Roles and access
Veridian Motion uses role-based access control (RBAC) backed by Supabase Auth and Row-Level Security (RLS) on every table. Staff roles are granted only by an admin — there is no self-service role elevation.Staff roles
| Role | ID | Typical access |
|---|---|---|
| Physical Therapist | pt | Assigned assessments, review, notes, plan release, messaging |
| Administrator | admin | Enrollment, assignment, role grant/revoke, MFA reset, full roster |
| Officer | officer | Operational access as configured (scoped by policy) |
| Warden | warden | Facility-level visibility as configured |
| IT Admin | it_admin | Security settings, compliance views, technical administration |
Inmate access is separate: inmates authenticate with inmate number +
PIN, not staff roles. Inmates see only their own submissions and
reviewed/shared content.
Staff authentication
All staff accounts require:- Email + password (minimum password rules enforced by Supabase Auth)
- TOTP MFA — authenticator app; six-digit code at
/mfaafter password
Role provisioning
Admins manage roles at/staff (Staff & Roles):
- Grant — assign a role to a staff email account
- Revoke — remove a role; access ends on next session
- View current role assignments and MFA status
Break-glass MFA reset
If a staff member loses their authenticator device, an admin may reset MFA for that account. After reset, the user must enroll MFA again at next sign-in. MFA resets are audit-logged.Inmate credentials
| Action | Who | Result |
|---|---|---|
| Enroll patient | Admin (or authorized role) | Inmate number + initial PIN returned to staff |
| Reset inmate PIN | Authorized staff from patient record | New PIN shown once for handoff to inmate |
| Sign in | Inmate at kiosk | Access to own submissions only |
What the app enforces vs. agency provides
| Control | Enforced by Veridian Motion | Provided by agency |
|---|---|---|
| Role-based UI and API access | Yes | — |
| RLS on database tables | Yes | — |
| Staff MFA | Yes | — |
| Audit log of sensitive actions | Yes | — |
| CJIS / FedRAMP hosting environment | — | Yes |
| MDM device lockdown | — | Yes |
| Personnel screening / background checks | — | Yes |
| Physical kiosk supervision | — | Yes |
What’s next
Role permissions
Full permission matrix by role.
Provider dashboard
Day-to-day clinical workflow.
Security overview
Compliance posture and honest framing.
