Ambulant+ Admin
Settings

Roles & Access

Assign a role preset or define custom scopes. Scopes are normalized to the canonical catalog on save.

Policy map
Canonical catalog + legacy alias normalization enabled
Legacy scope names are auto-mapped to canonical names where possible. Unknown scopes are surfaced so you can migrate safely.
RBAC: Privileged actions must audit

Role Presets

Presets from lib/authz. You can “migrate to custom” to harmonize.

9 presets
  • Super Admin
    Full platform access.
    30 scopes, 30 unknown
    Normalized
    dashboard.view patients.read clinicians.read cases.read orders.read analytics.view reports.view insurance.view promotions.manage consult.view ops.labs ops.pharmacies ops.careport ops.medreach logistics.riders logistics.phlebs devices.view dev.sdk dev.upload admin.clinicians admin.patients admin.shop settings.general settings.roles settings.plans settings.consult settings.insurance settings.payouts settings.insightcore settings.shop
    Raw
    dashboard.view patients.read clinicians.read cases.read orders.read analytics.view reports.view insurance.view promotions.manage consult.view ops.labs ops.pharmacies ops.careport ops.medreach logistics.riders logistics.phlebs devices.view dev.sdk dev.upload admin.clinicians admin.patients admin.shop settings.general settings.roles settings.plans settings.consult settings.insurance settings.payouts settings.insightcore settings.shop
    Unknown scopes won’t match enforcement. Use “Migrate → Custom” then remove/replace unknowns.
  • Admin
    Operational administration.
    19 scopes, 19 unknown
    Normalized
    dashboard.view patients.read clinicians.read cases.read orders.read analytics.view reports.view insurance.view consult.view ops.labs ops.pharmacies ops.careport ops.medreach devices.view admin.clinicians admin.patients settings.general settings.roles settings.consult
    Raw
    dashboard.view patients.read clinicians.read cases.read orders.read analytics.view reports.view insurance.view consult.view ops.labs ops.pharmacies ops.careport ops.medreach devices.view admin.clinicians admin.patients settings.general settings.roles settings.consult
    Unknown scopes won’t match enforcement. Use “Migrate → Custom” then remove/replace unknowns.
  • Medical
    Clinical view & ops.
    13 scopes, 13 unknown
    Normalized
    dashboard.view patients.read clinicians.read cases.read orders.read consult.view ops.labs ops.pharmacies ops.careport ops.medreach analytics.view reports.view devices.view
    Raw
    dashboard.view patients.read clinicians.read cases.read orders.read consult.view ops.labs ops.pharmacies ops.careport ops.medreach analytics.view reports.view devices.view
    Unknown scopes won’t match enforcement. Use “Migrate → Custom” then remove/replace unknowns.
  • Tech & IT
    Devices, SDK, InsightCore.
    6 scopes, 6 unknown
    Normalized
    dashboard.view devices.view dev.sdk dev.upload settings.insightcore analytics.view
    Raw
    dashboard.view devices.view dev.sdk dev.upload settings.insightcore analytics.view
    Unknown scopes won’t match enforcement. Use “Migrate → Custom” then remove/replace unknowns.
  • Finance
    Financial analytics & payouts.
    5 scopes, 5 unknown
    Normalized
    dashboard.view analytics.view reports.view settings.payouts orders.read
    Raw
    dashboard.view analytics.view reports.view settings.payouts orders.read
    Unknown scopes won’t match enforcement. Use “Migrate → Custom” then remove/replace unknowns.
  • HR
    People admin.
    4 scopes, 4 unknown
    Normalized
    dashboard.view admin.clinicians clinicians.read reports.view
    Raw
    dashboard.view admin.clinicians clinicians.read reports.view
    Unknown scopes won’t match enforcement. Use “Migrate → Custom” then remove/replace unknowns.
  • Compliance
    Read-only oversight & reports.
    6 scopes, 6 unknown
    Normalized
    dashboard.view reports.view analytics.view patients.read cases.read orders.read
    Raw
    dashboard.view reports.view analytics.view patients.read cases.read orders.read
    Unknown scopes won’t match enforcement. Use “Migrate → Custom” then remove/replace unknowns.
  • Reports & Research
    Data access for insights.
    5 scopes, 5 unknown
    Normalized
    dashboard.view reports.view analytics.view patients.read cases.read
    Raw
    dashboard.view reports.view analytics.view patients.read cases.read
    Unknown scopes won’t match enforcement. Use “Migrate → Custom” then remove/replace unknowns.
  • R&D
    Innovation & experiments.
    4 scopes, 4 unknown
    Normalized
    dashboard.view settings.insightcore analytics.view dev.sdk
    Raw
    dashboard.view settings.insightcore analytics.view dev.sdk
    Unknown scopes won’t match enforcement. Use “Migrate → Custom” then remove/replace unknowns.

Custom Scopes

Build scopes using the catalog below. Space or comma separated.

Recommended operator presets
Convenience templates aligned to the canonical catalog. They do not alter lib/authz presets.
Scope catalog
Toggle scopes to build the custom list. These are the canonical names your APIs should enforce.
  • Settings: Tenant-scoped configuration (identity, branding, defaults).
  • Reports: Lifecycle + permission model as documented in Reports governance.
  • Payouts & Finance: Payout runs, approvals, exports and refunds.
  • Operations: Dispatch workflows and support operations.
  • Compliance: Credentialing verification, audits, and exports.
Enforcement plan: implement requireScope(actor, scope, { tenantId, orgId, practiceId, patientId }) in API routes, and write immutable audit events for privileged actions when admin audit is enabled.
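
An added sketch of the enforcement plan above (not Ambulant+ or lib/authz code): a fail-closed `requireScope` with legacy-alias normalization, a tenant check, and frozen audit events for privileged scopes. The catalog, alias map, privileged set, `config.adminAudit` and `writeAudit` are assumptions; only the `requireScope` signature and the `settings.payouts` name come from the page.

```javascript
// Constructed sample data: the catalog entries, aliases and privileged set
// below are assumptions for illustration, not the project's real lists.
const CATALOG = new Set(["reports.view", "payouts.approve", "roles.manage"]);
const LEGACY_ALIASES = new Map([["payout.admin", "payouts.approve"]]);
const PRIVILEGED = new Set(["payouts.approve", "roles.manage"]);
const config = { adminAudit: true }; // hypothetical "admin audit" switch

// Split a space- or comma-separated scope string, map legacy aliases to
// canonical names, and surface whatever is still not in the catalog.
function normalizeScopes(raw) {
  const granted = new Set();
  const unknown = [];
  for (const name of raw.split(/[\s,]+/).filter(Boolean)) {
    const canonical = LEGACY_ALIASES.get(name) ?? name;
    if (CATALOG.has(canonical)) granted.add(canonical);
    else unknown.push(name);
  }
  return { granted, unknown };
}

// Append-only in-process log; events are frozen so later code cannot edit them.
// Durable immutability (WORM storage, hash chaining) belongs to the real sink.
const auditLog = [];
function writeAudit(event) {
  auditLog.push(Object.freeze({ seq: auditLog.length + 1, ...event }));
}

// Fail closed: the scope must be canonical, granted to the actor, and the
// request's tenant must be present and equal to the actor's tenant.
function requireScope(actor, scope, { tenantId, orgId, practiceId, patientId } = {}) {
  const { granted } = normalizeScopes(actor.scopes);
  const allowed = CATALOG.has(scope) && granted.has(scope) &&
    tenantId != null && actor.tenantId === tenantId;
  if (config.adminAudit && PRIVILEGED.has(scope)) {
    // Record denials as well as grants for privileged scopes.
    writeAudit({ actor: actor.id, scope, allowed, tenantId, orgId, practiceId, patientId });
  }
  if (!allowed) throw new Error(`forbidden: ${scope}`);
  return true;
}

// Constructed actor: one legacy alias, one canonical scope, and one scope
// the page reports as unknown (settings.payouts).
const actor = { id: "u-1", tenantId: "t-a", scopes: "payout.admin, reports.view settings.payouts" };
console.log(normalizeScopes(actor.scopes).unknown);
```

Because unknown names never enter the granted set, a route that requires `settings.payouts` rejects this actor even though the string appears in their raw scope list.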