Skip to main content

Overview

Beils Dashboard implements a role-based access control (RBAC) system to secure features and data based on user roles. This ensures that users only have access to the features they need for their job responsibilities.

Role Structure

The system uses a simple two-tier role hierarchy defined in the Prisma schema: 
enum Role {
  ADMIN
  USER
}
All user accounts must have one of these roles assigned.

Administrator (ADMIN)

The ADMIN role has unrestricted access to all system features and data.

Permissions

  • Create new user accounts
  • Edit any user account
  • Delete user accounts
  • Toggle user status (activate/deactivate)
  • View all users in the system
  • Assign roles to users
  • View all clients
  • Create and edit client records
  • Delete clients
  • Access client consents and questionnaires
  • Manage client revocations
  • Manage products, services, and packs
  • Create and edit categories, subcategories, and brands
  • Manage tags for products
  • Update pricing and tax rates
  • Control inventory levels
  • Process all sales transactions
  • Manage shopping carts
  • Handle payments and refunds
  • Override prices if needed
  • View all transaction history
  • Create and manage coupons
  • Configure bonus programs
  • Issue and manage gift cards
  • View marketing performance metrics
  • View all financial data
  • Manage client debts
  • Generate financial reports
  • Access payment history
  • View all bookings across all staff
  • Create appointments for any client
  • Assign appointments to staff members
  • Cancel or reschedule any booking
  • Access all reports and dashboards
  • View sales analytics
  • Generate custom reports
  • Export data for analysis
  • Configure system settings
  • Manage business hours and preferences
  • Configure tax rates
  • Set up payment methods
  • Access audit logs

Use Cases

Business Owner

Full oversight of business operations, financial data, and strategic decisions

Manager

Supervise staff, manage inventory, handle administrative tasks

Standard User (USER)

The USER role is designed for staff members who need access to daily operational features without administrative capabilities.

Permissions

✅ View all clients ✅ Create new client records ✅ Edit client information ❌ Delete clients ✅ Manage client consents and questionnaires
✅ View products, services, and packs ✅ Search and filter catalog items ❌ Create or edit products (typically restricted) ❌ Delete catalog items ❌ Modify pricing or tax rates
✅ Process sales transactions ✅ Manage shopping carts ✅ Accept payments ✅ View own transaction history ❌ Override prices ❌ Issue refunds without approval
✅ Apply coupons to transactions ✅ Use gift cards for payments ✅ View active promotions ❌ Create or modify marketing campaigns
✅ View all bookings ✅ Create appointments ✅ Manage own assigned appointments ✅ Update appointment status ❌ Cancel appointments assigned to other staff
✅ View basic dashboards ✅ Access personal performance metrics ❌ View financial reports ❌ Export sensitive data
❌ No access to user management ❌ Cannot modify system settings ❌ Cannot access audit logs ❌ Cannot manage other users

Use Cases

Beautician

Book and manage client appointments, update client records

Receptionist

Handle check-ins, process sales, manage the schedule

Sales Staff

Process transactions, apply promotions, manage inventory

Permission Enforcement

Beils Dashboard enforces role-based permissions at multiple levels:

Server-Side Middleware

The authentication middleware (server/middleware/auth.ts) validates all API requests: 
// Protected routes require valid JWT token
const PROTECTED_PREFIX = '/api/'
const PUBLIC_ROUTES = ['/api/auth/login', '/api/hello']

// All other /api/* routes require authentication
1

Token Verification

Extract JWT token from Authorization header or auth_token cookie
2

Token Validation

Verify token signature and expiration using JWT secret
3

User Context

Attach decoded user info (userId, email, role) to request context
4

Status Check

Ensure user status is ON (active)

API Endpoints

While the middleware validates authentication, role-specific authorization should be implemented at the endpoint level: 
// Example: Admin-only endpoint pattern
export default defineEventHandler(async (event) => {
  const user = event.context.user
  
  // Check if user has ADMIN role
  if (user.role !== 'ADMIN') {
    throw createError({
      statusCode: 403,
      statusMessage: 'Forbidden: Admin access required'
    })
  }
  
  // Admin-only logic here
})
Currently, most endpoints do not enforce role-level authorization beyond authentication. You may need to implement additional role checks for sensitive operations.

Client-Side Guards

The frontend uses Vue Router navigation guards and Pinia stores to control UI access: 
// Auth store tracks authenticated user
const authStore = useAuthStore()
const isAuthenticated = authStore.isAuthenticated
const userRole = authStore.user?.role

// Check role before showing admin features
if (userRole === 'ADMIN') {
  // Show admin options
}
Client-side guards are for UX only. Always enforce permissions on the server-side to prevent unauthorized access.

Assigning Roles

Roles are assigned during user creation or can be updated later:

During User Creation

  1. Open the Create User form
  2. Select role from dropdown (defaults to USER)
  3. Save the new user

Updating Existing User Role

  1. Navigate to Users management
  2. Click Edit on the user account
  3. Change the Role field to ADMIN or USER
  4. Click Update
Role changes take effect immediately. The user will have new permissions on their next action or page refresh.

Default Role

When creating users via API without specifying a role: 
role: role || 'USER'  // Defaults to USER if not provided
This follows the principle of least privilege, ensuring new accounts have minimal permissions by default.

JWT Token Structure

Authentication tokens contain the user’s role: 
interface JwtPayload {
  userId: string
  email: string
  role: string  // 'ADMIN' or 'USER'
}

const token = signToken({
  userId: user.user_id,
  email: user.email,
  role: user.role
})
This allows server-side code to check permissions without additional database queries.

Implementing Custom Permissions

If you need more granular permissions beyond ADMIN/USER:

Option 1: Extend Role Enum

Add new roles to the Prisma schema: 
enum Role {
  ADMIN
  MANAGER
  STAFF
  USER
}
Then run prisma migrate to update the database.

Option 2: Permission Flags

Add boolean flags to the User model: 
model User {
  // ... existing fields
  can_delete_clients Boolean @default(false)
  can_issue_refunds  Boolean @default(false)
  can_view_reports   Boolean @default(false)
}

Option 3: Separate Permissions Table

Create a many-to-many relationship: 
model Permission {
  id          String   @id
  name        String
  description String?
  users       User[]
}

model User {
  // ... existing fields
  permissions Permission[]
}
For most beauty centers, the two-tier ADMIN/USER model provides sufficient access control without added complexity.

Security Best Practices

Principle of Least Privilege

Grant users only the minimum permissions needed for their role

Regular Audits

Review user roles quarterly and adjust as job responsibilities change

Separation of Duties

Avoid giving multiple ADMIN accounts when possible

Access Logging

Monitor ADMIN actions for security and compliance

Common Scenarios

Promoting a User to Admin

  1. Verify the user needs full system access
  2. Edit their user account
  3. Change role from USER to ADMIN
  4. Notify the user of their new permissions

Temporarily Restricting Access

Instead of changing roles, toggle the user’s status:
  1. Locate user in user management
  2. Click Toggle Status to set status to OFF
  3. User cannot log in while status is OFF
  4. Re-enable when access should be restored

Handling User Transitions

When staff members change positions:
  1. Review their new job responsibilities
  2. Adjust their role accordingly (ADMIN ↔ USER)
  3. If leaving the company, set status to OFF rather than deleting
  4. This preserves historical data integrity

User Management

Create and manage user accounts

Configuration

Configure authentication settings

Authentication API

API documentation for login and tokens

Data Management

Export and backup user data

Build docs developers (and LLMs) love

Get started for freeTalk to us