Platform permissions configuration user guide

Overview

The Shoreline platform controls user access through Permission Types (roles). Each Permission Type is a collection of permissions that determines what users can see and do in the system. This guide helps administrators understand how permissions work together and what access combinations are needed for different tasks.

Understanding Permission Types

What are Permission Types?

Permission Types are pre-configured roles (like "Administrator," "Planner," "Worker") that bundle multiple permissions together. Each user is assigned one Permission Type that defines their access level.

Special Roles

Super Administrator: Has complete access to all features across all companies
Super User: Can access multiple company accounts
View All Sharing: Can see all work packages and shared items without restrictions

Permission Ranking

Permission Types are ranked from most powerful (rank 1) to least powerful (higher numbers). This prevents users from accidentally giving themselves or others more permissions than they should have:

Users can only modify other users with a lower rank than themselves
Users with rank 5 cannot edit users with ranks 1-5, only rank 6 and below
Super Administrators bypass rank restrictions

Permission Categories

1. Work Orders

The work order system requires multiple permissions to work together:

Basic Access:

Access Work Orders: Must be enabled to see the Work Orders menu
Read Work Orders: Required to view any work order information

Creating & Editing:

To create or modify work orders, users need:

Read Work Orders (prerequisite)
Create Work Order (for new work orders)
Update Work Order (to edit existing work orders)
Delete Work Order (to remove work orders)

Advanced Features:

Manage Work Order: Approve/reject completed work orders
Lock Work Order: Prevent further changes to work orders
Dispatch Work Order: Assign work orders to teams for execution
Schedule Work Orders: Change planned start and finish dates
Import Work Order: Bulk import work orders from files

Planning & Scheduling:

To use the Planning Calendar or Gantt Chart, users need:

Access Planner View
Read Planner View
Schedule Work Orders (to drag and adjust dates)

Important Dependencies:

Work orders are always linked to Sites and Assets
Users also need "Read Sites" and "Read Assets" permissions to work with work orders
Without asset/site permissions, work order creation will fail

2. Personnel & Teams

Basic Access:

Access Employees: Required to open the Personnel section
Read Employees: View personnel lists and basic information

Managing Personnel:

Create Employee: Add new personnel to the system
Update Employee: Modify employee information, work schedules, skills
Delete Employee: Remove employees from the system

Sensitive Information:

Personal details like phone numbers and emergency contacts are protected separately:

Read Personal Information: View phone numbers, emergency contacts
Create Personal Information: Add sensitive details when creating employees
Update Personal Information: Modify sensitive employee data

Special Permissions:

Manage Employee Attachments: Upload and delete certificates, training records, and other files
- Note: Employees can always view and upload their own files
Access Personnel and Team: View team planning screens
Import Employee: Bulk import personnel from files
Import Employee Skills: Bulk import certificates and qualifications

User Self-Service: All users can update their own basic profile (name, language preference, avatar) without needing "Update Employee" permission.

3. Sites, Assets & Equipment

The platform organizes physical locations in a hierarchy:

Site → Asset → Sub-Assembly → Component

For Each Level:

Access [Entity]: Opens the menu/section
Read [Entity]: View the list and details
Create [Entity]: Add new items
Update [Entity]: Edit existing items
Delete [Entity]: Remove items
Import [Entity]: Bulk import from files

Hierarchy Requirements:

When creating items at lower levels, users must have read access to parent levels:

Creating Sub-Assemblies requires:

Create Sub-Assembly permission
Read Assets permission (to select parent asset)
Read Sites permission (assets belong to sites)

Creating Components requires:

Create Component permission
Read Sub-Assembly permission (to select parent)
Read Assets permission (sub-assemblies belong to assets)
Read Sites permission (assets belong to sites)

Special Permissions:

Asset Custody: Track who physically possesses equipment
Read Equipment: View inventory and equipment lists
Read Location: Track where equipment is stored

