Role families
6
Executive, religious, education, finance, governance, community
System roles
17
Per-organization assignments, not global access
Permission keys
25
Capability-based resource.action.scope keys
Sensitive modules
5
Confidential workflows guarded by assignment and audit rules
Permission Foundation
IslamicLLM should use capability-based permissions scoped to the active organization. A user can be an admin at one masjid, a teacher at another, and a parent in a third without those permissions leaking across tenants.
Executive
Tenant setup, settings, billing, user invitations, and organization-wide oversight.
Religious Services
Religious appointments, religious content review, khutbah/class planning, and prayer leadership.
Education and Youth
Madrasah, Kids Corner, registrations, teachers, attendance, progress, and parent communications.
Finance and Assistance
Expenses, reimbursements, payments, tuition, financial aid, and disbursements.
Governance
Membership, Shura elections, board materials, policy approvals, and governance reporting.
Community
Volunteer operations, family portals, member self-service, public intake, and kiosk support.
Role Catalog
The first MVP roles and their default boundaries before custom role builder work begins.
| Role | Family | Access Level | Default Scope | Purpose |
|---|---|---|---|---|
| Owner | Executive | Full control | Organization-wide | Controls organization settings, billing, users, role assignments, and final administrative overrides. |
| Admin | Executive | Operations | Organization-wide | Runs day-to-day workflows across communications, events, facilities, requests, and non-sensitive reporting. |
| Shura Member | Governance | Sensitive assigned | Governance modules | Reviews governance workflows, membership readiness, elections, high-level reporting, and board approvals. |
| Imam | Religious Services | Sensitive assigned | Assigned religious work | Handles religious appointments, religious content review, prayer leadership context, and imam-specific workflows. |
| Religious Leader | Religious Services | Sensitive assigned | Assigned religious work | Supports assigned religious services, appointments, classes, nikah requests, and content review. |
| Education Director | Education and Youth | Operations | Education programs | Oversees registrations, classes, teachers, parent communication, attendance, progress, tuition signals, and curriculum. |
| Teacher | Education and Youth | Sensitive assigned | Assigned classes | Manages assigned classes, attendance, progress notes, homework, and limited parent communication. |
| Youth Director | Education and Youth | Operations | Youth programs | Runs Kids Corner and youth activities, registrations, age-group events, volunteer needs, and parent updates. |
| Finance | Finance and Assistance | Sensitive assigned | Finance records | Manages expenses, reimbursements, deposits, tuition/payment visibility, disbursements, and finance reports. |
| Caseworker | Finance and Assistance | Sensitive assigned | Assigned cases | Views assigned financial aid cases, adds internal notes, requests documents, and prepares review summaries. |
| Assistance Committee | Finance and Assistance | Sensitive assigned | Committee queue | Reviews restricted financial aid applications, participates in committee votes, and sees anonymized reports. |
| Volunteer Coordinator | Community | Operations | Volunteer modules | Manages volunteers, shift assignments, event staffing, reminders, no-shows, and volunteer communications. |
| Volunteer | Community | Portal limited | Own shifts | Views assigned shifts, check-in details, and limited event information needed to serve. |
| Parent | Community | Portal limited | Own household | Views own household, children, registrations, tuition status, attendance alerts, and teacher messages. |
| Member | Community | Portal limited | Own profile | Views own membership status, voting eligibility, payments, public/member resources, and submitted requests. |
| Kiosk User | Community | Portal limited | Create-only intake | Can create public intake requests through the in-masjid kiosk but cannot browse internal records. |
| Viewer | Community | Read only | Approved resources | Reads approved public or internal resources based on invitation, without editing or approval authority. |
Permission Matrix
A first implementation view of what each primary role can do by capability key.
