> ## Documentation Index
> Fetch the complete documentation index at: https://docs.veridianhp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Role permissions

> What each staff role can and cannot do in Veridian Motion.

# Role permissions

Veridian Motion uses five staff roles plus separate **inmate** access. This
page lists concrete permissions as built today. Officers and wardens receive
**least-privilege** defaults; your agency may restrict further.

<Note>
  All staff roles require **email + password + TOTP MFA**. Roles are granted
  only by an **admin** at `/staff`.
</Note>

## Permission matrix

| Action                           | pt                | admin  | officer | warden | it\_admin |
| -------------------------------- | ----------------- | ------ | ------- | ------ | --------- |
| Sign in to dashboard             | Yes               | Yes    | Yes     | Yes    | Yes       |
| View patient roster              | Assigned + policy | Yes    | Scoped  | Scoped | No        |
| Enroll patient                   | No                | Yes    | No      | No     | No        |
| Reset inmate PIN                 | No                | Yes    | No      | No     | No        |
| View unassigned queue            | No                | Yes    | No      | Scoped | No        |
| Assign case to PT                | No                | Yes    | No      | No     | No        |
| Review assessment (clinical)     | Yes (assigned)    | No     | No      | No     | No        |
| View AI findings / red flags     | Yes (assigned)    | Yes    | No      | No     | No        |
| Edit and release exercise plan   | Yes (assigned)    | No     | No      | No     | No        |
| Mark reviewed / needs\_followup  | Yes (assigned)    | No     | No      | No     | No        |
| AI note summarization            | Yes               | No     | No      | No     | No        |
| Export assessment PDF            | Yes               | Yes    | No      | No     | No        |
| Email PDF to allowlist           | Yes               | Yes    | No      | No     | No        |
| Secure messaging (clinical)      | Yes (assigned)    | Policy | No      | No     | No        |
| Grant / revoke staff roles       | No                | Yes    | No      | No     | No        |
| Break-glass MFA reset            | No                | Yes    | No      | No     | Yes       |
| Audit log (`/audit`)             | No                | Yes    | No      | Scoped | Yes       |
| Compliance views (`/compliance`) | No                | Yes    | No      | Scoped | Yes       |
| Security settings (`/security`)  | No                | No     | No      | No     | Yes       |

**Scoped** = read-only or summary visibility per agency configuration — not
full clinical notes or AI output unless explicitly granted.

## Role summaries

### Physical Therapist (`pt`)

Primary **clinical user**. Reviews **assigned** assessments only: red flags,
photos, AI triage support, draft plans. Edits bodyweight exercise plans,
writes notes, marks **reviewed** or **needs\_followup**, messages assigned
patients, exports PDFs. Cannot enroll inmates or grant roles.

### Administrator (`admin`)

**Operational owner.** Enrolls patients, assigns cases from the unassigned
queue, resets inmate PINs, grants/revokes roles, performs MFA reset, views
roster and audit logs. Does **not** replace PT clinical sign-off on plan
release unless also holding a `pt` role.

### Officer (`officer`)

**Custody operations.** Typically no clinical review, enrollment, or messaging.
May have roster visibility for operational coordination depending on deployment.
Escorts inmates to kiosk; does not review AI output.

### Warden (`warden`)

**Facility oversight.** May have summary visibility into queue volume, status
distribution, or compliance reports — not full clinical detail by default.
Does not perform PT review or enrollment unless also granted `admin` or `pt`.

### IT Admin (`it_admin`)

**Technical administration.** Security settings, compliance tooling, MFA
break-glass with admin. Does not perform clinical review or inmate enrollment
by default.

## Inmate (not a staff role)

| Action                                      | Allowed |
| ------------------------------------------- | ------- |
| Sign in with number + PIN                   | Yes     |
| Complete kiosk intake                       | Yes     |
| View own submission status                  | Yes     |
| View approved plan after **reviewed**       | Yes     |
| View PT notes marked **shared with inmate** | Yes     |
| Reply in secure messaging threads           | Yes     |
| View AI findings before PT review           | **No**  |
| Self sign-up or change PIN                  | **No**  |
| Access other inmates' data                  | **No**  |

## Enforcement

Permissions are enforced at two layers:

1. **Application UI and API** — role checks on staff actions
2. **Postgres Row-Level Security** — inmates and staff queries scoped at the
   database; cross-inmate access denied even if UI is bypassed

Role changes and MFA resets are **audit-logged**.

## What's next

<CardGroup cols={2}>
  <Card title="Roles and access" icon="key" href="/veridian-motion/roles-and-access">
    MFA, provisioning, break-glass reset.
  </Card>

  <Card title="Getting started" icon="rocket" href="/veridian-motion/getting-started">
    Rollout checklist for admins.
  </Card>

  <Card title="For evaluators" icon="clipboard-check" href="/veridian-motion/for-evaluators">
    One-page guide for decision-makers.
  </Card>
</CardGroup>
