User Roles & Access Control

TalentG implements a multi-tier role-based access control (RBAC) framework covering learners, mentors, operations teams, and administrators. This guide outlines the available roles, dashboard access, and enforcement patterns across the platform.

Role Architecture

Core Role System

TalentG supports 12 roles organised in an ascending permission model:

Role	Permission Level	Primary Focus	Default Landing
Free User	1	Platform discovery, baseline assessments	`/dashboard`
Paid User	2	Full AI toolkit, advanced analytics	`/dashboard`
Course Learner	3	Coursework, submissions, progression	`/learner-dashboard`
University Student	3	Academic resources, attendance	`/dashboard`
Intern	4	Internship execution, daily updates	`/intern-dashboard/assignments`
Telecaller	varies	Lead generation, call logging, follow-ups	`/telecaller/dashboard`
Senior Telecaller	varies	Telecaller coaching, escalations, analytics	`/telecaller/dashboard`
Course Mentor	5	Teaching cohorts, grading, scheduling	`/mentor-dashboard`
Internship Mentor	6	Intern oversight, evaluations, reporting	`/internship-mentor/assignments`
Trainer	7	Program design, content authoring	`/dashboard` (trainer menu)
Admin	8	Governance, billing, configuration	`/admin`
TalentGro Team	9	Internal operations, super-admin tasks	`/admin` (extended scope)

Role-Based Dashboards

Dashboard Routing Architecture

Each role activates targeted dashboards and navigation patterns:

1. General Dashboard (`/dashboard`)

Accessible to: All authenticated users

Free & Paid Users: Overview, announcements, notifications, profile management.
Trainers & Internal Roles: Additional quick links, billing insights, and content shortcuts.

2. Assessment Hub (`/assessments/strength-finder`)

Accessible to: All authenticated users

AI-Powered Assessment: 180-question flow with validation safeguards.
Progress Tracking: Live scoring and completion guardrails.
Results Dashboard: PDF exports, recommended actions, sharing controls.

3. Learner Dashboard (`/learner-dashboard`)

Accessible to: Course Learners, Paid Users enrolled in premium courses

Course Progress: Enrollment status, module completion, certification badges.
Assignments: Submission lifecycle, mentor feedback, AI summaries.
Calendar: Schedule of live sessions, deadlines, and office hours.
Insights: Skill radar, upcoming milestones, recommended next steps.

4. Intern Dashboard (`/intern-dashboard`)

Accessible to: Interns

Daily Briefing: Assigned tasks, due dates, and mentor comments.
Announcements: Program-wide updates and internship notices.
Performance Analytics: Scorecards, attendance, and mentor evaluations.

5. Mentor Dashboard (`/mentor-dashboard`)

Accessible to: Course Mentors, Trainers with teaching privileges

Cohort Management: Enrollment curation, scheduling, content sequencing.
Assessment Review: Grading queues, rubric enforcement, AI suggestions.
Learner Profiles: Drill-down views with history and communication trails.
Analytics: Engagement ratios, completion rates, and risk alerts.

6. Internship Mentor Dashboard (`/internship-mentor`)

Accessible to: Internship Mentors

Intern Rosters: Status tracking across assignments and milestones.
Task Assignment: Daily task broadcasting with acknowledgement tracking.
Performance Views: Individual scorecards and comparative analytics.
Reporting: Export-ready summaries for program heads.

7. Admin Console (`/admin/*`)

Accessible to: Admins and TalentGro Team

User Lifecycle: Invitations, role assignment, and compliance reviews.
System Configuration: Feature toggles, environment controls, observability.
Financial Operations: Billing, coupons, invoices, and payment reconciliation.
Content Governance: Announcements, resource libraries, legal policy updates.

8. Student Portal (`/student-layout/*`)

Accessible to: University Students

Attendance: Automated check-ins with exportable records.
Resources: Access to syllabi, lecture recordings, and announcements.
Assignments: Submission pipelines mapped to academic schedules.
Feedback: Instructor comments, rubric outcomes, and escalation paths.

