Rendered documentation
This page renders the module's Markdown and Mermaid directly from the public documentation source.
Overview
The Persona Permission Bundles module provides one-click user provisioning through predefined bundles of roles, permissions, and feature flag domains. Instead of manually configuring individual roles and permissions for each user, administrators select a persona that encapsulates the complete access profile for a job function. The system ships with seven default personas covering common operational roles and supports custom persona creation for organisation-specific requirements.
Personas reduce provisioning time from minutes of manual configuration to a single action, while ensuring consistent access profiles across users performing the same function.
Key Features
- Default Persona Library - Seven built-in personas cover the most common operational roles: Intelligence Analyst, Case Manager, Evidence Reviewer, Platform Administrator, Viewer, Field Responder, and Surveillance Operator. Each default persona includes a curated set of roles, granular permissions, and feature flag domains validated for that job function.
- Custom Persona Creation - Administrators create organisation-specific personas with custom combinations of roles, permissions, and feature flag domains. Custom personas are scoped to the creating tenant and do not affect other organisations. Only platform administrators can modify default personas.
- Apply Modes - When applying a persona to a user, administrators choose between replace mode (the persona's roles and permissions completely replace the user's current configuration) and union mode (the persona's roles and permissions are merged with the user's existing configuration). Union mode is useful for granting additional capabilities without removing existing access.
- Feature Flag Domain Provisioning - Personas include feature flag domains that are automatically applied to the user through the feature flag service when the persona is activated. This ensures users gain access to the correct platform capabilities without separate feature flag configuration.
- Privilege Escalation Guards - Non-platform administrators are blocked from applying personas that contain privileged roles (superuser, knogin_admin, si_admin, internal_service) or the admin:full-access permission. Cross-tenant persona application is restricted to platform administrators only.
- Audit Trail - Every persona application generates an audit log entry recording who applied the persona, which user received it, which persona was applied, and the apply mode used.
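The apply modes, escalation guards and audit entry described above can be modelled as follows. This is an added illustration, not the module's own code: the class names, field names, `apply_persona` and the convention that a default persona has `tenant_id` of `None` are assumptions, and only the privileged role and permission names come from this page.

```python
from dataclasses import dataclass, field
from typing import Optional

# Privileged roles and permission named in the Privilege Escalation Guards item.
PRIVILEGED_ROLES = {"superuser", "knogin_admin", "si_admin", "internal_service"}
PRIVILEGED_PERMISSIONS = {"admin:full-access"}

@dataclass
class Persona:                      # hypothetical model
    name: str
    tenant_id: Optional[str]        # assumption: None marks a default persona
    roles: frozenset
    permissions: frozenset

@dataclass
class User:                         # hypothetical model
    user_id: str
    tenant_id: str
    roles: set = field(default_factory=set)
    permissions: set = field(default_factory=set)
    is_platform_admin: bool = False

class PersonaDenied(Exception):
    pass

def apply_persona(actor, target, persona, mode, audit_log):
    """Apply persona to target on behalf of actor; mode is 'replace' or 'union'."""
    if mode not in ("replace", "union"):
        raise ValueError(f"unknown apply mode: {mode}")
    if not actor.is_platform_admin:
        # Guard 1: cross-tenant application is restricted to platform admins.
        if actor.tenant_id != target.tenant_id or \
                persona.tenant_id not in (None, actor.tenant_id):
            raise PersonaDenied("cross-tenant persona application")
        # Guard 2: the persona itself must not carry privileged access,
        # checked before any change so union mode cannot smuggle it in.
        if persona.roles & PRIVILEGED_ROLES or \
                persona.permissions & PRIVILEGED_PERMISSIONS:
            raise PersonaDenied("persona contains privileged access")
    if mode == "replace":
        target.roles = set(persona.roles)
        target.permissions = set(persona.permissions)
    else:  # union: merge with the user's existing configuration
        target.roles |= persona.roles
        target.permissions |= persona.permissions
    # Audit entry: who applied, who received, which persona, which mode.
    audit_log.append({"actor": actor.user_id, "target": target.user_id,
                      "persona": persona.name, "mode": mode})
    return target
```

Both guards run before any state changes, so a denied request leaves the target user and the audit log of successful applications untouched.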
Use Cases
- New Employee Onboarding - Apply the appropriate persona to a new user account in a single action, granting them the complete set of roles, permissions, and feature access for their job function without manual configuration.
- Role Transitions - When a user changes job functions, apply the new persona in replace mode to cleanly transition their access profile from one role to another.
- Temporary Capability Grants - Use union mode to temporarily add capabilities from a specialist persona (such as Evidence Reviewer) to a user who normally operates under a different profile.
- Standardised Access Profiles - Ensure all users performing the same function have identical access configurations by provisioning through a shared persona rather than individual manual setup.
Integration
The Persona module integrates with the RBAC system for role and permission assignment, the feature flag service for domain-level feature provisioning, and the audit logging pipeline for compliance tracking. Persona management is available through the admin user interface in the user edit modal and through the REST API.
Last Reviewed: 2026-04-02