EMS environment (start/stop/adjust operational parameters, where supported).

  • Cannot:

    • Manage users or roles.

  • Best for: On-site or local operators responsible for a specific location.


Cross-level access and multi-location assignments

Although roles are defined per tier, the RBAC model supports cross-level assignments where needed.

Examples:

  • A user can be assigned Environment EMS Viewer for multiple locations, even if those locations:

    • Belong to different customers, or

    • Sit under different partners (depending on your configuration).

  • A user might be:

    • Customer EMS Operator for one customer, and

    • Environment EMS Viewer for a specific location under another customer.

This flexibility allows:

  • Central teams to monitor or operate distributed EMS operations.

  • External stakeholders (e.g. service providers) to work across multiple customers or locations with controlled access.
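
The following is an added sketch, not the platform's own code, of how scoped assignments like those above could be resolved: a role granted at a partner or customer covers every location beneath it, and a user's effective access at a location is the union of all covering assignments. The scope names, the permission labels (view, operate, manage_users), the union rule and the tier check are assumptions made for illustration.

```python
# Constructed hierarchy (hypothetical names): location -> customer -> partner.
PARENT = {
    "loc-a1": "cust-a", "loc-a2": "cust-a",
    "loc-b1": "cust-b", "loc-b2": "cust-b",
    "cust-a": "partner-1", "cust-b": "partner-1",
}
TIER_BY_DEPTH = {1: "Partner", 2: "Customer", 3: "Environment"}

# Simplified permission sets read off the role descriptions (an assumption).
ROLE_PERMS = {
    "Partner Admin": {"view", "operate", "manage_users"},
    "Partner User": {"view", "operate"},
    "Partner Viewer": {"view"},
    "Customer Admin": {"view", "operate", "manage_users"},
    "Customer User": {"view", "operate"},
    "Customer EMS Viewer": {"view"},
    "Customer EMS Operator": {"view", "operate"},
    "Environment EMS Viewer": {"view"},
    "Environment EMS Operator": {"view", "operate"},
}

def scopes_covering(node):
    """Return the node plus every scope above it, nearest first."""
    chain = []
    while node is not None:
        chain.append(node)
        node = PARENT.get(node)
    return chain

def validate(assignments):
    """Reject a role attached to a scope of the wrong tier."""
    for role, scope in assignments:
        tier = TIER_BY_DEPTH[len(scopes_covering(scope))]
        if role.split()[0] != tier:
            raise ValueError(f"{role!r} cannot be assigned at {tier} scope {scope!r}")

def effective_permissions(assignments, location):
    """Union of permissions from every assignment whose scope covers location."""
    validate(assignments)
    covering = set(scopes_covering(location))
    granted = [ROLE_PERMS[role] for role, scope in assignments if scope in covering]
    return set().union(*granted)

def access_report(assignments, locations):
    """Per-location effective permissions, e.g. for a periodic access review."""
    return {loc: sorted(effective_permissions(assignments, loc)) for loc in locations}

# Constructed user: operator for cust-a, viewer for one location under cust-b.
USER = [("Customer EMS Operator", "cust-a"), ("Environment EMS Viewer", "loc-b1")]
```

Running `access_report` over every location a user can reach makes cross-level grants visible in one place, which helps when reviewing external stakeholders who hold roles under several customers.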
