Document roles and permissions
What it is
Section titled “What it is”Documents in Syndik8 fall into two permission worlds:
- Syndicate-scoped documents (asset-level and syndicate-level). Visible to every member of the syndicate. Managed by admins.
- Pilot documents (medical and licence). Visible only to the pilot who uploaded them. Admins see a redacted summary; they never see the document itself.
This page is the single permissions reference for both worlds.
Who can use it
Section titled “Who can use it”This page describes what anyone in the system can do. Read it before assuming who can take an action.
Where to find it
Section titled “Where to find it”Permissions are enforced in two places: the app hides the buttons that don’t apply to the current member’s role, and the server refuses any operation the member’s role does not permit. Hiding the buttons is a convenience; the server-side guard is the rule.
Syndicate and asset documents
Section titled “Syndicate and asset documents”Documents attached to the syndicate or one of its assets.
| Action | Member | Admin |
|---|---|---|
| See the document in the library list | ✓ | ✓ |
| Open the document in the viewer | ✓ | ✓ |
| Share: open in the system browser to save, print, or email | ✓ | ✓ |
| Upload a new document | ✗ | ✓ |
| Replace the file backing an existing document | ✗ | ✓ |
| Edit the document’s title, type, or expiry | ✗ | ✓ |
| Delete the document | ✗ | ✓ |
| Toggle “cache this asset’s docs offline” (multi-asset syndicates only) | ✓ | ✓ |
Members never see the upload / replace / edit / delete affordances on syndicate-scoped documents. The per-asset offline toggle is a member-level preference and every member sets their own.
Pilot documents
Section titled “Pilot documents”Documents attached to a pilot: the medical certificate and the pilot licence.
| Action | The pilot themselves | Any other member | Admin of a syndicate the pilot is in |
|---|---|---|---|
| See the document in My documents | ✓ | ✗ | ✗ |
| Open the document in the viewer | ✓ | ✗ | ✗ |
| See the file at all | ✓ | ✗ | ✗ |
| Upload, replace, or delete | ✓ | ✗ | ✗ |
| See the redacted attention chip on the Members tab | n/a | ✗ | ✓ |
| See the pilot’s expiry date for the medical | n/a | ✗ | ✓ |
The attention chip is the only thing an admin ever sees about a pilot’s documents. It shows, per active member of the syndicate, whether a medical and a licence are on file, and for the medical it shows the expiry date. Admins never see the file, the title, the medical class, or any clinical information. See Admin pilot-doc attention view for the exact fields.
Behaviour rules
Section titled “Behaviour rules”- Server-side enforcement. Every action above is enforced on the server, not just in the app. The server applies the same rules to every request, regardless of where it comes from; there is no technical bypass through another route.
- No per-document ACL. Within the syndicate, every document is visible to every member of that syndicate. Documents you want only some members to see should live on My documents (which is owner-scoped) or off-platform.
- The pilot-document gate is server-side. A medical upload is refused by the server if the pilot has not first recorded their explicit consent at the current consent version. The app shows the consent screen; the server backs it up. See Medical consent.
- Deletion clears the file, the row, and the offline cache. When an admin deletes a syndicate-scoped document, the row, the storage object, and every device’s cached copy of the file all disappear (the cache cleans up the next time the device syncs). Pilot deletions behave the same for the owner’s own device and additionally clear the consent record if a medical was deleted.
- Members manage themselves. A member can leave the syndicate; admins do not need to remove pilot documents on behalf of an ex-member. Pilot documents follow the pilot’s account, not the syndicate.
Why admins don’t see the medical itself: Why medicals need explicit consent and Who sees what pilot documents.