
Permissions

Lumieos implements a role-based access control (RBAC) approach to security and permissions. All permissions are dependent on the roles and assignments given to a user. This page describes the full permissions model across the platform.


1. Region/Partner Permissions

Lumieos maintains role-based access control with permission levels set per user by region staff. Each user is assigned one of the following roles.

| Role Name | Permissions |
|---|---|
| Primary Administrator | Primary representative with all permissions. Can assign new users. |
| Administrator | Additional representative with all permissions. Cannot alter primary administrators. |
| Partner Representative | Requires manual assignment of permissions (see breakdown below). |

Permission Breakdown

Permissions are inherited — a user with “Manage” permission also has “View” and “Contact” for the same area.

Warning: The PII option is separate from general access permissions. Enabling PII allows the user to see personally identifiable information from Lumieos. Without it, only first name and last initial are shown.

| Name | Options | PII Restriction? |
|---|---|---|
| Teams | No Permissions / Can View / Can Contact / Can Manage (team status, Tableau reports, etc.) | Yes |
| Volunteers | No Permissions / Can View / Can Contact / Can Manage (volunteer status, screening, etc.) | Yes |
| Events | No Permissions / Can View / Can Contact / Can Manage (events, edit details, full event host and event day access) | N/A |

Note: Users with “View” permissions can separately be given host management permissions on a per-event basis.


2. Event Host Permissions

Permissions are inherited. Each user is assigned per event, so permissions can change between events.

| Name | Options |
|---|---|
| View Teams | Checkbox: view team list and simple roster info (first name, last initial; PII safe) |
| Volunteers | No Permissions / Can View / Can Contact / Can Manage |
| Communications | No Permissions / Can View / Can Contact / Can Manage (broadcasts, chat rooms). Checkbox: Attachments (allow uploads) |

Event Day Access for Hosts

Event hosts are not automatically granted event day access. Access must be manually granted per event, and Event Day must be enabled with specific interfaces activated.

Inherited Permissions

  • Region/Partner staff with “Manage” Event permission automatically gain all event host and event day permissions (if event day is enabled).
  • Users with other permission levels can be granted additional permissions per event.
  • Permissions are additive — granting lower permissions at the event host level has no impact if the region/partner level is higher.
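
The inheritance and additive rules above, modelled as an added illustration (this is not Lumieos code). The `Level`, `RegionGrant` and `HostGrant` names are hypothetical, and the example assumes the region-level Teams and Volunteers grants map onto the host-level View Teams and Volunteers areas.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Ordered so a higher level implies every lower one (Manage > Contact > View).
    NONE = 0
    VIEW = 1
    CONTACT = 2
    MANAGE = 3


@dataclass
class RegionGrant:            # hypothetical record of region/partner permissions
    teams: Level = Level.NONE
    volunteers: Level = Level.NONE
    events: Level = Level.NONE
    pii: bool = False         # kept separate from the access levels above


@dataclass
class HostGrant:              # hypothetical record of one per-event host assignment
    view_teams: bool = False
    volunteers: Level = Level.NONE
    communications: Level = Level.NONE


def effective_host_access(region: RegionGrant, host: HostGrant) -> HostGrant:
    """Combine both levels for one event; a grant can only add access."""
    if region.events >= Level.MANAGE:
        # "Manage" Event at region level implies every event host permission.
        return HostGrant(True, Level.MANAGE, Level.MANAGE)
    return HostGrant(
        # Assumed mapping: region Teams/Volunteers cover the same host areas.
        view_teams=host.view_teams or region.teams >= Level.VIEW,
        volunteers=max(region.volunteers, host.volunteers),
        communications=host.communications,  # no region-level counterpart
    )


def can(held: Level, required: Level) -> bool:
    """Inherited check: holding Manage satisfies Contact and View as well."""
    return held >= required


def display_name(first: str, last: str, region: RegionGrant) -> str:
    """Without the PII option, show first name and last initial only."""
    return f"{first} {last}" if region.pii else f"{first} {last[:1]}."
```

A lower host-level grant never reduces access: `max()` keeps the region level when it is higher, which is the "no impact" case in the last bullet.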

3. Event Day Permissions

Event Day must first be enabled per event, and the appropriate interfaces must be turned on.

Important: Granting permission to an interface on an event where that interface is not enabled will have no effect.

Interfaces

Each interface is toggled independently via checkboxes:

  • Pit Admin — Team check-in, volunteer check-in, practice tables
  • Score Display — Faster score updates than the public website
  • Queuing — Team check-in for scheduled activities
  • Referee — Pick a table and submit match scores
  • Head Referee — All Referee abilities plus edit past scores, publish/unpublish, mark replays, and HR notes
  • Score Entry — Scorekeeper interface with match timer, scoresheets, and edit past scores
  • Game Announcer — Follows upcoming matches with team demographics and profiles
  • Judge — Enter rubrics and scripts once enabled by Judge Advisor
  • Judge Advisor — Judging plus judge advisor interface (awards, scripts, advancement, GP notes)

Permission Sources

  • Partner/Region Staff with “Manage” Event: Full access to all enabled interfaces.
  • Event Hosts: Can be granted any interface as part of their assignment.
  • Volunteers: If using Lumieos for volunteer management, each role can be configured with Event Day access.

Access Timeframe

  • Users (except Region/Partner staff with “Manage”) can only access Event Day the day before and the day of an event.
  • Region/Partner staff with “Manage” can access Event Day at any point until the end of the season.

Ephemeral/Tokenized Logins

Users can create tokenized logins for temporary access to event day interfaces. Each token is assigned individual permissions and is limited by number of uses, and its sessions are revocable. Tokens are only active during normal access times.

  • Partner/Region Staff with “Manage” can create tokens for any interface.
  • Event Hosts can only create tokens for permissions they currently hold.
  • Volunteers can only create tokens for permissions granted via roles that have “Create Ephemeral Logins” enabled.
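
The Event Day rules in this section (interface enablement, access timeframe and token limits), expressed as an added example that is not Lumieos code. The `Event` and `Token` records and all function names are hypothetical; the example covers token creation by staff and hosts only, treats "normal access times" as the day before and the day of the event, and models revocation as a flag on the token.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Event:                      # hypothetical event record
    day: date
    season_end: date
    enabled: frozenset            # interfaces switched on; empty if Event Day is off


@dataclass
class Token:                      # hypothetical ephemeral login
    interfaces: frozenset
    uses_left: int
    revoked: bool = False


def in_normal_window(ev: Event, today: date) -> bool:
    # Non-staff users: the day before and the day of the event only.
    return ev.day - timedelta(days=1) <= today <= ev.day


def can_access(ev, interface, granted, manage_staff, today) -> bool:
    if interface not in ev.enabled:
        return False              # a grant on a disabled interface has no effect
    if manage_staff:              # "Manage" Event: all enabled interfaces, until season end
        return today <= ev.season_end
    return interface in granted and in_normal_window(ev, today)


def create_token(interfaces, uses, granted, manage_staff) -> Token:
    # Hosts may only delegate interfaces they currently hold; staff may pick any.
    if not manage_staff and not set(interfaces) <= set(granted):
        raise PermissionError("cannot delegate an interface you do not hold")
    return Token(frozenset(interfaces), uses)


def redeem(tok: Token, ev: Event, interface: str, today: date) -> bool:
    ok = (not tok.revoked and tok.uses_left > 0
          and interface in tok.interfaces
          and interface in ev.enabled
          and in_normal_window(ev, today))  # assumed meaning of "normal access times"
    if ok:
        tok.uses_left -= 1        # each successful login consumes one use
    return ok
```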

4. Volunteer Permissions

To be determined.


5. Team Permissions

Team access is all-or-nothing in the current version. If a user is granted access by any method, they receive full team access.

Permission Sources

  • Partner/Region Staff with “Manage” Team: Can impersonate teams via the Team List.
  • Team Contacts: Invited via automated Tableau invites. Removal requires manual action.
  • For regions using the Invited Coaches feature, invited coaches receive the same access as Tableau coaches.

Note: Lumieos ties the roster list to permissions — if a user is on the roster, they have access.

Warning: By design, Lumieos does not automatically remove coaches who are no longer listed on Tableau reports. Manual removal is required.
