Overview

APTIV Scrap Control implements a 4-tier role-based access control (RBAC) system to ensure users only access features appropriate for their responsibilities.

Role Hierarchy

Administrator

Full system access with user and permission management

Quality (Calidad)

Quality control with reporting and catalog management

Supervisor

Production line supervision with area-level reporting

Operator (Operador)

Basic scrap registration and record viewing

Permission Matrix

The following table shows the complete permission matrix for all roles:
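Permission | Admin | Quality | Supervisor | Operator
Register scrap | Yes | Yes | Yes | Yes
View own records | Yes | Yes | Yes | Yes
View area reports | Yes | Yes | Yes | No
View global reports | Yes | Yes | No | No
Edit today’s records | Yes | Yes | Yes | No
Delete records | Yes | Yes | No | No
Manage catalogs | Yes | Yes | No | No
Manage users | Yes | No | No | No
Configure permissions | Yes | No | No | No
Manage tolerances | Yes | Yes | No | No
Export backups | Yes | No | No | No
View audit logs | Yes | Yes | No | No
Import CSV | Yes | Yes | No | No
Export CSV | Yes | Yes | Yes | No
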
Permissions are configurable from the administration panel. The matrix above shows default settings.

Permission Types

TypeScript Definition

Permissions are defined as a union type in the system:
types.ts
export type PermissionKey =
  | 'register_scrap'
  | 'view_own_records'
  | 'view_area_reports'
  | 'view_global_reports'
  | 'edit_today_records'
  | 'delete_records'
  | 'manage_catalogs'
  | 'manage_users'
  | 'manage_permissions'
  | 'manage_tolerances'
  | 'export_backup'
  | 'view_audit'
  | 'import_catalogs'
  | 'export_catalogs';

Detailed Permission Descriptions

register_scrap
Allows users to create new scrap records. All roles have this permission because it is the primary function of the system.
Granted to: Admin, Quality, Supervisor, Operator

view_own_records
View scrap records created by the logged-in user. Essential for all users to verify their entries.
Granted to: Admin, Quality, Supervisor, Operator

view_area_reports
Access reports filtered to the user’s assigned production area. Required for line supervision.
Granted to: Admin, Quality, Supervisor

view_global_reports
Access organization-wide reports across all areas and production lines. Required for quality analysis.
Granted to: Admin, Quality

edit_today_records
Modify scrap entries created on the current day. Prevents historical data manipulation.
Granted to: Admin, Quality, Supervisor

delete_records
Soft-delete scrap entries (marks them as ELIMINADO=1). Required for correcting errors.
Granted to: Admin, Quality

manage_catalogs
Create, update, and delete catalog entries (parts, defects, areas, shifts, lines).
Granted to: Admin, Quality

manage_users
Create user accounts, reset passwords, assign roles, and deactivate users.
Granted to: Admin only

manage_permissions
Modify the permission matrix and create custom roles. Highest-level administrative function.
Granted to: Admin only

manage_tolerances
Set acceptable scrap thresholds by area, chain, line, or category.
Granted to: Admin, Quality

export_backup
Download complete database backups in JSON or SQL format.
Granted to: Admin only

view_audit
Access the audit trail showing all system changes with user attribution.
Granted to: Admin, Quality

import_catalogs
Bulk import catalog entries from CSV files.
Granted to: Admin, Quality

export_catalogs
Download catalog data and reports in CSV format.
Granted to: Admin, Quality, Supervisor

Role Data Structure

types.ts
export interface Rol {
  id: number;
  nombre: string;
  descripcion: string;
  activo: number;
  es_sistema: number;  // 1 = system role (cannot be deleted)
  permisos: string;    // JSON array of PermissionKey values
}

Database Schema

schema.sql
CREATE TABLE IF NOT EXISTS roles (
  id int AUTO_INCREMENT PRIMARY KEY,
  nombre varchar(50) NOT NULL,
  descripcion varchar(200) DEFAULT '',
  activo TINYINT DEFAULT 1,
  es_sistema TINYINT DEFAULT 0,
  permisos TEXT DEFAULT NULL
);

CREATE TABLE IF NOT EXISTS permisos_rol (
  id int AUTO_INCREMENT PRIMARY KEY,
  rol_id int NOT NULL,
  permiso varchar(50) NOT NULL,
  FOREIGN KEY (rol_id) REFERENCES roles(id) ON DELETE CASCADE
);

Permission Checking

Frontend Permission Check

The usePermissions hook provides a can() function to check permissions:
useStore.ts
export const usePermissions = () => {
  const state = useAppState();
  const { currentUser } = state;
  
  const can = (permission: PermissionKey): boolean => {
    if (!currentUser) return false;
    
    // Parse permissions from user.permisos JSON string
    try {
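      const permissions = JSON.parse(currentUser.permisos || '[]');
      // Require an array: on a bare JSON string, includes() would match substrings
      return Array.isArray(permissions) && permissions.includes(permission);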
    } catch {
      return false;
    }
  };
  
  return { can };
};

Usage Example

import { Link } from 'react-router-dom'; // assumed router; the page does not name the library
import { usePermissions } from './useStore';

function MyComponent() {
  const { can } = usePermissions();
  
  return (
    <div>
      {can('manage_users') && (
        <button>Manage Users</button>
      )}
      
      {can('view_global_reports') && (
        <Link to="/reports">Global Reports</Link>
      )}
    </div>
  );
}
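
The can() hook only decides what the UI renders; currentUser.permisos is client state, so the same decision has to be repeated on the server for every request. The block below is an added example, not the project's code: a fail-closed server-side check that assumes the role row is loaded from the roles table. RoleRow, parsePermisos, authorize and canEditRecord are hypothetical names.

```typescript
// Added example; RoleRow, parsePermisos, authorize, canEditRecord are hypothetical names.
const PERMISSION_KEYS = [
  'register_scrap', 'view_own_records', 'view_area_reports', 'view_global_reports',
  'edit_today_records', 'delete_records', 'manage_catalogs', 'manage_users',
  'manage_permissions', 'manage_tolerances', 'export_backup', 'view_audit',
  'import_catalogs', 'export_catalogs',
] as const;
type PermissionKey = (typeof PERMISSION_KEYS)[number];

// Assumed shape: the two columns of the roles table that matter for the decision.
interface RoleRow { activo: number; permisos: string | null }

// Parse roles.permisos and fail closed: anything that is not a JSON array
// of known keys contributes no permissions.
function parsePermisos(raw: string | null): Set<PermissionKey> {
  let parsed: unknown;
  try {
    parsed = JSON.parse(raw ?? '[]');
  } catch {
    return new Set<PermissionKey>();
  }
  if (!Array.isArray(parsed)) return new Set<PermissionKey>(); // e.g. a bare JSON string
  const known = new Set<string>(PERMISSION_KEYS);
  return new Set<PermissionKey>(
    parsed.filter((p): p is PermissionKey => typeof p === 'string' && known.has(p)),
  );
}

// Decide from the role row loaded on the server, never from client-supplied state.
function authorize(role: RoleRow | undefined, permission: PermissionKey): boolean {
  if (!role || role.activo !== 1) return false; // missing or deactivated role
  return parsePermisos(role.permisos).has(permission);
}

// edit_today_records is date-bound: the record must have been created today.
function canEditRecord(role: RoleRow | undefined, createdAt: Date, now: Date = new Date()): boolean {
  return authorize(role, 'edit_today_records')
    && createdAt.toDateString() === now.toDateString();
}
```
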

Configuring Permissions

1. Access Permissions Page
   Navigate to Permisos in the sidebar (Admin only).

2. Select Role
   Choose the role you want to modify from the role list.

3. Toggle Permissions
   Check or uncheck permissions for the selected role. Changes apply immediately.

4. Verify Changes
   Log in as a user with that role to verify the permission changes.

System Roles: Roles with es_sistema = 1 cannot be deleted. Modifying system role permissions affects all existing users with that role.

Creating Custom Roles

While the system ships with 4 default roles, administrators can create custom roles:
const newRole: Rol = {
  id: 0,  // Auto-generated
  nombre: "Line Manager",
  descripcion: "Manages specific production line",
  activo: 1,
  es_sistema: 0,  // Custom role (can be deleted)
  permisos: JSON.stringify([
    'register_scrap',
    'view_own_records',
    'view_area_reports',
    'edit_today_records',
    'export_catalogs'
  ])
};
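
A custom-role payload like the one above should be normalized before it is stored. The block below is an added example, not the project's code: it rejects unknown permission keys, removes duplicates, resets the caller-supplied id and es_sistema, and reports which of the permissions the page marks "Admin only" the role would grant. reviewCustomRole, RoleReview and the allowedKeys parameter are hypothetical, and forcing es_sistema to 0 is an assumption about the intended policy.

```typescript
// Added example; reviewCustomRole and RoleReview are hypothetical names.
interface Rol {
  id: number; nombre: string; descripcion: string;
  activo: number; es_sistema: number; permisos: string;
}
interface RoleReview { role: Rol; adminOnlyGrants: string[] }

// Permissions the page lists as "Granted to: Admin only".
const ADMIN_ONLY = ['manage_users', 'manage_permissions', 'export_backup'];

// Normalize a custom-role payload before it is stored and report the
// admin-only permissions it grants so they can be reviewed.
function reviewCustomRole(input: Rol, allowedKeys: readonly string[]): RoleReview {
  const nombre = input.nombre.trim();
  if (nombre.length === 0 || nombre.length > 50) {
    throw new Error('nombre must be 1-50 characters'); // roles.nombre is varchar(50)
  }
  let parsed: unknown;
  try {
    parsed = JSON.parse(input.permisos);
  } catch {
    throw new Error('permisos must be valid JSON');
  }
  if (!Array.isArray(parsed)) throw new Error('permisos must be a JSON array');
  const rejected = parsed.filter((p) => typeof p !== 'string' || !allowedKeys.includes(p));
  if (rejected.length > 0) {
    throw new Error('unknown permission: ' + JSON.stringify(rejected));
  }
  const unique: string[] = Array.from(new Set<string>(parsed)).sort();
  return {
    role: {
      ...input,
      id: 0,         // assigned by AUTO_INCREMENT, not by the caller
      nombre,
      es_sistema: 0, // assumption: callers cannot create system roles
      permisos: JSON.stringify(unique),
    },
    adminOnlyGrants: unique.filter((p) => ADMIN_ONLY.includes(p)),
  };
}
```
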

Best Practices

Principle of Least Privilege

Grant users only the permissions they need for their job function

Regular Audits

Review user permissions quarterly to remove unnecessary access

Document Custom Roles

Maintain documentation for any custom roles created

Test Permission Changes

Always test with a non-admin account before rolling out changes
