# Roles & permissions

## Canonical roles

The API normalises the JWT `role` claim to `superadmin`, `admin`, `teacher`, or `student`. Legacy values (`manager` → `admin`, `instructor` → `teacher`) are still accepted for a transition period.
## Summary

| Area | Admin | Teacher | Student | Superadmin |
|---|---|---|---|---|
| Tenant-wide overview aggregates | yes | yes (scoped) | no | yes |
| Report job queue | yes | yes | no | yes |
| `GET .../reports/:type/latest` (all types) | yes | yes (rows scoped to courses) | only `student_learning_profile` + `assessment_performance` (own rows / enrolled courses) | yes |
| Report CSV/JSON download | yes | yes (scoped) | no | yes |
| Viewer APIs (profiles / grades) | scope rules | scope rules | self (and allowed peers for staff) | yes |
Students never get tenant-wide aggregates for restricted report types; the API filters rows server-side.
## Teaching staff and course_ids

Teacher JWTs include `course_ids` when the token issuer can infer them (e.g. editing-teacher style enrollments in D1). A separate migration is only needed if your deployment requires a different mapping.
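The following is an added example, not code from `sea-api` or this project: it shows the two decisions the table above describes, normalising the legacy `role` claim first, then gating `GET .../reports/:type/latest` by report type and filtering rows server-side. The row shape (`user_id`, `course_id`), the `sub` claim as the student's own id, and the `enrolledCourseIds` argument for students are assumptions; the function names echo the implementation pointers below but are illustrative, not the project's API.

```javascript
// Added example (not sea-api code): role normalisation and report-row scoping.

// Legacy → canonical mapping accepted during the transition period.
const LEGACY_ROLES = { manager: "admin", instructor: "teacher" };
const CANONICAL_ROLES = new Set(["superadmin", "admin", "teacher", "student"]);

// The only report types a student may request via GET .../reports/:type/latest.
const STUDENT_REPORT_TYPES = new Set([
  "student_learning_profile",
  "assessment_performance",
]);

// Normalise the JWT role claim; anything outside the canonical set is rejected
// rather than silently treated as a low-privilege role.
function normaliseRole(claim) {
  const raw = String(claim ?? "").trim().toLowerCase();
  const role = LEGACY_ROLES[raw] ?? raw;
  if (!CANONICAL_ROLES.has(role)) {
    throw new Error(`unknown role claim: ${String(claim)}`);
  }
  return role;
}

// Type-level gate: staff may fetch every report type, students only the two
// allowed types. Row-level scoping is a separate step (scopeReportRows).
function canAccessReportLatest(principal, reportType) {
  const role = normaliseRole(principal.role);
  if (role === "superadmin" || role === "admin" || role === "teacher") return true;
  return STUDENT_REPORT_TYPES.has(reportType);
}

// Server-side row filter. Rows are assumed to carry user_id and course_id.
// Teachers are scoped to the course_ids carried in their JWT; a teacher token
// without course_ids therefore sees no rows (fail closed, not fail open).
// Students see their own rows plus rows for courses they are enrolled in;
// enrolledCourseIds is assumed to come from the caller's enrollment lookup.
function scopeReportRows(principal, rows, enrolledCourseIds = []) {
  const role = normaliseRole(principal.role);
  if (role === "superadmin" || role === "admin") return rows;
  if (role === "teacher") {
    const courses = new Set(principal.course_ids ?? []);
    return rows.filter((r) => courses.has(r.course_id));
  }
  const enrolled = new Set(enrolledCourseIds);
  return rows.filter(
    (r) => r.user_id === principal.sub || enrolled.has(r.course_id),
  );
}

// Hypothetical handler combining both checks: 403 on a disallowed type,
// otherwise the filtered rows. `allRows` stands in for the report store.
function handleLatestReport(principal, reportType, allRows, enrolledCourseIds) {
  if (!canAccessReportLatest(principal, reportType)) {
    return { status: 403, rows: [] };
  }
  return { status: 200, rows: scopeReportRows(principal, allRows, enrolledCourseIds) };
}

// Constructed sample rows for a quick stand-alone run.
const SAMPLE_ROWS = [
  { user_id: "u-alice", course_id: "c-1", score: 88 },
  { user_id: "u-bob", course_id: "c-2", score: 71 },
  { user_id: "u-carol", course_id: "c-1", score: 93 },
];

console.log(handleLatestReport({ role: "instructor", course_ids: ["c-1"] },
  "assessment_performance", SAMPLE_ROWS));
console.log(handleLatestReport({ role: "student", sub: "u-bob" },
  "tenant_overview", SAMPLE_ROWS));
```

The legacy-value mapping and the student type allow-list are kept as data rather than scattered `if` chains, so removing `manager`/`instructor` at the end of the transition period is a one-line change and the type-level gate stays auditable against the summary table.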
## Implementation pointers

- `requireRole` / `scopeFilter` in `sea-api`.
- Report visibility: `canAccessReportLatest` plus row filtering in `report-jobs`.