This section is a high-level explanation of ScaffoldHub roles and permissions. For low-level and implementation details, refer to the Architecture > Security section.

Both frontend and backend validate permissions. On the backend, the validation happens on each endpoint.

To understand ScaffoldHub security, you must understand these concepts:


A permission is a very specific action a user can perform. Examples are customer create, audit log read, or user delete.


A role is a group of permissions. For example, an admin (role) can create users (permission), view audit logs (permission), etc.

Out of the box, ScaffoldHub has two roles: Admin and Custom. The idea is that you manually create more roles based on your business context.

Users, Workspaces (Tenants), and Roles

Users can have multiple roles in multiple tenants. For example, a user can be a viewer (role) and an entity editor (role) on Workspace A (workspace), and an admin (role) on Workspace B (workspace).


For this demonstration, we will have the following setup: with the admin role. with the custom role.

The admin role has all the permissions.

The custom role has permission to read customers, create customers, and read products.
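The following sketch shows the tenant-scoped check described above: a role resolves to a set of permissions, and a user's roles are looked up for the workspace the request targets, never globally. It is an added example, not ScaffoldHub's own code; the permission ids, the role tables, the user shape, the workspace ids and the `hasPermission` and `assertPermission` functions are assumptions made for illustration.

```javascript
// Added illustration; not ScaffoldHub's implementation. All names are hypothetical.
const PERMISSIONS = Object.freeze([
  'customerRead', 'customerCreate', 'customerDestroy',
  'productRead', 'auditLogRead', 'userDestroy',
]);

// A role is a group of permissions.
const ROLES = Object.freeze({
  admin: new Set(PERMISSIONS), // admin has all the permissions
  custom: new Set(['customerRead', 'customerCreate', 'productRead']),
});

// Constructed sample user: roles are stored per workspace (tenant).
const sampleUser = {
  id: 'user-1',
  tenants: [
    { tenantId: 'workspace-a', roles: ['custom'] },
    { tenantId: 'workspace-b', roles: ['admin'] },
  ],
};

// Deny by default: an unknown permission, a missing workspace membership
// or an unknown role name all return false.
function hasPermission(user, tenantId, permission) {
  if (!user || !PERMISSIONS.includes(permission)) return false;
  const membership = (user.tenants || []).find((t) => t.tenantId === tenantId);
  if (!membership) return false;
  return membership.roles.some((name) => {
    // Own-property lookup so names like "constructor" never resolve to a role.
    const known = Object.prototype.hasOwnProperty.call(ROLES, name);
    return known && ROLES[name].has(permission);
  });
}

// Backend guard, called at the start of every endpoint handler.
function assertPermission(user, tenantId, permission) {
  if (!hasPermission(user, tenantId, permission)) {
    const err = new Error('Forbidden');
    err.code = 403;
    throw err;
  }
}
```

The frontend can call the same `hasPermission` to hide controls, but only the backend guard is a security boundary.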