4. Vessels & Transport

Basic Access:

Access Vessels: Opens the Vessels menu
Read Vessels: View vessel information

Managing Vessels:

Create Vessel: Add new vessels/transport
Update Vessel: Modify vessel details
Delete Vessel: Remove vessels
Import Vessel Skills: Bulk import vessel requirements

Additional:

Download Transferlist: Generate crew and equipment transfer lists for vessel planning

5. Reports

Basic Access:

Access Reporting: Opens the Reports section
Read Reporting: View existing reports

Creating & Editing:

Create Reporting: Generate new reports
Update Reporting: Modify draft reports
Delete Reporting: Remove reports
Import Reporting: Bulk import reports

Approval Workflow:

Manage Reporting: Approve or reject submitted reports
Lock Reports: Finalize reports (prevents further changes)
Unlock Reports: Reopen locked reports (requires higher authority)

Report Templates:

Read Reporting Settings: View report templates and configurations
Create Reporting Settings: Add new templates
Update Reporting Settings: Modify templates
Delete Reporting Settings: Remove templates

Dependencies:

Creating reports from work orders requires "Read Work Orders" permission
"Unlock Reports" is more powerful than "Lock Reports"

6. Timesheets

Managing Timesheets:

Manage Timesheets: Create and oversee timesheet records
Lock Timesheets: Finalize timesheets for approval
Unlock Timesheets: Reopen locked timesheets (higher authority required)
Delete Registered Time: Remove individual time entries

Time Registration:

Register Time for Others: Log working hours on behalf of other employees
Manage Register Time For: Configure which employees can register time for whom

Important Notes:

Users can always register their own time
"Register Time for Others" requires the user to be added to another employee's delegation list
Unlocking timesheets requires higher permission than just locking them

7. Checklists (Execution Module)

Basic Operations:

Read Checklist: View checklists and completion status
Create Checklist: Start new checklists from templates
Update Checklist: Fill out checklist items and add comments
Delete Checklist: Remove checklists
QA Checklist: Perform quality assurance approval

Templates:

Checklist templates are managed separately:

Viewing templates requires "Read Checklist" + company feature flag enabled
Templates define the structure that workers fill out during execution

Dependencies:

Checklists are attached to work orders
"Read Work Orders" permission is typically needed to see checklist context

8. Defects

Basic Access:

Access Defect: Opens the Defects section
Read Defect: View reported defects

Managing Defects:

Create Defect: Report new defects
Update Defect: Edit defect details, add notes
Delete Defect: Remove defects
Manage Defect: Approve repairs, close defects

Usage:

Workers report defects during work order execution
Supervisors use "Manage Defect" to review and close resolved issues

9. Company Settings

Basic Access:

Access Company Settings: Opens the Settings menu
Read Company Settings: View configuration (including permission matrix)

Configuration Management:

Create Company Settings: Add new configurations (skills, statuses, types)
Update Company Settings: Modify existing settings
Delete Company Settings: Remove configurations
Import Company Settings: Bulk import configuration data

Permission Management:

All operations on Permission Types require these permissions:

Read Company Settings (to view the permission matrix)
Create Company Settings (to add new Permission Types)
Update Company Settings (to edit Permission Types and change ranks)
Delete Company Settings (to remove unused Permission Types)

Critical Rule: Users can only edit Permission Types with a lower rank than their own. This prevents unauthorized privilege escalation.

