Overview
Our new permissions system is designed to give administrators fine-grained control over who can access what within your organization. This flexible framework allows you to organize users into logical groups, assign them appropriate roles, and define precisely what data they can interact with. Whether you need to grant broad access across your entire organization or restrict users to specific data objects, this permission model makes it easy to implement exactly the security boundaries your team requires.
Useful Terms
User Group: A collection of users who share the same access privileges or permissions. Rather than assigning permissions individually to each user, you can create logical groups based on job functions, departments, or responsibilities, and then assign appropriate roles to these groups. When a new employee joins the organization, they can be added to the relevant user groups to automatically inherit all necessary access rights for their position.
Role: A pre-defined set of permissions, typically aligned with specific job functions or responsibilities within an organization (e.g. scheduler, administrator, booking agent). See a full list of the roles that Spare provides here.
Access grant: The link between the group, the role, and the level of access. Think of this as the overall “permission”: who has access, what they have access to, and what the limitations are.
An access grant can be org-wide: see all the data related to that permission.
Or it can be object-level: see some of the data related to that permission.
How will permissions work?
For the majority of users, the flow to set up permissions will be:
Create a User Group: Navigate to User Groups by selecting the initials icon on the left-hand side of the screen, navigating to the Settings section, and selecting User Groups. Click the + Add User Group button, and enter the group name and description.
Add users to the group by clicking the + Add membership button. You can search for existing users in Spare. If you're adding a new user, you'll need to create them as a platform user first.
Link the group to a role (this link is called an “access grant”) to indicate what permissions that group should have. Click the + Add Access Grant button and search for the role you want to give the group. You can add as many access grants as needed in order to give the right permissions to your group.
What if I need additional granularity?
By default, the permissions (via access grants) are scoped to be organization-wide. This means that the users' permissions apply across the whole organization - e.g. a user in this group can view all fleets in the organization. If you want to limit which data the user can see/interact with (e.g. view just some of the fleets), you need object-level filtering.
When adding an Access Grant, set the scope to be Object-level, then search for the relevant object. This will limit your group to only see the object that you've selected (e.g. the fleet that you select).
Example
An agency works with an operator (Operator A) and wants to limit what that operator's users can see in Spare. Specifically, the agency wants Operator A schedulers to only be able to access their own vehicles in Spare, not vehicles that belong to the Agency or other operators. The flow would be:
Create a group for the schedulers named “Operator A scheduler”
Link to the existing “scheduler” role in Spare. This allows anyone in the group to create vehicles, edit vehicles, etc - all the actions around vehicles that a “scheduler” role in Spare covers.
Set access grant to object-level. This indicates that you don’t want the schedulers to be able to create/edit/view/etc all vehicles in the customer’s organization - just specific vehicles.
Select Operator A’s vehicles as the object. This indicates which vehicles they should be able to access.
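The Operator A example above, modelled as a small deny-by-default access check. This is an added illustration, not Spare's code or API. The permission names, user names and vehicle IDs are constructed, and it assumes that a user's access is the combination of all grants held by their groups.

```python
from dataclasses import dataclass, field

# Hypothetical subset of what a "scheduler" role covers; names are constructed.
ROLES = {"scheduler": {"vehicle:view", "vehicle:edit"}}

@dataclass(frozen=True)
class AccessGrant:
    group: str
    role: str
    scope: str = "org-wide"           # "org-wide" (the default) or "object-level"
    objects: frozenset = frozenset()  # objects an object-level grant is limited to

@dataclass
class Org:
    memberships: dict = field(default_factory=dict)  # user -> set of group names
    grants: list = field(default_factory=list)

    def is_allowed(self, user, permission, object_id):
        """Allow only if some grant held by one of the user's groups covers the request."""
        groups = self.memberships.get(user, set())
        for grant in self.grants:
            if grant.group not in groups:
                continue  # grant belongs to a group the user is not in
            if permission not in ROLES.get(grant.role, set()):
                continue  # the linked role does not include this permission
            if grant.scope == "org-wide":
                return True
            if grant.scope == "object-level" and object_id in grant.objects:
                return True
        return False  # no matching grant (or unknown scope): deny

def build_example():
    """Constructed data: one object-level grant, one org-wide grant, one user with no group."""
    return Org(
        memberships={"alice": {"Operator A scheduler"},
                     "bob": {"Agency scheduler"},
                     "carol": set()},
        grants=[AccessGrant("Operator A scheduler", "scheduler", "object-level",
                            frozenset({"veh-A1", "veh-A2"})),
                AccessGrant("Agency scheduler", "scheduler")],
    )

if __name__ == "__main__":
    org = build_example()
    for user, vehicle in [("alice", "veh-A1"), ("alice", "veh-AGENCY-7"),
                          ("bob", "veh-AGENCY-7"), ("carol", "veh-A1")]:
        print(user, vehicle, org.is_allowed(user, "vehicle:edit", vehicle))
```

When reviewing a setup like this, check both directions: the scoped group can reach the selected objects, and it cannot reach anything outside them.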