Google Sign-In Required

Use your company Google account to access the BetterFleet private content.

Back to private home

BetterFleet Support Private
Skip to content
BetterFleet Dev Wiki
Overview
Initializing search
    bf-dev
    • Home
    • Product Capabilities
    • Process
    • Current Work
    • System Design
    • Software Reference
    • Operations
    bf-dev
    • Home
      • Overview
      • Manage
      • Overview
      • Product Engineering Workflow
      • Product Engineering Delivery
      • Product Engineering Workflow in Linear
        • GitLab Feature Flags
        • In-App Docs Authoring
        • Release Notes
      • Templates
      • Publishing
      • Workflow Companions
      • Overview
      • Active Artifacts
      • Backlog Artifacts
      • Archived Artifacts
      • Overview
      • Microgrid
      • OSCP
        • Challenge
        • Specification
        • Spec
        • Architecture
        • Overview
        • Script Runtime Model
        • Compose Profiles and Modes
        • Repo Topology
        • CI and Release Integration
        • Overview
        • Internal Application Diagrams
          • Overview
            • End to End Flow
            • Control Layers
            • Important design note
          • Web Model
          • Core Model
        • Service Interaction Flows
        • Data and State
          • Index
          • bf-manage-web
          • bf-manage-core
          • bf-manage-connect
          • bf-manage-sitepwrmon
          • bf-manage-incidents
          • bf-telematics
          • bf-depot-sim
          • bf-manage-roaming
          • bf-support-microsite
          • bf-digital-twin
          • bf-schedule-creator
        • Overview
        • Internal Application Diagrams
        • Migration and Flags
        • Simulation Request Lifecycle
          • Index
          • bf-bnl-ui
          • bf-bnl-settings
          • bf-bnl-schedule-analysis-compute
          • bf-route-modelling
          • bf-schedule-creator
          • bf-digital-twin
        • Overview
        • Secrets and Env Strategy
        • Vendors and Local Dependencies
        • ADRs
        • Service Matrix
        • Cloud Dependencies
        • Ports and URLs
      • Onboarding
      • Daily Operations Runbook
        • Overview
        • Staging Hotfix Release
        • Production Hotfix Release
        • Terraform Plan Dry Runs
      • Troubleshooting
      • Testing Guide
    • End to End Flow
    • Control Layers
    • Important design note

    Manage Authorization and Permissions¶

    This section documents the actual authorization model currently implemented across:

    • bf-manage-web frontend auth and UI permission gating
    • bf-manage-core backend authentication and workspace-scoped authorization

    End to End Flow¶

    sequenceDiagram
  participant User
  participant Web as manage web
  participant Amplify as aws amplify session
  participant Core as manage core
  participant Auth as authenticate and authorise
  participant Domain as api endpoint

  User->>Web: open app and trigger action
  Web->>Amplify: fetch current access token
  Web->>Core: request with bearer token and workspace headers
  Core->>Auth: authenticate token and build principal
  Auth->>Auth: authorise workspace action
  Auth->>Domain: allow endpoint execution
  Domain-->>Web: response payload

    Control Layers¶

    flowchart TD
  TokenAuth[Token authentication] --> Principal[Principal in request state]
  Principal --> WorkspaceScope[Workspace scoping]
  WorkspaceScope --> RoleCheck[Role and action checks]
  RoleCheck --> EndpointAccess[Endpoint access granted or denied]

  UiRoleGate[Frontend role gating] --> Navigation[Nav and feature visibility]
  UiRoleGate --> ActionButtons[Action button availability]

    Important design note¶

    Frontend checks are user-experience controls. Backend authorization is the enforcement boundary.

    Made with Material for MkDocs