10. Inventory & Equipment

Equipment Management:

Read Equipment: View equipment inventory
Create Equipment: Add new equipment items
Update Equipment: Modify equipment details
Delete Equipment: Remove equipment
Import Equipment: Bulk import equipment lists

Location Tracking:

Read Location: View where equipment is stored
Create Location: Define new storage locations
Update Location: Modify location details
Delete Location: Remove locations

Dependencies:

Equipment locations may reference Sites, Bases, or Vessels
Users need read access to parent entities

11. Loadout Planning

Basic Access:

Access Loadout: Opens the Loadout Planning section
Read Loadout: View loadout plans

Managing Loadouts:

Create Loadout: Build new equipment/personnel loadout plans
Update Loadout: Modify loadout details
Delete Loadout: Remove loadout plans

Usage:

Loadouts plan what equipment and personnel go on vessels
Often used alongside vessel scheduling and work order planning

12. Work Packages (Sharing & Access Control)

Basic Access:

Access Work Package: Opens the Work Packages section
Read Work Package: View work package assignments

Managing Work Packages:

Create Work Package: Define new project groups
Update Work Package: Modify work package details
Delete Work Package: Remove work packages
Import Work Package: Bulk import work packages

Sharing Control:

Share Access Work Package: Grant other users access to work packages (makes you a work package administrator)

Special Rules:

Users normally only see data within their assigned work packages
Users with "View All Sharing" permission see everything regardless of work package assignments
Work package administrators can grant others access

13. Dashboard Widgets

Control which dashboard widgets users can see:

Required Widget:

Access Dashboard Status and Overview: Everyone must have this (default landing page)

Optional Widgets:

Access Dashboard Personal Activities: "My Activities" panel
Access Dashboard Site Overview: Site map with status indicators
Access Dashboard Weather: Weather forecast panel
Access Dashboard Components: Component status summary
Access Dashboard Milestones: Milestone tracking
Access Dashboard Work Order Activity: Recent activity log
Access Dashboard Work Order Status: Status distribution chart
Access Dashboard Work Order Summary: Key metrics and statistics

Configuration Tip: Grant dashboard widgets based on job function—planners might see all widgets while workers might only need Personal Activities.

14. Permits to Work

If your company uses the Permits to Work module:

Basic Access:

Access Permit to Work: Opens the Permits section
Read Permit to Work: View existing permits

Managing Permits:

Create Permit to Work: Issue new permits
Update Permit to Work: Modify permit details
Delete Permit to Work: Remove permits
Manage Permit to Work: Authorize and approve permits

Usage:

Used in high-risk environments requiring formal work authorization
"Manage Permit to Work" is typically restricted to safety supervisors

15. Personnel Contracts

If your company uses the Personnel Contracts module:

Basic Access:

Access Personnel Contract: Opens the Contracts section
Read Personnel Contract: View contract details

Managing Contracts:

Create Personnel Contract: Add new contracts
Update Personnel Contract: Modify contract terms
Delete Personnel Contract: Remove contracts
Manage Personnel Contract: Approve and finalize contracts

16. Map Areas

For defining zones on site maps:

Read Map Area: View defined map zones
Create Map Area: Draw new areas on maps
Update Map Area: Modify zone boundaries
Delete Map Area: Remove map areas

17. System Administration

Advanced Permissions:

Export Data: Download system data to files (typically enabled for everyone)
Manage SSO: Configure Single Sign-On authentication
Access Audit Log: View system activity history

Common Permission Scenarios

Scenario 1: Office Planner

A planner who creates and schedules work but doesn't go offshore needs:

Work Orders:

Access Work Orders
Read Work Orders
Create Work Order
Update Work Order
Schedule Work Orders

Planning Tools:

Access Planner View
Read Planner View

Supporting Data:

Access Sites, Read Sites
Read Assets
Access Employees, Read Employees
Read Vessels
Read Equipment

Result: Can plan work and adjust schedules but cannot execute or approve work.

Scenario 2: Offshore Worker

A technician executing work offshore needs:

Work Orders:

Access Work Orders
Read Work Orders
Update Work Order (to update progress)

Execution:

Read Checklist
Update Checklist (to complete tasks)
Create Defect (to report issues)

Time Tracking:

Manage Timesheets (to log their hours)

Supporting Data:

Access Sites, Read Sites
Read Assets

Result: Can execute assigned work, complete checklists, report defects, and log time but cannot plan or schedule.