| Permission | Owner | Admin | Imam | Education Director | Finance | Caseworker | Member | Kiosk User |
|---|---|---|---|---|---|---|---|---|
communications.publish.organization | Allow | Allow | Deny | Deny | Deny | Deny | Deny | Deny |
urgent_alerts.send.organization | Allow | Allow | Deny | Deny | Deny | Deny | Deny | Deny |
expenses.approve.organization | Allow | Deny | Deny | Deny | Allow | Deny | Deny | Deny |
financial_aid.view.assigned | Allow | Deny | Deny | Deny | Deny | Allow | Deny | Deny |
financial_aid.vote.committee | Allow | Deny | Deny | Deny | Deny | Deny | Deny | Deny |
madrasah.attendance.update.assigned_class | Allow | Deny | Deny | Allow | Deny | Deny | Deny | Deny |
membership.approve.organization | Allow | Deny | Deny | Deny | Deny | Deny | Deny | Deny |
religious_appointments.notes.update.assigned | Allow | Deny | Allow | Deny | Deny | Deny | Deny | Deny |
assistant.retrieve.internal | Allow | Allow | Allow | Allow | Allow | Deny | Deny | Deny |
documents.view.restricted | Allow | Deny | Deny | Deny | Deny | Deny | Deny | Deny |
Sensitive Module Policies
These rules should be enforced in pages, APIs, and AI retrieval before any real data goes live.
Financial Aid
Only assigned cases are visible. Finance sees disbursement details without unnecessary hardship documents.
Audit events: case.viewed, document.downloaded, vote.submitted, disbursement.recorded
Religious Appointments
Private notes are visible only to assigned religious leaders and explicitly authorized admins.
Audit events: appointment.viewed, private_note.updated
Madrasah and Youth
Teachers see assigned classes. Parents see only their household. Medical and allergy data is tightly limited.
Audit events: student.viewed, attendance.updated, medical_alert.viewed
Governance and Elections
Candidate eligibility, voting rolls, and board materials require explicit governance permissions.
Audit events: membership.status_changed, election.record_viewed
Kiosk Agent
Kiosk users can create requests and applications but cannot browse internal records.
Audit events: kiosk.case_created, kiosk.application_started
AI Retrieval Gates
The assistant must inherit the user's active organization and permissions before retrieval.
Public knowledge
assistant.retrieve.publicWebsite content, public program pages, public forms, general service routing
Blocked for: None after public safety filtering
Internal operations
assistant.retrieve.internalStaff procedures, internal templates, event runbooks, volunteer instructions
Blocked for: Public, kiosk, parent, member, volunteer unless explicitly invited
Restricted records
assistant.retrieve.restrictedGovernance files, sensitive finance docs, restricted school records
Blocked for: Any user without explicit restricted retrieval approval
Confidential case notes
financial_aid.view.assignedFinancial aid documents, religious appointment notes, sensitive personal records
Blocked for: AI retrieval by default unless the exact workflow and assignment permits it
Example Organization Assignments
A user can hold multiple roles in one organization and different roles in another.
Operations Admin
Masjid DemoDaily operations, communications drafts, volunteer staffing, internal knowledge
Restriction: No financial aid case documents
Education Lead
Masjid DemoRegistrations, classes, attendance, parent messages, tuition status
Restriction: No assistance case details, only waiver signal
Weekend Teacher
Masjid DemoAssigned class attendance and progress
Restriction: No other classes, no student billing
Walk-in Kiosk
Masjid DemoCreate-only intake through guided conversation
Restriction: Cannot search member, donor, student, aid, or appointment records
Temporary Overrides
Overrides should be rare, time-boxed, reasoned, and audited. Denies override allows.
| User | Effect | Permission | Reason | Expires |
|---|---|---|---|---|
| Treasurer | allow | financial_aid.disburse.organization | Record an approved one-time assistance payment without accessing full case notes. | After disbursement closes |
| Event Volunteer | deny | documents.view.internal | Volunteer should only see shift-specific instructions for the Eid event. | Event end |
| Guest Khateeb | allow | documents.view.public | Temporary access to public khutbah logistics and parking instructions. | 48 hours |