Permission Matrix

Feature Access by Role

Capability	Free User	Paid User	Course Learner	Intern	Telecaller	Mentors	Admin / TalentGro	University Student
Strength Finder	✅	✅	✅	✅	✅	✅	✅	✅
AI Resume Chat	❌	✅	✅	✅	❌	✅	✅	❌
Interview Prep	❌	✅	✅	✅	❌	✅	✅	❌
Course Marketplace	View only	✅	✅ (enrolled)	❌	❌	Author / Review	✅	Academic view
Internship Tools	❌	❌	❌	✅	❌	Internship mentors	✅	❌
Telecaller CRM	❌	❌	❌	❌	✅	❌	✅	❌
Teaching Suite	❌	❌	❌	❌	❌	✅	✅	❌
Admin Console	❌	❌	❌	❌	❌	❌	✅	❌
Student Portal	❌	❌	❌	❌	❌	❌	Management	✅

Route Protection System

Middleware Implementation

TalentG uses middleware and server actions to enforce route-level access:

// middleware.ts
export function middleware(request: NextRequest) {
  const { pathname } = request.nextUrl;
  const user = await getUserFromSession();

  // Public routes - no authentication required
  const publicRoutes = ['/', '/auth', '/announcements'];
  if (publicRoutes.some(route => pathname.startsWith(route))) {
    return NextResponse.next();
  }

  // Authentication required for all other routes
  if (!user) {
    return NextResponse.redirect(new URL('/auth/login', request.url));
  }

  // Role-based route protection
  const routePermissions = {
    '/admin': ['admin', 'talentgro_team'],
    '/intern-dashboard': ['intern'],
    '/mentor-dashboard': ['course_mentor', 'trainer'],
    '/internship-mentor': ['internship_mentor'],
    '/learner-dashboard': ['course_learner'],
    '/telecaller': ['telecaller', 'senior_telecaller', 'admin'],
    '/student-layout': ['university_student'],
  } as const;

  for (const [route, allowedRoles] of Object.entries(routePermissions)) {
    if (pathname.startsWith(route)) {
      if (!allowedRoles.includes(user.role)) {
        return NextResponse.redirect(new URL('/dashboard', request.url));
      }
    }
  }

  return NextResponse.next();
}

Route Access Patterns

Public Routes

/ — Landing
/auth/* — Authentication flows
/announcements — Public communication
/shared/* — Marketing and collateral assets

Authenticated Routes

/dashboard — All roles
/assessments/* — Assessment and analytics suite
/ai-resume-chat, /interview-questions — Paid learners and mentors
/intern-dashboard/* — Intern programs
/mentor-dashboard/* — Course mentors and trainers
/internship-mentor/* — Internship mentors
/telecaller/* — Telecaller and senior telecaller roles (admins inherit)
/admin/* — Admin and TalentGro Team
/student-layout/* — University student experiences

Database Security

Row Level Security (RLS) Policies

TalentG implements Supabase row-level security (RLS) policies to enforce data isolation:

-- User profile access
CREATE POLICY "Users can view own profile"
  ON public.profiles FOR SELECT
  USING (auth.uid() = id);

-- Assessment data access
CREATE POLICY "Users can access own assessments"
  ON public.strength_finder_assessments FOR ALL
  USING (auth.uid() = user_id);

-- Admin access to all profiles via roles mapping
CREATE POLICY "Admins can access all profiles"
  ON public.profiles FOR ALL
  USING (
    EXISTS (
      SELECT 1 FROM public.roles
      WHERE uid = auth.uid() AND role_id IN ('admin', 'talentgro_team')
    )
  );

Data Isolation

User Isolation — Learners and interns can only view their own records.
Role-Based Scopes — Mentors and telecallers view only assigned cohorts or lead pools.
Institution Boundaries — University data is partitioned by organization IDs.
Auditability — Immutable logs capture read/write activity for compliance.

