Roles & Permissions¶
Overview¶
Nigall uses a combination of account type, subscription plan, event host ownership, and module-specific approval roles to control access.
Purpose¶
Ensure organizers, participants, and third-party stakeholders see only the tools and data appropriate to their role—while allowing Nigall platform staff to administer approval queues.
Who should use it¶
- Organization admins defining who can access Tools
- Organizers delegating day-of operations
- Platform administrators configuring approval workflows
Benefits¶
- Least-privilege access by default
- Event-scoped management (host-only unless staff)
- Plan-based tool unlock without blocking free event creation
Role reference table¶
| Role | How assigned | Event management | Tools access |
|---|---|---|---|
| Guest (anonymous) | Not signed in | View public events; guest RSVP on free RSVP events | None |
| Participant / Attendee | Default user_type=participant |
RSVP/register; view tickets | Hub, Attendees, Program, Communications (plan-gated) |
| Organizer | user_type=organizer OR has hosted events |
Full host controls on own events | All tools per subscription plan |
| Event planner | user_type=event_planner OR has planner profile |
Full host controls; CRM at /planner/ |
All tools per plan; CRM requires Planner Pro |
| Client viewer | Added to Event.client_viewers |
Read-only on assigned events | None |
| Venue manager | user_type=venue_manager |
Venue directory & bookings | Hub + Venues |
| Exhibitor | user_type=exhibitor or exhibitor profile |
Own applications & booth | Hub + Exhibitors |
| Vendor | user_type=vendor |
Own stall applications | Hub + Vendors |
| Platform admin | is_staff=True |
All events (admin queues) | All tools, no plan gate |
| Super admin | is_superuser=True |
Django admin + all | Unrestricted |
Event-scoped permissions¶
| Action | Host | Client viewer | Staff | Guest | Other authenticated user |
|---|---|---|---|---|---|
| Edit event | ✅ | ❌ | ✅ | ❌ | ❌ |
| View event (read-only client panel) | ✅ | ✅ | ✅ | ❌ if not invited | Per visibility |
| View private event | ✅ | ✅ if viewer | ✅ | ❌ if not invited | ❌ |
| Manage survey questions | ✅ | ❌ | ✅ | ❌ | ❌ |
| RSVP / register | ✅ (as guest flow if not host view) | ❌ | ✅ | ✅ (if allowed) | ✅ |
| Guest list / check-in | ✅ | ❌ | ✅ | ❌ | ❌ |
| Module dashboards (exhibitors, etc.) | ✅ | ❌ | ✅ (admin approval) | Module-specific | Module-specific |
Note: When viewing an event as host, the registration sidebar shows Edit Event and module shortcuts—not the guest RSVP form. To preview guest experience, use incognito or a test account.
Module approval types¶
Each module supports approval_type:
| Value | Behavior |
|---|---|
auto |
Application approved immediately |
organizer |
Host reviews on event dashboard |
admin |
Nigall staff reviews at /exhibitors/admin/review/ (etc.) |
Subscription plan tool unlock¶
| Plan | Unlocked tools |
|---|---|
| Free / Essentials | Attendees, Program, Communications |
| Presenter Pro | + Speakers, Talent, Venues |
| Operations Suite | + Volunteers, Vendors, Sponsors |
| Planner Pro | + Event Planner CRM (includes Operations Suite tools) |
| Enterprise | + Exhibitors (contact sales) |
Function: users/subscription_plans.py — user_has_tool_access().
Validation rules¶
- Host-only views use
event.host == request.userorcan_manage_*service helpers - Private event API/detail requires authentication as host for mobile API
Best practices¶
- Use a dedicated test attendee account to validate RSVP and survey flows
- Assign Operations Suite to team members managing vendors/sponsors/volunteers
- Use admin approval only when compliance requires Nigall review
Common mistakes¶
- Assuming co-organizer access — only
event.hostis supported natively; use shared login or future org roles - Staff account for routine hosting — creates unnecessary access breadth
FAQs¶
Can exhibitors see attendee PII?
Only what you expose via exhibitor lead capture after opt-in scan.
Do volunteers need a paid plan?
Organizer needs Operations Suite; volunteers use free accounts to apply.
Related features¶
Administrator notes¶
Superusers access /admin/ for model-level overrides. Staff use module-specific admin review lists.
Developer/API notes¶
- Mobile JWT: user identity only; event host checks on detail endpoints for private events
- Talent API: account UUID scoping on
/api/v1/
Related: Platform Overview · Navigation