<aside> 🧭

Description of access levels and typical permissions in the system. First a role summary, then details.

</aside>



Role summary

| Role | Access | Typical actions | Notes |
| --- | --- | --- | --- |
| Super Admin | Full (`is_superuser=True`) | CRUD for everything, manage permissions and groups | Require MFA, audit activity |
| Admin | Broad (`is_staff=True` + selected permissions) | CRUD in own domain, manage lower-level users | No global settings |
| Auditor | Read-only (`can_view_*`) | View data and reports | No add/edit/delete |
| Consumer | Read for own objects | Viewing, requests (if enabled) | Ownership-based isolation |
| Public user | Public data without auth | View aggregated info | No changes |

Usage notes


Details

Access levels distribute responsibilities and protect the system by giving each user only what is needed. Django implements this through the User, Group, and Permission models, enabling least-privilege access and auditability at scale.
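An added example (not from the original page or from Django itself): a pure-Python check that lints role-to-permission assignments against the constraints in the role summary. Permission strings use Django's `app_label.codename` form; the app and model names, the `settings` app label, and the rule that only Super Admin may change `auth` groups and permissions are assumptions made for illustration.

```python
READ_PREFIXES = ("view_", "can_view_")     # Django default prefix and the page's notation
SUPERADMIN_ONLY = {"group", "permission"}  # assumption: auth models only Super Admin may change
GLOBAL_APPS = {"settings"}                 # hypothetical app label holding global settings


def is_read_only(perm):
    """perm is 'app_label.codename', the form User.get_all_permissions() returns."""
    return perm.split(".", 1)[1].startswith(READ_PREFIXES)


def lint_roles(roles):
    """Return sorted (role, finding) pairs for assignments that break the role summary."""
    findings = set()
    for name, role in roles.items():
        perms = role.get("perms", set())
        if role.get("is_superuser") and name != "Super Admin":
            findings.add((name, "is_superuser outside Super Admin"))
        if role.get("is_staff") and name in ("Consumer", "Public user"):
            findings.add((name, "is_staff on a non-admin role"))
        if name == "Public user" and perms:
            findings.add((name, "unauthenticated role holds permissions"))
        for perm in perms:
            app, code = perm.split(".", 1)
            model = code.rsplit("_", 1)[-1]  # Django model names contain no underscores
            if name == "Auditor" and not is_read_only(perm):
                findings.add((name, f"write permission {perm}"))
            if name == "Admin" and not is_read_only(perm):
                if app in GLOBAL_APPS or (app == "auth" and model in SUPERADMIN_ONLY):
                    findings.add((name, f"Super Admin-only permission {perm}"))
    return sorted(findings)


# Constructed sample, shaped like an export of each role's group permissions.
SAMPLE = {
    "Super Admin": {"is_superuser": True, "is_staff": True, "perms": set()},
    "Admin": {"is_staff": True,
              "perms": {"billing.change_invoice", "auth.change_user", "auth.add_group"}},
    "Auditor": {"perms": {"billing.view_invoice", "reports.can_view_summary",
                          "billing.delete_invoice"}},
    "Consumer": {"perms": {"billing.view_invoice"}},
    "Public user": {"perms": set()},
}

if __name__ == "__main__":
    for role, finding in lint_roles(SAMPLE):
        print(f"{role}: {finding}")
```

Model-level permissions cannot express the Consumer row's ownership-based isolation, so that constraint still needs an object-level check in the views or querysets.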

Super Admin

Admin