# Security Clearances and Access This reference article explains how Geotab security clearances control what each user sees and can do inside the FleetFusion Geotab Add-In. It is aimed at administrators who manage user permissions and at technical readers who want to understand the gating model. ## Overview The add-in does not have its own permissions system. Instead, it reads each user's **Security Clearance** from MyGeotab and uses that to decide which modules to show and which actions to allow. Permissions are always set in the MyGeotab admin UI under **Administration → Users → Security Clearances**; the add-in mirrors them automatically. There are two inputs to every access decision: 1. The user's **Geotab Security Clearance** (e.g. Administrator, Default User, Drive App User, or a tenant-defined custom clearance). 2. The user's **Driver flag** in Geotab (`IsDriver=true` for users assigned the Driver role). The add-in evaluates a small set of rules against these two inputs to grant or deny access to each module. ## How a decision is made When a user opens an add-in page, the gating logic checks the following in order. The first matching rule wins. ### Rule 1: Administrator override If the user's clearance includes the `Everything` security identifier (the rule that grants Administrator clearance), they pass every check. Administrators always see all modules and can perform every action. ### Rule 2: Driver or non-driver sentinel Some modules grant access based on whether the user is a driver: * A module marked **driver-readable** lets through any user with the Geotab Driver flag set. * A module marked **non-driver-readable** lets through any non-driver user with a known clearance. This is how the add-in lets drivers submit walk-around checks and fuel logs without giving them backend administrator permissions. ### Rule 3: Specific identifier match Modules that gate by specific actions check for individual security identifiers (such as `MaintenanceWorkOrderEdit` or `AdministerUser`). If the user's clearance includes the required identifier, access is granted. ### Rule 4: Unknown clearance safety net If the user has not yet been observed by the background sync (for example, a newly added MyGeotab user appearing before the next sync cycle), the add-in falls back to a small set of safe defaults so drivers can keep working. Most modules deny access during this window. The window typically lasts under 30 seconds. ## Built-in clearances at a glance MyGeotab ships with seven built-in security clearances. The table below summarises how each one experiences the add-in. | Geotab Clearance | What they see in the add-in | | ------------------ | ---------------------------------------------------------------------------------------------- | | **Administrator** | Full access. All modules read and write, including Settings and Workshop Settings. | | **Supervisor** | All operational modules read and write. Cannot edit Settings or Workshop Settings. | | **Default User** | All operational modules read. Limited write. No settings access. | | **View Only** | Read-only access to operational modules. No writes anywhere. | | **Drive App User** | Driver mode. Can read driver-relevant pages and submit walk-arounds, fuel logs, and incidents. | | **View Map Only** | Map visibility only. Most modules show an Access Denied message. | | **Nothing** | Almost no access. Used as a base for restricted custom clearances. | > **Note:** Custom clearances defined in your MyGeotab tenant work the same way. The add-in reads their `securityFilters` list from MyGeotab and applies the rules above. ## Module-by-module reference The next table lists every add-in module, the page it loads, and the access requirements. Rows are grouped to make the pattern easier to read. ### Driver-readable modules These modules let both drivers and non-drivers read. Drivers can also write to a small subset (defects, fuel logs, incidents). | Module | Page | Read requires | Write requires | | ------------------ | ------------------ | -------------------- | ----------------------------------------------- | | Dashboard | `dashboard.html` | Driver or Non-driver | Administrator only | | Vehicles | `vehicles.html` | Driver or Non-driver | `AdministerDevice` or `AdministerAsset` | | Maintenance | `maintenance.html` | Driver or Non-driver | `MaintenanceRequestEdit` | | Walk-around Checks | `defects.html` | Driver or Non-driver | Driver, `DvirLogPerform`, or `DvirLogAdmin` | | Media | `media.html` | Driver or Non-driver | `AdministerMediaFiles` or `DeleteRecordedVideo` | | Fuel Logs | `fuellogs.html` | Driver or Non-driver | Driver or `AdministerFuelTransactions` | | Incidents | `incidents.html` | Driver or Non-driver | Driver or `AdministerExceptionEventReview` | ### Non-driver-only modules