Access is named-user and least-privilege: no shared accounts, every action attributed to a named user, and external surveyors restricted to the properties assigned to them. Each role lands on the area relevant to its job and is kept out of the rest.
The role matrix
| Role | Lands on | Can | Scope / cannot |
|---|---|---|---|
| System administrator | Admin | Manage users and roles; see the role matrix | Governs access; not a field capture role |
| Survey manager | Manage | Assign survey batches, pre-load packs, monitor sync | Cannot accept their own surveys through QA |
| Internal surveyor | Surveys | Capture assigned surveys, photos, issues offline | Sees only assigned properties |
| External supplier surveyor | Surveys | Capture assigned surveys offline | Restricted to an allow-list of assigned UPRNs only — never the wider portfolio |
| QA reviewer | QA | Accept / reject submitted surveys with comments | Read-only on capture; decisions are audited |
The principles behind it
- Named users, not shared logins — every capture, photo, QA decision and sync event is attributed.
- Least privilege — each role sees only the lanes its job requires; a deep link into another role's area is refused rather than rendered.
- Per-scope restriction — external surveyors are scoped to an explicit UPRN allow-list.
- Offline identity — sign-in works from a cached identity so field work continues with no signal.
- SSO/MFA-ready — built to wire into single sign-on, multi-factor auth and remote revocation for production.
Maker-checker by design
The QA reviewer role is the maker-checker gate: a survey updates the live record only after an independent reviewer accepts it, and nobody can accept a survey they submitted themselves. The same shape generalises to delegated-partner assurance.
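As an added illustration (not the product's own code), the Python below models the enforcement the role matrix and the principles describe: a deny-by-default area check that refuses wrong-role deep links, a UPRN allow-list scope check on capture, and a QA gate in which the live record is written only on acceptance and the submitter can never be the reviewer, with every event attributed to a named user. Role names, area names, the service methods and the UPRN values are assumptions made for the example.

```python
"""Added example of the role matrix and maker-checker gate described above.
Not the product's own code; role/area names, the service API and UPRNs are
assumptions for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    SYSTEM_ADMIN = "system_admin"
    SURVEY_MANAGER = "survey_manager"
    INTERNAL_SURVEYOR = "internal_surveyor"
    EXTERNAL_SURVEYOR = "external_surveyor"
    QA_REVIEWER = "qa_reviewer"


# Each role lands on exactly the areas its job needs; any other area is
# refused, which is what blocks a wrong-role deep link.
ROLE_AREAS = {
    Role.SYSTEM_ADMIN: {"admin"},
    Role.SURVEY_MANAGER: {"manage"},
    Role.INTERNAL_SURVEYOR: {"surveys"},
    Role.EXTERNAL_SURVEYOR: {"surveys"},
    Role.QA_REVIEWER: {"qa"},
}
CAPTURE_ROLES = {Role.INTERNAL_SURVEYOR, Role.EXTERNAL_SURVEYOR}


class Denied(PermissionError):
    """Raised on any access outside the caller's role or property scope."""


@dataclass(frozen=True)
class User:
    username: str                                  # named user; events are attributed to it
    roles: frozenset
    assigned_uprns: frozenset = frozenset()        # explicit allow-list, empty by default


@dataclass
class Survey:
    uprn: str
    status: str = "draft"                          # draft -> submitted -> accepted | rejected
    submitted_by: str = ""
    data: dict = field(default_factory=dict)


def can_open(user, area):
    """Deny by default: an area outside the user's roles is refused."""
    return any(area in ROLE_AREAS[r] for r in user.roles)


def check_capture_scope(user, uprn):
    """Capture needs a surveyor role and a UPRN on that user's allow-list."""
    if not user.roles & CAPTURE_ROLES:
        raise Denied(f"{user.username}: no capture role")
    if uprn not in user.assigned_uprns:
        raise Denied(f"{user.username}: UPRN {uprn} not on assigned allow-list")


class SurveyService:
    """Live records change only through an accepted QA decision (maker-checker)."""

    def __init__(self):
        self.live_records = {}
        self.audit = []                            # every decision, attributed by username

    def _log(self, actor, action, uprn, detail=""):
        self.audit.append({"actor": actor.username, "action": action, "uprn": uprn, "detail": detail})

    def submit(self, user, survey, payload):
        check_capture_scope(user, survey.uprn)
        survey.data = dict(payload)
        survey.submitted_by = user.username
        survey.status = "submitted"
        self._log(user, "submit", survey.uprn)
        return survey

    def review(self, reviewer, survey, accept, comment):
        if Role.QA_REVIEWER not in reviewer.roles:
            raise Denied(f"{reviewer.username}: not a QA reviewer")
        if survey.status != "submitted":
            raise Denied(f"survey {survey.uprn} is {survey.status}, not awaiting QA")
        # Separation of duties: the maker is never the checker, even when the
        # same named user also holds the QA role.
        if reviewer.username == survey.submitted_by:
            raise Denied(f"{reviewer.username}: cannot review own submission")
        if not comment.strip():
            raise ValueError("QA decisions must carry a comment")
        survey.status = "accepted" if accept else "rejected"
        if accept:
            self.live_records[survey.uprn] = dict(survey.data)   # the only write path
        self._log(reviewer, survey.status, survey.uprn, comment)
        return survey


def demo():
    """Walk one constructed survey through capture and QA; returns checkable values."""
    svc = SurveyService()
    ext = User("supplier-1", frozenset({Role.EXTERNAL_SURVEYOR}), frozenset({"100021"}))
    dual = User("dana", frozenset({Role.INTERNAL_SURVEYOR, Role.QA_REVIEWER}), frozenset({"100022"}))
    qa = User("quinn", frozenset({Role.QA_REVIEWER}))
    out = {"ext_opens_qa": can_open(ext, "qa")}
    try:
        check_capture_scope(ext, "100099")         # not on supplier-1's allow-list
        out["out_of_scope"] = "allowed"
    except Denied:
        out["out_of_scope"] = "denied"
    s = svc.submit(dual, Survey("100022"), {"condition": "B"})
    try:
        svc.review(dual, s, True, "looks fine")    # maker trying to check own work
        out["self_review"] = "allowed"
    except Denied:
        out["self_review"] = "denied"
    out["live_before"] = "100022" in svc.live_records
    svc.review(qa, s, True, "photos and condition grade consistent")
    out["live_after"] = svc.live_records.get("100022")
    out["audit_actors"] = [e["actor"] for e in svc.audit]
    return out
```

The two things worth copying are the shape of the checks, not the names: every check denies unless a positive rule matches, and the only code path that writes a live record sits behind the reviewer gate, so a surveyor or manager has no route to it even with a crafted request.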
Sources & further reading
- Data protection by design and default, Information Commissioner's Office (ICO)
- Access control guidance, National Cyber Security Centre (NCSC)