Roles and Permissions

This guide explains the PCH-SIG roles and permissions system.

Permissions Architecture

PCH-SIG uses a granular permissions system based on the format:

module.action

Examples:

menages.view: View households
menages.edit: Edit households
transferts.cycles_create: Create payment cycles

Roles and their permissions are managed in the database via the Role entity.

Predefined Roles

ROLE_ADMIN — Administrator

Full access to the system, including user administration, roles, settings, and audit.

Module	Permissions
All	All permissions

ROLE_COORDINATEUR — National Coordinator

Coordination of national activities. Extended access to household management, beneficiaries, payments, programs, reports, and climate data.

Module	Permissions
Households	`view`, `create`, `edit`, `export`, `import`, `validate`
Beneficiaries	`view`, `create`, `edit`, `export`, `import`
Payments	`view`, `create`, `validate`, `export`
Programs	`view`, `create`, `edit`
Documents	`view`, `create`, `validate`, `export`
Reports	`view`, `create`, `export`
Climate	`view`, `create`, `edit`, `export`

ROLE_COORDINATEUR_SANTE — Health Coordinator

Coordination of health-related activities. Access to programs, health-category complaints, and reports.

Module	Permissions
Programs	`view`
Registry	`menages_view`, `beneficiaires_view`
Complaints	`view`, `categorie.sante`
Reports	`view`, `generate`

ROLE_SUPERVISEUR — Regional Supervisor

Supervision of regional activities. Read/write access to households and beneficiaries, exports, and reports.

Module	Permissions
Households	`view`, `create`, `edit`, `export`, `validate`
Beneficiaries	`view`, `create`, `edit`, `export`
Payments	`view`, `export`
Programs	`view`
Documents	`view`, `create`, `export`
Reports	`view`, `export`
Climate	`view`, `export`

ROLE_FIELD_SUPERVISOR — Field Supervisor

Field activity supervision, household validation, and complaint management.

Module	Permissions
Registry	`menages_view`, `menages_edit`, `menages_validate`, `beneficiaires_view`, `doublons_view`, `doublons_check`
Complaints	`view`, `create`
Data	`carte`
Reports	`view`

ROLE_DB_SPECIALIST — Database Specialist

User management, system maintenance, duplicate management, and KoboToolbox integration.

Module	Permissions
Admin	`users`, `roles`, `settings`, `audit`
Registry	`menages_view`, `menages_edit`, `menages_validate`, `menages_delete`, `beneficiaires_view`, `beneficiaires_edit`, `doublons_*`, `import`, `import_template`
KoboToolbox	`view`, `sync`, `configure`
Reports	`view`, `generate`

ROLE_GESTIONNAIRE_PAIEMENT — Cash Transfer Specialist

Payment management, transfer cycles, and reconciliation.

Module	Permissions
Households	`view`
Beneficiaries	`view`
Payments	`view`, `create`, `export`
Programs	`view`, `create`, `edit`, `bailleurs`
Registry	`menages_view`, `menages_edit`, `menages_delete`, `menages_doublons`, `beneficiaires_view`, `beneficiaires_edit`, `eligibilite`, `documents`
Transfers	`cycles_view`, `cycles_create`, `paiements_view`, `paiements_execute`, `recurrence`, `reconciliation`
Data	`kobo`, `carte`
Reports	`view`

ROLE_TM_SPECIALIST — Cash Transfer Specialist

Cash transfer program oversight, enrollment approval, and payments.

Module	Permissions
Programs	`view`, `edit`, `enroll`
Registry	`menages_view`, `beneficiaires_view`, `beneficiaires_edit`, `eligibilite_view`, `eligibilite_evaluate`
Transfers	`cycles_view`, `cycles_create`, `cycles_edit`, `cycles_validate`, `paiements_view`, `paiements_execute`, `recurrence`, `reconciliation`, `comptes_operateurs_view`, `comptes_operateurs_edit`, `cycles_documents`
Reports	`view`, `generate`
Complaints	`view`, `create`, `process`, `close`, `categorie.protection_sociale`

ROLE_RAF — Administrative & Financial Manager

Administrative and financial management, payment validation, and exports.

Module	Permissions
Households	`view`, `export`
Beneficiaries	`view`, `export`
Payments	`view`, `create`, `validate`, `export`
Programs	`view`
Reports	`view`, `create`, `export`

ROLE_DATA_ENTRY — Data Entry Operator

Household and beneficiary data entry.

Module	Permissions
Households	`view`, `create`, `edit`
Beneficiaries	`view`, `create`, `edit`
Documents	`view`, `create`

ROLE_MA — Support Measures

Field support for households.

Module	Permissions
Households	`view`, `create`, `edit`
Beneficiaries	`view`, `create`, `edit`
Documents	`view`, `create`
Climate	`view`

Complaint management and resolution, including sensitive complaints (SEA/SH/GBV).