These modules are hidden from drivers. Non-driver users can read; specific identifiers gate write. | Module | Page | Read requires | Write requires | | ------------------ | ------------------ | -------------------------------------- | -------------------------------------------------------------- | | Drivers | `drivers.html` | Non-driver, `ViewUser`, or `ListUsers` | `AdministerUser` | | Documents | `documents.html` | Non-driver | `AdministerBinaryDataFiles` | | Tolls | `tolls.html` | Non-driver | Non-driver | | PCN Fines | `pncfines.html` | Non-driver | Non-driver | | Fees | `fees.html` | Non-driver | Non-driver | | Coaching | `coaching.html` | Non-driver | Administrator only | | Work Queue | `workqueue.html` | Non-driver | Non-driver | | Workshop (cluster) | `workshop.html` | Non-driver | `MaintenanceWorkOrderEdit` or `MaintenanceWorkOrderFullAccess` | | Workshop Dashboard | inside Workshop | Non-driver | as Workshop | | Workshop Diary | inside Workshop | Non-driver | as Workshop | | Workshop Bookings | inside Workshop | Non-driver | as Workshop | | Workshop Job Cards | inside Workshop | Non-driver | as Workshop | | Tyres | inside Maintenance | Non-driver | `MaintenanceRequestEdit` or `MaintenanceWorkOrderEdit` | ### Administrator-only modules These modules are restricted to users with the Administrator clearance. | Module | Page | Read requires | Write requires | | ----------------- | ----------------------- | ------------------ | ------------------ | | Settings | `settings.html` | Administrator only | Administrator only | | Workshop Settings | `workshopsettings.html` | Administrator only | Administrator only | ## What drivers can actually do After all rules resolve, drivers can write to exactly three modules: 1. **Walk-around Checks (DVIR)** — submit a daily check against any vehicle they have access to. 2. **Fuel Logs** — log fuel or EV charging transactions. 3. **Incidents** — report incidents from the road. Drivers can read other driver-readable pages (Dashboard, Vehicles, Maintenance, Media) but cannot edit them. ## What happens during the unknown clearance window When a new MyGeotab user signs in for the first time, the FleetFusion background sync may not yet have observed them. During this short window the add-in falls back to safe defaults so drivers can keep working without waiting for the next sync. | Module | Read during unknown window | Write during unknown window | | ---------------------------------------- | -------------------------- | ----------------------------- | | Dashboard, Vehicles, Maintenance, Media | Allowed | Denied | | Walk-around Checks, Fuel Logs, Incidents | Allowed | Allowed (drivers must submit) | | All other modules | Denied | Denied | The window typically closes within 30 seconds of first sign-in, when the next sync cycle records the user's clearance. ## Managing clearances Clearances are managed in MyGeotab, not in the add-in. To change what a user sees: 1. Sign in to MyGeotab as an administrator. 2. Open **Administration → Users**. 3. Edit the user, change their **Security Clearance**, and save. 4. Ask the user to close and reopen the add-in. The new clearance applies on the next sign-in. Changes propagate to the add-in on the next background sync cycle (within 30 seconds). For most users the change is visible immediately when they reopen the add-in. ## Troubleshooting access errors If a user reports unexpected Access Denied messages, work through the following. 1. **Confirm the user's clearance in MyGeotab.** Open the user record in MyGeotab and verify the Security Clearance is what you expect. 2. **Ask the user to refresh the add-in.** A page reload re-fetches the latest clearance. 3. **Check the user's Driver flag.** If a user is unexpectedly seeing driver-only behaviour (or being blocked from non-driver pages), the Geotab Driver flag is the cause. 4. **Verify the sync is running.** If clearances have not synced recently, the user may be in the unknown clearance window. Wait 30 seconds and refresh. 5. **For custom clearances, review the `securityFilters` list in MyGeotab.** The add-in grants access strictly on the identifiers MyGeotab returns. If problems persist, contact with the affected user's email, the module that denied access, and the time of the attempt. ## Related articles * [How Authentication Works](/geotab-add-in/reference/how-authentication-works.md) * [Differences from the FleetFusion Web Portal](/geotab-add-in/reference/differences-from-web-portal.md) * [Signing In](/geotab-add-in/getting-started/signing-in.md) * [Installing the Add-In](/geotab-add-in/getting-started/installing-the-addin.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.fleetfusion.ai/geotab-add-in/reference/security-clearances-and-access.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.