Overview
Access control in DoorStax is enforced through four layers that work together to ensure users can only access the resources they are authorized for.
Each user is assigned exactly one role
Each role maps to a set of permission strings
Permissions are scoped to owned/assigned resources
Every API route checks permissions before execution
User Roles
Super Admin
SUPER_ADMINFull platform access. Manages all organizations, billing, and system-wide settings.
Permissions
- +All admin permissions
- +Organization management
- +System configuration
- +Billing and subscriptions
- +User provisioning across all orgs
Restrictions
- -None — unrestricted access
Platform Admin
PLATFORM_ADMINManages platform operations, reviews flagged items, and handles support escalations.
Permissions
- +All admin:* permissions
- +View all organizations
- +Manage flagged payments
- +Support escalation access
- +Reporting dashboard
Restrictions
- -Cannot modify billing or system configuration
Landlord / Owner
OWNERProperty owner with full access to their portfolio. Can manage properties, teams, and payouts.
Permissions
- +properties:read, properties:write
- +payments:read, payments:write
- +payouts:read, payouts:write
- +team:read, team:write
- +leases:read, leases:write
- +reports:read
Restrictions
- -Scoped to owned properties only
Property Manager
PROPERTY_MANAGERDay-to-day management of assigned properties. Handles tenants, leases, and maintenance.
Permissions
- +properties:read
- +payments:read, payments:write
- +leases:read, leases:write
- +tenants:read, tenants:write
- +maintenance:read, maintenance:write
Restrictions
- -Cannot manage payouts
- -Cannot modify property ownership
- -Scoped to assigned properties
Accountant / Finance
ACCOUNTANTFinancial oversight with read access to payments, ledger, and payouts. Limited write access.
Permissions
- +payments:read
- +payouts:read
- +ledger:read
- +reports:read
- +reconciliation:read
Restrictions
- -Read-only for most resources
- -Cannot manage tenants or leases
- -Cannot modify properties
Tenant
TENANTTenant with access to their own lease, payment history, and maintenance requests.
Permissions
- +Own lease:read
- +Own payments:read, payments:write (pay rent)
- +maintenance:read, maintenance:write (own unit)
- +profile:read, profile:write
Restrictions
- -Cannot view other tenants
- -Cannot access property-level data
- -Strictly scoped to own unit and lease
Partner
PARTNERExternal integration partner with API access scoped to specific endpoints.
Permissions
- +API access for assigned endpoints
- +Webhook subscriptions
- +Read access to shared resources
Restrictions
- -No UI access
- -Rate limited
- -Scoped to partner agreement
Admin Permissions
Admin-level permissions are prefixed with admin: and are only available to Super Admin and Platform Admin roles.
| Permission | Description |
|---|---|
| admin:overview | Platform overview dashboard |
| admin:payments | View and manage all payments |
| admin:payouts | View and manage all payouts |
| admin:properties | View and manage all properties |
| admin:users | User management across organizations |
| admin:organizations | Organization management |
| admin:reports | Platform-wide reporting |
| admin:settings | System configuration |
Team Permissions
Team-level permissions control access to resources within an organization. These are assigned based on role and further scoped by resource ownership.
| Permission | Description |
|---|---|
| properties:read | View properties |
| properties:write | Create and update properties |
| payments:read | View payment records |
| payments:write | Process and manage payments |
| payouts:read | View payout history |
| payouts:write | Initiate and manage payouts |
| leases:read | View lease agreements |
| leases:write | Create and modify leases |
| tenants:read | View tenant information |
| tenants:write | Manage tenant records |
| team:read | View team members |
| team:write | Invite and manage team members |
| reports:read | Access reports and analytics |
| ledger:read | View ledger entries |
Permission Matrix
Quick reference showing which permissions each role receives.
| Permission | Super | Platform | Owner | PM | Acct | Tenant | Partner |
|---|---|---|---|---|---|---|---|
| admin:* | ✓ | ✓ | — | — | — | — | — |
| properties:read | ✓ | ✓ | ✓ | ✓ | — | — | — |
| properties:write | ✓ | ✓ | ✓ | — | — | — | — |
| payments:read | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | — |
| payments:write | ✓ | ✓ | ✓ | ✓ | — | ✓ | — |
| payouts:read | ✓ | ✓ | ✓ | — | ✓ | — | — |
| payouts:write | ✓ | ✓ | ✓ | — | — | — | — |
| leases:read | ✓ | ✓ | ✓ | ✓ | — | ✓ | — |
| leases:write | ✓ | ✓ | ✓ | ✓ | — | — | — |
| tenants:read | ✓ | ✓ | ✓ | ✓ | — | — | — |
| tenants:write | ✓ | ✓ | ✓ | ✓ | — | — | — |
| team:read | ✓ | ✓ | ✓ | — | — | — | — |
| team:write | ✓ | ✓ | ✓ | — | — | — | — |
| reports:read | ✓ | ✓ | ✓ | — | ✓ | — | — |
| ledger:read | ✓ | ✓ | ✓ | — | ✓ | — | — |