Security & Privacy
Updated April 1, 2025
Access controls and permissions
How SRA enforces role-based access so users can only see and do what their role permits.
SRA uses role-based access control (RBAC) enforced at the API level, not just in the UI. Even if a user navigates directly to a restricted URL, the server will reject the request.
Key access boundaries
- Teachers cannot access other teachers' mark entries
- Teachers cannot access student records, reports, or analytics
- Academic Officers cannot manage user accounts
- School Admins cannot access other schools' data
Access control is enforced on every API request, not just on page load. Bypassing the UI does not bypass permissions.
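
A deny-by-default server-side check covering the four boundaries listed above, as an added example rather than SRA's own code. The role names, resource kinds, grant table, and reason strings are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed grant table (not SRA's real policy): role -> resource kinds it may touch.
# Anything not listed is denied, so a new role or resource starts with no access.
GRANTS = {
    "teacher": {"mark_entry"},
    "academic_officer": {"mark_entry", "student_record", "report", "analytics"},
    "school_admin": {"mark_entry", "student_record", "report", "analytics",
                     "user_account"},
}

@dataclass(frozen=True)
class User:
    id: str
    role: str
    school_id: str

@dataclass(frozen=True)
class Resource:
    kind: str
    school_id: str
    owner_id: Optional[str] = None  # set for per-teacher objects such as mark entries

def authorize(user: User, resource: Resource) -> Tuple[bool, str]:
    """Run on every API request, using the server-side session, never client input."""
    # 1. Role check: is this resource kind granted to the role at all?
    if resource.kind not in GRANTS.get(user.role, set()):
        return False, "role_not_permitted"
    # 2. Tenant check: no role may reach into another school's data.
    if resource.school_id != user.school_id:
        return False, "cross_school"
    # 3. Ownership check: teachers only see mark entries they own.
    if user.role == "teacher" and resource.owner_id != user.id:
        return False, "not_owner"
    return True, "ok"

def handle_request(user: User, resource: Resource) -> Tuple[int, str]:
    """Hypothetical API handler: the check runs before any data is loaded."""
    allowed, reason = authorize(user, resource)
    return (200, "ok") if allowed else (403, reason)

# Constructed sample data for the boundaries described on this page.
t1 = User("t1", "teacher", "school-a")
own_marks = Resource("mark_entry", "school-a", owner_id="t1")
other_marks = Resource("mark_entry", "school-a", owner_id="t2")
```

The three checks are ordered from coarsest to finest, so the returned reason identifies which boundary a rejected request hit and can be logged for review.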