Scenario 3: Project Supervisor

A supervisor overseeing offshore operations needs:

Work Orders:

Access Work Orders
Read Work Orders
Update Work Order
Manage Work Order (to approve completions)
Lock Work Order (to finalize)

Execution:

Read Checklist
Update Checklist
QA Checklist (quality approval)
Read Defect
Update Defect
Manage Defect (to close out issues)

Time Management:

Manage Timesheets
Lock Timesheets
Register Time for Others

Personnel:

Access Employees
Read Employees
Update Employee (for schedule changes)

Result: Can oversee work execution, approve deliverables, manage the team, and finalize records.

Scenario 4: Administrator

A company administrator managing system configuration needs:

Company Settings:

Access Company Settings
Read Company Settings
Create Company Settings
Update Company Settings
Delete Company Settings

Plus broad read access:

Read Work Orders
Read Employees
Read Sites
Read Assets
Read Vessels
Read Equipment
Read Reporting

Result: Can configure the system, manage permission types, but might not perform day-to-day operational tasks.

Setting Up Permission Types

Best Practices:

Start with Gateway Permissions
- Always enable "Access [Module]" before specific operations
- Example: Enable "Access Work Orders" before "Read Work Orders"
Read Before Write
- Grant "Read" permissions before "Create/Update/Delete"
- Example: "Read Employees" before "Update Employee"
Consider the Hierarchy
- If users create sub-assemblies, they need to read assets and sites
- If users create work orders, they need to read sites and assets
Set Appropriate Ranks
- Higher authority = Lower rank number
- Ensure supervisors have lower ranks than workers
- Leave gaps in numbering (1, 10, 20, 30...) for future additions
Test Permission Types
- Create a test user with the new Permission Type
- Verify they can complete their intended tasks
- Check that restricted features are properly hidden

Troubleshooting Access Issues

"User cannot see [Feature]"

Check in order:

✓ Is the gateway permission enabled? (Access [Module])
✓ Is the read permission enabled? (Read [Module])
✓ Is the feature flag enabled for your company? (Check Company Settings)
✓ If in a work package: Is the user assigned to the correct work package?

"User cannot create [Item]"

Check:

✓ Does the user have "Create [Item]" permission?
✓ Does the user have "Read" access to parent entities?
- Example: Creating work orders requires reading sites and assets
✓ Are all required fields filled in correctly?

"User cannot edit another user"

Check:

✓ Does the editing user have "Update Employee" permission?
✓ Is the editing user's Permission Type rank lower (more powerful) than the target user's rank?
✓ Is the editing user a Super Administrator?

"Permission Type cannot be deleted"

Reason: Users are still assigned to that Permission Type

Solution:

Go to Personnel list
Find all users with that Permission Type
Reassign them to a different Permission Type
Then delete the unused Permission Type

Understanding "View All Sharing"

The "View All Sharing" flag is a special setting that bypasses work package restrictions:

Normal users:

Only see work orders, assets, and data in their assigned work packages
Must be granted access to each work package

Users with "View All Sharing" enabled:

See ALL data regardless of work package assignments
Useful for managers, auditors, and coordinators who need full visibility

When to use:

Project Managers overseeing multiple work packages
Operations Coordinators who schedule across all projects
Administrators who need to troubleshoot across the system

When NOT to use:

Contractors who should only see their assigned work
Workers limited to specific projects
External stakeholders with limited scope

Key Reminders

Permission Types are per company - Each company has its own set of Permission Types
Users have ONE Permission Type - You cannot combine multiple Permission Types
Ranks prevent privilege escalation - Lower-ranked users cannot modify higher-ranked users
Some features require both permissions AND feature flags - Check Company Settings
Self-service is always allowed - Users can update their own basic profile
Super Administrators bypass all restrictions - Use this role carefully
Dashboard Status is required - All users must have "Access Dashboard Status and Overview"
Export Data defaults to ON - Most users can export their data