Drexo v0.3.0 — Roles, scopes, per-role menus + personalization
Access becomes capability × scope, organisations create custom roles with their own menu, tag-based scope arrives, and everyone can personalize their navigation (favourites, hide-for-me). Navigation-visibility hardening.
Drexo v0.3.0 — Roles, scopes, per-role menus + personalization
A big push on rights and navigation: the access model becomes legible (capability × scope), organisations can define their own roles with a dedicated menu, tag-based scope confines a member to specific zones, and everyone can finally personalize their sidebar.
Highlights
- Access = capability × scope. A member's role reads on two axes: capability (Admin, Operator, Viewer) and scope (whole organisation, or assigned zones). The role selector in Settings → Members reflects both directly.
- Custom roles. In Settings → Roles, create roles specific to your organisation ("North-zone Technician", "Town-hall Contact", "Billing Analyst"). Each rides a capability and carries its own menu.
- Per-role menus. In Settings → Navigation, choose which roles see each item. Visibility is menu curation, not access control — see "Migration".
- Tag-based scope. A member on "assigned zones" only sees devices carrying the tags you assign them (from their row in Members). Strictly bounded to your organisation.
- Navigation personalization. Hover a dashboard to pin it as a favourite (it rises to the top) or hide it for yourself. These preferences are private and affect neither other members nor permissions.
What's new
Roles and permissions
- New capability (Admin / Operator / Viewer) × scope (organisation / zones) model, derived without disruption from the existing role vocabulary.
- New Settings → Roles page: create, edit, delete custom roles (name + capability + default scope). Deleting a role does not remove members' access — they fall back to their capability's menu.
- Assign roles (built-in or custom) from Settings → Members.
Tag-based scope
- Assign one or more tags to an "assigned zones" member: they see exactly the devices carrying those tags. Until a tag is assigned, they see no devices.
Per-role navigation + personalization
- The visibility mask of an item is set per role (built-in and custom) in the navigation builder.
- Per-user favourites and hide-for-me in the sidebar, with a button to reveal hidden items.
Security
- Navigation visibility: hardening. Visibility-rule writes now go through server functions that derive the organisation from the node itself (you cannot target another organisation). A cross-organisation tampering hole was closed. The navigation-builder page is admin-only.
Migration
No manual action required — everything is additive. Important about navigation visibility: hiding an item from a role removes it from that role's menu, but does not block access to the resource (which depends on the member's capability × scope). To restrict access, use scope (tag zones), not menu hiding.