Roles & Permissions

Catch-e uses a role-based access model to control what users can see and do within the system. Access is not defined purely by screens, but by a combination of role assignments, permission rules, and data-level restrictions tied to client, driver, or group relationships.

The system operates across three layers: the user environment, the hosting infrastructure, and the Catch-e application itself. Together, these ensure secure access, controlled data visibility, and consistent system behaviour.

User environment

Users access Catch-e through a web browser on a PC or laptop, supported by an internet connection and basic communication tools such as email and telephone.

Because Catch-e is delivered as a web application, the browser is the primary interface. No local installation is required.

Hosting environment

The system is hosted in a secure clustered environment running Linux, with a MySQL database and PHP application layer.

This environment is protected by firewalls and supported by backup and restore processes, with ongoing monitoring, technical support, and infrastructure maintenance provided by the hosting provider.

Catch-e application layer

Catch-e itself operates as the application layer sitting on top of the hosted infrastructure.

It is delivered via secure internet connections and maintained through a combination of development, support services, documentation, and system administration tools.

User access model

Access is controlled through roles and permissions assigned at both functional and data levels.

While predefined roles exist, these can be tailored per database depending on organisational requirements. Roles determine what a user can access, but also what actions they can perform within those areas (view, edit, post, create, delete).

User types overview

The table below summarises the main user types and their typical access patterns.

User Type	Description	Typical Access
Super	Full system administrator	Unrestricted access across all modules and configuration areas
Admin	User administration role	Can manage users and system access settings
User	Standard internal user	Operational access; limited finance/lease visibility depending on contract type; no export access
Accounts	Finance operational user	Access to finance, lease screens, card services, and fleet/import data
Finance	Extended finance role	Includes Accounts access plus client defaults, financier setup, and configuration screens
Manager	Internal management role	Broader operational visibility including fleet and import functions
State Manager	Regional oversight role	Can manage and edit events; restricted from finance and lease screens
Procurement	Purchasing and setup role	Access to quoting, reference data, and fleet administration functions
Warehouse	Maintenance-only user	Restricted to maintenance viewing and related functions
Disposals	Vehicle disposal role	Same as User plus access to sale management (some financial fields read-only)
Demo	Test/training role	Used for demonstration and training environments
Fleet Manager (External)	Client-based fleet oversight	Read-only access restricted to assigned client
Group Manager	Multi-client external manager	Access restricted to assigned client group
Driver	External novated driver	Access limited to own driver record and related data
Introducer	Sales/partner role	Can create quotes, manage clients, suppliers, drivers, and selected fleet modules
Quotes Consultant	Full quoting and contract workflow role	Access to quoting, contracts, drivers, clients, suppliers, and order management
Package Employee	Salary packaging end user	Access to own salary packaging data and reports
Package Employer	Employer view role	Access to employees within their organisation only
Package Advisor	Advisor role	Access limited to linked employees; receives notifications for login-enabled employees

Permission model (future direction)

The system is evolving toward a more granular permission structure where each role can be assigned specific actions per screen, such as:

no access
view only
edit and post existing records
full access including create, edit, post, and delete (where applicable)

This allows more precise control over user behaviour without increasing role complexity.

Access restrictions and controls

In addition to role permissions, some restrictions are enforced at the data and workflow level.

For example, financial fields may become read-only once dependent processes (such as payment schedules) are active. Similarly, access to records may be limited based on client, driver, or group relationships defined within the system.

These controls ensure data integrity and prevent conflicting updates.

Contingency and alternate operation modes

If system availability is disrupted, responsibility for restoration initially sits with the hosting provider, who manages recovery of infrastructure and database services.

If required, Catch-e may deploy alternative hosting or internal recovery options.

If a user loses internet connectivity, alternative access methods such as secondary connections or alternate locations should be used where available.