Configuration - System - User groups

Setting up rights and user groups feels complicated or even intimidating to many customers. It doesn’t have to be. With a few choices up front and a fixed working method you keep it clear and secure. This page describes the recommended approach.

Step 1 — Decide what the user needs to do

Start with the question: what kind of user are you creating? Broadly there are two profiles:

  • Operational administrator — works daily with bookings, customers, invoices and planning. Mainly needs rights to view and edit data, not to change the configuration.
  • Configuration administrator — sets up the environment: products/objects, templates and settings. Needs rights on the configuration screens, but does not necessarily do day-to-day operations.

Making this distinction first tells you which side of the rights overview you need — and prevents one group from getting ‘everything’.

Step 2 — Choose a strict or broad setup

Decide deliberately how broad you make a group:

  • Strict (recommended) — only the rights that are truly needed. Safer and clearer.
  • Broad — more rights than strictly necessary. Easier at first, but harder to oversee and riskier.

When in doubt, choose strict. You can always add a missing right later (see step 4).

Step 3 — Create your own groups with a recognisable prefix

Do not modify the standard groups (such as Admin and Demo). Instead, create new groups with a prefix of your own environment, for example DEMO_admin or DEMO_employee. Benefits:

  • You see at a glance that these are your own groups.
  • You keep full control over their contents, independent of future changes to the standard groups.
  • It prevents confusion for other administrators and for support.

Fill these groups with sets of:

  • menu_* rights — determine which screens and menus are visible (for example menu_booking, menu_customer).
  • entity_* rights — determine what a user may do with the data: entity_*_read (view), entity_*_create, entity_*_update and entity_*_delete. For an operational administrator, read + update is often enough; leave out delete on purpose.

Creating a new group and assigning rights is described in ‘How do I create a new user group?’ and ‘How do I add rights to a user group?’.

Step 4 — Start small and expand

Start with a small set of rights and add what users actually miss in practice. Do not do it the other way around (start big and then scale down): removing too many rights again is error-prone, you quickly forget what should go, and in the meantime someone has more power than necessary.
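A small audit script for steps 3 and 4, added here as an example that is not part of this documentation or the product itself. It assumes rights are plain strings in the menu_* and entity_*_{read,create,update,delete} form described above, that the environment prefix is DEMO_, and that the standard groups are Admin and Demo; it flags edited standard groups, unprefixed groups and delete rights on an operational group, and computes only the rights that are actually missing rather than trimming a broad set down.

```python
import re
from typing import Iterable

# Assumptions for this example (constructed, not product values):
STANDARD_GROUPS = {"Admin", "Demo"}   # never edit these, copy them into your own groups
PREFIX = "DEMO_"                      # prefix of your own environment
ENTITY_RE = re.compile(r"^entity_(?P<entity>\w+)_(?P<action>read|create|update|delete)$")
MENU_RE = re.compile(r"^menu_\w+$")


def audit_group(name: str, rights: Iterable[str], profile: str) -> list[str]:
    """Return findings for one group; an empty list means it follows the recommended setup.

    profile is "operational" (daily bookings/customers/invoices) or "configuration"
    (sets up products, templates and settings), see step 1.
    """
    findings: list[str] = []
    if name in STANDARD_GROUPS:
        findings.append(f"{name}: standard group, create a {PREFIX}-prefixed copy instead of editing it")
    elif not name.startswith(PREFIX):
        findings.append(f"{name}: missing the environment prefix {PREFIX}")
    for right in sorted(set(rights)):           # sorted so findings are deterministic
        m = ENTITY_RE.match(right)
        if not m and not MENU_RE.match(right):
            findings.append(f"{name}: unknown right {right}")
        elif m and m["action"] == "delete" and profile == "operational":
            # Step 3: read + update is usually enough for operational work; leave delete out on purpose.
            findings.append(f"{name}: operational group should not hold {right}")
    return findings


def rights_to_add(current: Iterable[str], needed: Iterable[str]) -> set[str]:
    """Step 4: start small and add only what users actually miss.

    Returns the rights present in `needed` but not yet in `current`; it never
    proposes removals, because scaling down from 'everything' is the error-prone path.
    """
    return set(needed) - set(current)


if __name__ == "__main__":
    # Constructed sample groups for a run-through.
    employee = ["menu_booking", "entity_booking_read", "entity_booking_update", "entity_booking_delete"]
    for finding in audit_group("DEMO_employee", employee, "operational"):
        print(finding)
    # A user reports the customer screen is missing: compute only the additions.
    wanted = employee[:3] + ["menu_customer", "entity_customer_read"]
    print("add:", sorted(rights_to_add(employee[:3], wanted)))
```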

The guiding principle: least privilege

The common thread in all the steps above is the security principle of least privilege: give every user and every group exactly the rights needed for the task — no more. This limits the impact of mistakes and misuse. Read more: Principle of least privilege.

Work by ‘least privilege’: grant only the rights that are truly needed. Safer and clearer.

Start small and add missing rights — do not scale down from ‘everything’.