Module	Permissions
Complaints	`view`, `create`, `process`, `close`, `sensibles_view`, `sensibles_manage`
Registry	`menages_view`, `beneficiaires_view`
KoboToolbox	`view`, `configure`, `sync`
Reports	`view`, `generate`

ROLE_SSE — Environmental Safeguards Specialist

Environmental complaint management and access to sensitive complaints.

Module	Permissions
Complaints	`view`, `create`, `process`, `close`, `sensibles_view`, `sensibles_manage`
Registry	`menages_view`, `beneficiaires_view`
Data	`carte`
KoboToolbox	`view`
Reports	`view`, `generate`

ROLE_SE — Monitoring & Evaluation

Program monitoring and evaluation. Read and export access.

Module	Permissions
Households	`view`, `export`
Beneficiaries	`view`, `export`
Payments	`view`, `export`
Programs	`view`
Reports	`view`, `create`, `export`
Climate	`view`, `export`

ROLE_ONG_FOCAL — NGO Focal Point

Focal point for NGO partners.

Module	Permissions
Registry	`menages_view`, `menages_edit`, `beneficiaires_view`
Complaints	`view`, `create`
Data	`carte`
Reports	`view`

ROLE_POINT_FOCAL_ONG — NGO Focal Point (limited access)

Access limited to the areas of their NGO.

Module	Permissions
Programs	`view`
Registry	`menages_view`, `beneficiaires_view`
Complaints	`view`, `create`
Reports	`view`

ROLE_VIEWER — Viewer

Read-only access, no modifications allowed.

Module	Permissions
Households	`view`
Beneficiaries	`view`
Payments	`view`
Programs	`view`
Documents	`view`
Reports	`view`
Climate	`view`

ROLE_USER — User

Base role assigned to every authenticated user.

Module	Permissions
Households	`view`
Beneficiaries	`view`

Permission Modules List

Module	Description
`menages`	Household management
`beneficiaires`	Beneficiary management
`paiements`	Payment management
`programmes`	Program management
`documents`	Identity documents
`rapports`	Reports and exports
`climat`	Climate data
`plaintes`	Grievance redress mechanism
`administration`	Users, roles, settings
`registre`	Social registry (households, beneficiaries, duplicates)
`transferts`	Cycles and payments (detailed view)
`kobo`	KoboToolbox integration
`donnees`	GIS map and external data
`suivi_evaluation`	Monitoring and evaluation

Permissions Verification

Backend Side (Symfony Voter)

// In a controller
$this->denyAccessUnlessGranted('menages.edit', $menage);

// In a service
if ($this->security->isGranted('transferts.cycles_validate')) {
    // ...
}

Frontend Side (React)

import { usePermissions } from '@/hooks/usePermissions';

function MenageActions({ menage }) {
    const { hasPermission } = usePermissions();

    return (
        <div>
            {hasPermission('menages.edit') && (
                <Button onClick={() => handleEdit(menage)}>
                    Edit
                </Button>
            )}
        </div>
    );
}

Creating a Custom Role

Via the Interface

Go to Settings > Roles
Click New Role
Define:
- Code: Technical identifier (e.g., ROLE_SUPERVISEUR)
- Name: Displayed label (e.g., Regional Supervisor)
- Description: Role description
- Permissions: Check the desired permissions
Save

Best Practices

Principle of Least Privilege

Assign only the necessary permissions
Start with a restrictive role and add permissions as needed
Avoid granting all permissions except for administrators

Role Organization

Create clear business roles
Document each role's responsibilities
Regularly review role assignments

Security

Limit the number of administrators
Audit permission changes via the audit log
Test restrictions on both frontend AND backend
Sensitive complaints (SEA/SH/GBV) require the plaintes.sensibles_view permission

Permissions Architecture​

Predefined Roles​

ROLE_ADMIN — Administrator​

ROLE_COORDINATEUR — National Coordinator​

ROLE_COORDINATEUR_SANTE — Health Coordinator​

ROLE_SUPERVISEUR — Regional Supervisor​

ROLE_FIELD_SUPERVISOR — Field Supervisor​

ROLE_DB_SPECIALIST — Database Specialist​

ROLE_GESTIONNAIRE_PAIEMENT — Cash Transfer Specialist​

ROLE_TM_SPECIALIST — Cash Transfer Specialist​

ROLE_RAF — Administrative & Financial Manager​

ROLE_DATA_ENTRY — Data Entry Operator​

ROLE_MA — Support Measures​

ROLE_SS_SPECIALIST — Social Safeguards Specialist​

ROLE_SSE — Environmental Safeguards Specialist​

ROLE_SE — Monitoring & Evaluation​

ROLE_ONG_FOCAL — NGO Focal Point​

ROLE_POINT_FOCAL_ONG — NGO Focal Point (limited access)​

ROLE_VIEWER — Viewer​

ROLE_USER — User​

Permission Modules List​

Permissions Verification​

Backend Side (Symfony Voter)​

Frontend Side (React)​

Creating a Custom Role​

Via the Interface​

Best Practices​

Principle of Least Privilege​

Role Organization​

Security​

Next Steps​