Permissions and Roles

How to classify who may call each route and what permission evidence is required.

Audience: Partner administrators, Event leads, Adoption leads, Integration owners
Dashboard surfaces: partners.furries.ph, rego.furries.ph, EMS LAN integrations
Records touched: API service expectations, Auth state, Platform records

Confirm Access Before Acting

Use this guide when a route, request, response, permission model, integration, or deployment behavior needs to be understood before people rely on it. Permissions and Roles narrows that work to classifying who may call each route and what permission evidence is required. Because this is an access page, read it as part of the Platform adoption learning path rather than as an isolated checklist.

An API is a contract between systems. Even technical changes can affect attendee records, dashboard behavior, notifications, payments, files, or staff tools. Read the page for the decision it helps a person make, then use the steps and checks as a steady path from context to action to proof.

What This Access Model Protects

This page explains who may do something and why. Read it before assuming a logged-in user, staff member, webhook, or internal service can use a route. The intended readers are partner administrators, event leads, adoption leads, and integration owners. If the guide names a dashboard screen, service area, export, or record type, treat that name as a pointer to real operational responsibility.

  • Primary surface or service: partners-api.
  • Records or contracts involved: API service expectations, Auth state, and Platform records.
  • Main care point: Watch for using a service route with the wrong actor, changing a response another app depends on, leaking a secret, or triggering the same side effect twice.
  • Proof worth keeping: route inventory, method and path, auth model, request and response shape, platform owner confirmation, test result, consumer note, and deployment evidence.

Work From Caller To Permission

  1. Name the caller: Begin by naming the Platform adoption situation, the owner, and the exact item involved in Permissions and Roles.
  2. Check the session, token, role, or secret: Use partners-api to connect the words on the page to the screen, file, route, or service trail that people actually use.
  3. Match the permission to the record being touched: Keep API service expectations, Auth state, and Platform records in view so the work stays tied to the records or contracts it can affect.
  4. Test the allowed and denied paths: Before handing off, save proof such as route inventory, method and path, auth model, request and response shape, platform owner confirmation, test result, consumer note, and deployment evidence so an adoption lead and a non-specialist reviewer can understand what the route does and how it was verified.

Access Is Clear When

You are ready to use the rest of this page when the purpose, owner, affected information, and proof are all clear enough for a second person to review.

  1. Scope is named: The work is tied to the correct page, event, report, route, file, person, or record.
  2. Impact is understood: The operator can explain the effect on callers, records, permissions, secrets, side effects, and downstream apps.
  3. Proof is findable: The handoff points to evidence from which an adoption lead and a non-specialist reviewer can understand what the route does and how it was verified.

End-to-end adoption runbook

  1. Step 1 - Name the API workflow and owner: Identify the product area, organization owner, service path, and relying team before adopting a workflow or integration.
  2. Step 2 - Read the contract in human terms: Check who can use it, what information is exchanged, what can fail, what records change, and what proof the adopting team must keep.
  3. Step 3 - Prepare auth and input deliberately: Confirm the right role, account, partner, event, and approved data before depending on the workflow.
  4. Step 4 - Use or request the route in the right environment: Use the approved dashboard, rego, LAN, or integration environment and keep credentials out of notes, screenshots, and exports.
  5. Step 5 - Check returned data and real side effects: Confirm the visible result, affected records, external action, and review evidence in plain language.
  6. Step 6 - Record tests, docs, and handoff notes: Record the owner, expected behavior, adoption evidence, and escalation path before relying on it in production.

Role classification

  1. Action 1 - Classify the route: Public, dashboard-authenticated, rego-authenticated, partner-admin, event-scoped, platform-admin, webhook, internal, or test-only.
  2. Action 2 - Find enforcement source: Link the access rules, helper, or inline check that proves the role.
  3. Action 3 - Check record scope: Verify partner ID, event ID, attendee ID, staff profile ID, or payment account scope.
  4. Action 4 - Document escalation: If only FPH staff or platform admins can call it, say why.

Permission matrix

| Caller | Typical route group | Required proof |
| --- | --- | --- |
| Public user | contact, public waitlist, public integration callback | validation, abuse controls, signed state where applicable |
| Attendee | rego, fursonas, social, rego notices | rego session and attendee/event scope |
| Partner operator | events, reports, admin, finance, HR | dashboard session plus partner/event permission |
| Platform admin | network bans, org control, test tooling | dashboard session plus elevated role |
| System | hooks, cron, test control | signed webhook, shared secret, or guarded internal header |
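
The role-classification actions and the permission matrix can be checked mechanically against a route inventory before handoff. The following is an added example, not code from partners-api: the inventory field names, route paths, helper names, and the mapping of webhook and internal routes to the System row are assumptions made for illustration.

```python
# Added example; fields, paths and helper names are constructed, not from partners-api.
CLASSES = {"public", "dashboard-authenticated", "rego-authenticated",
           "partner-admin", "event-scoped", "platform-admin",
           "webhook", "internal", "test-only"}
SCOPE_IDS = {"partner_id", "event_id", "attendee_id", "staff_profile_id", "payment_account_id"}
NEEDS_SCOPE = {"rego-authenticated", "partner-admin", "event-scoped"}
# Assumption: webhook and internal routes fall under the matrix's System row.
SYSTEM_CLASSES = {"webhook", "internal"}
SYSTEM_PROOF = {"signed_webhook", "shared_secret", "guarded_internal_header"}

def lint_route(route):
    """Return the findings for one inventory entry; an empty list passes."""
    cls = route.get("classification")
    if cls not in CLASSES:                                  # Action 1
        return [f"unknown classification {cls!r}"]
    findings = []
    if not route.get("enforcement"):                        # Action 2
        findings.append("no enforcement source linked")
    scope = set(route.get("scope", []))
    if scope - SCOPE_IDS:
        findings.append(f"unrecognised scope ids {sorted(scope - SCOPE_IDS)}")
    if cls in NEEDS_SCOPE and not scope:                    # Action 3
        findings.append("record scope not declared")
    if cls == "platform-admin" and not route.get("escalation_reason"):  # Action 4
        findings.append("platform-admin route lacks an escalation reason")
    if cls in SYSTEM_CLASSES and route.get("proof") not in SYSTEM_PROOF:
        findings.append("system route lacks signed webhook, shared secret or guarded header")
    return findings

def lint_inventory(routes):
    """Map 'METHOD path' to findings, keeping only entries that fail."""
    report = {f"{r['method']} {r['path']}": lint_route(r) for r in routes}
    return {key: found for key, found in report.items() if found}

# Constructed sample inventory (hypothetical paths and helper names).
SAMPLE = [
    {"method": "GET", "path": "/events/:eventId/reports", "classification": "event-scoped",
     "enforcement": "requireEventPermission", "scope": ["partner_id", "event_id"]},
    {"method": "POST", "path": "/network/bans", "classification": "platform-admin",
     "enforcement": "requirePlatformAdmin"},
    {"method": "POST", "path": "/hooks/payment", "classification": "webhook",
     "enforcement": "verifyWebhookSignature", "proof": "signed_webhook"},
    {"method": "GET", "path": "/rego/notices", "classification": "rego-authenticated",
     "enforcement": "", "scope": []},
    {"method": "POST", "path": "/test/reset", "classification": "staff-only"},
]

if __name__ == "__main__":
    print(lint_inventory(SAMPLE))
```

A passing inventory is only the documentation half of the proof; the allowed and denied paths for each route still need to be exercised against the real service.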
