Roles & access

The dashboard authenticates you via Google Sign-In (limited to @copebit.ch accounts). Your role is derived from your WorkflowMax profile + a small "bootstrap admin" allowlist.

The roles

| Role | Derived from | Sees |
|---|---|---|
| Employee | Any authenticated @copebit.ch Google account. | Personal section, Tools (Projects, AI Assistant). My Overtime appears only when overtime tracking is enabled for them. |
| Financial admin | Granted on the Permissions page (admin-only); stored in the finance-admins table. | Employee view plus read-only Team Metrics + Team Overtime. No config or admin tools, and not a WFM manager. |
| Manager | WFM role Administrator or PO, or a bootstrap admin email. | All of the Employee view, plus the full Team section and the Admin section (Capacity Influencer, Staff). |
| Admin | WFM role Administrator, or a bootstrap admin email. | All of the above, plus Permissions (grant the financial-admin role, edit team membership) and System (WFM connect, sync, backups, restore). |

is_manager, is_admin, and is_financial_admin are computed at sign-in and signed into the dashboard JWT for the session (8 h TTL). Because the flags live in the token, a role change only takes effect after the user signs in again.

Bootstrap admin list

Lives in AWS Secrets Manager (the slack-bot credentials secret). A short allowlist of @copebit.ch email addresses that are always treated as managers + admins, regardless of their WFM role. Used for people who need dashboard admin access without changing their WorkflowMax profile.

Overtime eligibility

A separate flag, per staff member, toggled by a manager in Staff Admin → Overtime tracking. Independent of role:

  • A regular employee can be eligible (most are).
  • A manager can be ineligible (if they don't bill hours).

The eligibility flag is not in the JWT — it is taken from the auth response payload at sign-in, and re-checked server-side on every request to the overtime endpoints.

What each request enforces

The dashboard JWT authorises every API call. The server-side route handlers re-check the relevant flag before answering:

  • /overtime/personal requires is_eligible(staff_uuid).
  • /metrics/team/* and /overtime/team/* require is_manager or is_financial_admin (read-only team data).
  • /overtime/admin/*, /overtime-overrides/*, /capacity-reductions/*, /billable-ops-tasks/*, /projects/* (mutations), /jobs, /time-entries, /epics* all require is_manager.
  • /admin/* and /permissions/* require is_admin.
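The route rules above, written out as a single deny-by-default guard. This is an added illustration, not the dashboard's own handler code: it assumes the JWT signature has already been verified upstream and its claims arrive as a dict, that the eligibility store is a constructed in-memory set standing in for the per-staff flag, and that non-mutating reads of /projects/* are open to any authenticated employee (the page only says mutations need is_manager).

```python
from dataclasses import dataclass
from typing import Set

@dataclass
class Claims:
    """Flags as they appear in the dashboard JWT (signature already verified)."""
    staff_uuid: str
    is_manager: bool = False
    is_admin: bool = False
    is_financial_admin: bool = False

# Constructed stand-in for the per-staff overtime eligibility flag.
# It is deliberately NOT a JWT claim: it is looked up server-side per request.
ELIGIBLE_STAFF: Set[str] = {"staff-0001"}

def is_eligible(staff_uuid: str) -> bool:
    return staff_uuid in ELIGIBLE_STAFF

MANAGER_ONLY_PREFIXES = (
    "/overtime/admin/", "/overtime-overrides/", "/capacity-reductions/",
    "/billable-ops-tasks/", "/jobs", "/time-entries", "/epics",
)
TEAM_READ_PREFIXES = ("/metrics/team/", "/overtime/team/")
ADMIN_PREFIXES = ("/admin/", "/permissions/")
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def authorize(method: str, path: str, claims: Claims) -> bool:
    """Return True only if the caller may reach `path`; unknown routes are denied."""
    if path.startswith(ADMIN_PREFIXES):
        return claims.is_admin
    if path.startswith(TEAM_READ_PREFIXES):
        # Read-only team data: managers and financial admins both qualify.
        return claims.is_manager or claims.is_financial_admin
    if path == "/overtime/personal":
        # Re-checked server-side on every call, never trusted from the token.
        return is_eligible(claims.staff_uuid)
    if path.startswith("/projects/"):
        # Assumption: only mutations are gated; reads are open to employees.
        return claims.is_manager if method.upper() in MUTATING_METHODS else True
    if path.startswith(MANAGER_ONLY_PREFIXES):
        return claims.is_manager
    return False  # deny by default for anything not listed above
```

Note that a financial admin is refused at /overtime/admin/* even though they can read /overtime/team/*, and a manager who is not eligible is refused at /overtime/personal.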

Permissions page

Admins manage two things on Admin → Permissions:

  • Financial admins — the email allowlist for the financial-admin role (stored in DynamoDB, edited from the UI).
  • Teams — the team → staff-member mapping that groups Team Metrics and Team Overtime (stored in the teams SSM parameter, which is Terraform-managed with ignore_changes so UI edits stick).

The MCP runtime applies the same role checks — managers see all staff, regular users see only their own data.