Athena ERP uses a role-based permission system designed specifically for Colombian educational institutions. Each role has carefully defined permissions that align with real-world responsibilities in schools.

Available Roles

Rector

Full administrative control over the institution

Coordinator

Student affairs, discipline, and academic oversight

Secretary

Enrollment management and administrative communications

Teacher

Grades, attendance, and classroom management

Student

Access to personal academic information

How Permissions Work

Permissions in Athena are defined in code and validated on every API request. This ensures:
  • Predictable access control - Permissions are consistent across all schools
  • Easy to audit - All permissions are visible in the codebase
  • Multi-role support - Users can have multiple roles (e.g., Rector + Teacher)

Permission Categories

Control what data users can view:
  • read:all - Access to all school data (Rector)
  • read:students - Student profiles and records
  • read:grades - Academic performance data
  • read:attendance - Attendance records
  • read:own_students - Only students in assigned classes
  • read:own_data - Personal information only

Multi-Role Users

Users can be assigned multiple roles to reflect their actual responsibilities. For example:
  • A Rector who also teaches can have both rector and teacher roles
  • A Coordinator who handles enrollment can have coordinator and secretary roles
When a user has multiple roles, they gain the union of all permissions from those roles.
If any of a user’s roles grants a permission, they can perform that action.

Role Assignment

Roles are assigned by users with the manage:users permission (Rector or Superadmin). The assignment is stored in the user’s JWT token and validated on every request.
  1. User Creation - When creating a new user, select one or more roles based on their responsibilities.
  2. Token Generation - The selected roles are embedded in the user’s authentication token.
  3. Permission Check - Every API request validates the user’s roles against required permissions.
  4. Access Decision - Access is granted if any role provides the needed permission.

Security & Compliance

Tenant Isolation

All permissions are scoped to a single school (tenant). Users can only access data from their assigned institution, even if they have high-level permissions.
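The per-request decision described above (union of role permissions, checked only inside the caller's own tenant), as an added sketch that is not Athena's own code. Role and permission names come from this page; the role-to-permission mapping, the claim names `roles` and `tenant_id`, and the treatment of read:all as covering every read: permission are assumptions, and the claims are taken to come from a token whose signature was already verified.

```python
# Added example: the mapping below is an assumed subset, not Athena's real table.
ROLE_PERMISSIONS = {
    "rector": {"read:all", "manage:users"},
    "coordinator": {"read:students", "read:attendance"},
    "secretary": {"read:students"},
    "teacher": {"read:own_students", "read:grades", "read:attendance"},
    "student": {"read:own_data"},
}


def effective_permissions(roles):
    """Union of the permissions of every known role; unknown roles grant nothing."""
    perms = set()
    for role in roles:
        if isinstance(role, str):
            perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(claims, required, resource_tenant):
    """Decide one request from already signature-verified token claims."""
    roles = claims.get("roles")      # hypothetical claim name
    tenant = claims.get("tenant_id")  # hypothetical claim name
    # Fail closed on malformed claims (a bare string would iterate per character).
    if not isinstance(roles, list) or not tenant:
        return False
    # Tenant isolation is checked first: no permission crosses schools.
    if tenant != resource_tenant:
        return False
    perms = effective_permissions(roles)
    # Assumption: read:all satisfies any read:* permission, inside the tenant only.
    if required.startswith("read:") and "read:all" in perms:
        return True
    return required in perms


# Constructed sample claims for two users of the same school.
RECTOR_TEACHER = {"sub": "u1", "tenant_id": "school-a", "roles": ["rector", "teacher"]}
SECRETARY = {"sub": "u2", "tenant_id": "school-a", "roles": ["secretary"]}

if __name__ == "__main__":
    print(is_allowed(RECTOR_TEACHER, "read:grades", "school-a"))  # own school
    print(is_allowed(RECTOR_TEACHER, "read:grades", "school-b"))  # other school
    print(is_allowed(SECRETARY, "manage:users", "school-a"))
```

Checking the tenant before the permission set keeps a broad grant such as read:all from ever being evaluated against another school's data.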

Audit Trail

Actions performed by Rector and Coordinator roles are logged to comply with Colombian data protection regulations (Ley 1581/2012).
The audit log tracks who accessed or modified sensitive student data, including document numbers and personal information.

Next Steps

Explore Role Details

Click any role card above to see specific permissions and use cases

User Management

Learn how to create and manage users
