Admin & RBAC
Role-Based Access Control (RBAC) in Task Dashboard is managed through the Django admin interface.
Concepts
- Django Groups: Standard Django groups used as the primary RBAC unit. Users are assigned to groups, and groups receive permissions.
- External Groups: Groups auto-discovered from connected services (e.g., Zammad groups, GitLab projects, EspoCRM teams). These are created automatically when tasks are fetched.
- Service Permissions: Link a Django Group to a ServiceConfiguration with a default access level. Acts as a fallback when no TaskPermission matches.
- Task Permissions: Link a Django Group to a specific ExternalGroup with a fine-grained access level.
Access Levels

| Level | Behaviour |
|---|---|
| | See all tasks in the matched group/service. |
| | See own tasks plus unassigned tasks. |
| | See only tasks assigned to the current user. |
| | No access — tasks from this group/service are hidden. |
Configuring Access
1. Navigate to Admin → Access Control → Groups.
2. Open a group to edit it.
3. Under Service Permissions, add a row linking the group to a ServiceConfiguration and set the default level.
4. Under Task Permissions, add rows for specific ExternalGroups with finer levels.
Task Permission takes precedence over Service Permission when both match.
SSO Group Sync
When Keycloak OIDC is configured, groups from the token are automatically synced to Django groups on each login.
SSO Default Fallback — Always assign new SSO users to this group if they are not found in the token.
Configure these in Admin → Configuration → Global Settings.
Note
SSO sync only removes groups that SSO itself previously assigned (tracked via the SSOGroup marker model).
Manually assigned groups are never removed by SSO sync.
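
The removal rule in the note above, as an added example (not Task Dashboard's own code): a pure-Python model of the sync in which `UserGroups`, `sync_on_login` and `manual_groups` are hypothetical names and the `sso_marked` set stands in for the SSOGroup marker. It assumes a group the user already holds manually is not marked when it also appears in the token, and it does not model the SSO Default Fallback setting.

```python
"""Model of SSO group reconciliation on login (illustrative, no Django needed)."""
from dataclasses import dataclass, field


@dataclass
class UserGroups:
    groups: set = field(default_factory=set)      # every Django group the user holds
    sso_marked: set = field(default_factory=set)  # subset that SSO assigned (marker)


def sync_on_login(user: UserGroups, token_groups: set) -> dict:
    """Reconcile membership with the groups carried by one login's token."""
    token_groups = set(token_groups)
    # Only groups SSO itself assigned earlier are eligible for removal.
    to_remove = user.sso_marked - token_groups
    # Token groups the user does not hold yet are added and marked.
    # Assumption: a group already held manually is left unmarked.
    to_add = token_groups - user.groups
    user.groups = (user.groups - to_remove) | to_add
    user.sso_marked = (user.sso_marked - to_remove) | to_add
    return {"added": to_add, "removed": to_remove}


def manual_groups(user: UserGroups) -> set:
    """Groups SSO sync will never revoke; they need a separate access review."""
    return user.groups - user.sso_marked


def demo() -> UserGroups:
    # Constructed sample: "auditors" was granted by hand in the Django admin.
    user = UserGroups(groups={"auditors"})
    sync_on_login(user, {"support", "devops"})  # first login adds both
    sync_on_login(user, {"support"})            # devops dropped in the IdP
    sync_on_login(user, set())                  # every IdP group removed
    return user


if __name__ == "__main__":
    u = demo()
    print("groups:", sorted(u.groups), "manual:", sorted(manual_groups(u)))
```

Removing a user from every group in Keycloak does not revoke groups granted by hand in the Django admin, so offboarding checks should review the `manual_groups` equivalent as well.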