Multi-Role User Support

Role Assignment Architecture

Users can have multiple roles simultaneously:

interface UserProfile {
  id: string;
  roles: UserRole[]; // Array of roles
  primaryRole: UserRole; // Main role for dashboard routing
  permissions: Permission[]; // Computed permissions
}

Smart Dashboard Routing

The system automatically routes users to the most appropriate dashboard:

Check primary role assignment
Evaluate permission levels for feature access
Route to appropriate dashboard based on role hierarchy
Provide cross-dashboard access for multi-role users

Permission Computation

Permissions are dynamically computed based on assigned roles:

function computePermissions(userRoles: UserRole[]): Permission[] {
  const permissions = new Set<Permission>();

  for (const role of userRoles) {
    const rolePermissions = ROLE_PERMISSIONS[role];
    rolePermissions.forEach(permission => permissions.add(permission));
  }

  return Array.from(permissions);
}

Feature Access Control

AI Features

Free Tier: Basic Strength Finder assessment
Pro Tier: AI Resume Chat, Interview Questions, Advanced Analysis
Enterprise: Custom AI models, Advanced analytics

Learning Features

Individual Learning: Course marketplace access
Structured Learning: University program enrollment
Mentorship: Direct mentor-student relationships

Administrative Features

User Management: Create, modify, deactivate users
Content Management: Announcements, resources, courses
Analytics Access: System-wide usage and performance metrics

Security Considerations

Authentication Security

Multi-provider OAuth: Google, GitHub integration
JWT Token Management: Secure token handling with rotation
Session Management: Secure session lifecycle management

Authorization Security

Principle of Least Privilege: Minimum required permissions
Role Separation: Clear separation between different user types
Audit Logging: Comprehensive access and action logging

Data Security

Encryption: Data at rest and in transit encryption
Access Controls: Fine-grained permission management
Compliance: GDPR and data protection compliance

Implementation Examples

Frontend Permission Checking

// Custom hook for permission checking
function usePermissions() {
  const { user } = useAuth();

  const hasPermission = (permission: Permission): boolean => {
    if (!user) return false;
    return user.permissions.includes(permission);
  };

  const hasRole = (role: UserRole): boolean => {
    if (!user) return false;
    return user.roles.includes(role);
  };

  return { hasPermission, hasRole };
}

// Component usage
function ProFeature() {
  const { hasPermission } = usePermissions();

  if (!hasPermission('ai_resume_chat')) {
    return <UpgradePrompt feature="AI Resume Chat" />;
  }

  return <AIResumeChat />;
}

Backend Route Protection

// API route protection
export async function GET(request: Request) {
  const { user, error } = await authenticateUser(request);

  if (error || !user) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
  }

  // Check specific permissions
  if (!user.roles.includes('admin')) {
    return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 });
  }

  // Proceed with admin operation
  const data = await getAdminData();
  return NextResponse.json(data);
}

Role Management

Dynamic Role Assignment

Admins can assign and modify user roles through the admin panel:

Role Changes: Immediate permission updates
Audit Logging: All role changes are logged
Notification System: Users notified of role changes
Graceful Transitions: Smooth transition between roles

Role Lifecycle

Role Assignment: Initial role assignment during onboarding
Role Verification: Periodic review and validation
Role Modification: Updates based on user progression
Role Deactivation: Proper cleanup when roles are removed

Testing Role-Based Access

Automated Testing

describe('Role-Based Access Control', () => {
  test('admin can access all routes', async () => {
    const adminUser = await createTestUser('admin');
    const response = await request('/admin/users').auth(adminUser.token);
    expect(response.status).toBe(200);
  });

  test('intern cannot access mentor routes', async () => {
    const internUser = await createTestUser('intern');
    const response = await request('/mentor-dashboard').auth(internUser.token);
    expect(response.status).toBe(403);
  });
});

Manual Testing Checklist

All public routes accessible without authentication
Role-specific routes properly protected
Multi-role users can access appropriate dashboards
Permission checks work correctly in components
API routes properly validate permissions
Database RLS policies prevent unauthorized access

This comprehensive role-based access control system ensures that TalentG provides appropriate functionality to each user type while maintaining security, performance, and user experience.

Getting started

Project

Concepts

How-to

​User Roles & Access Control

​Role Architecture

​Core Role System

​Role-Based Dashboards

​Dashboard Routing Architecture

​1. General Dashboard (/dashboard)

​2. Assessment Hub (/assessments/strength-finder)

​3. Learner Dashboard (/learner-dashboard)

​4. Intern Dashboard (/intern-dashboard)

​5. Mentor Dashboard (/mentor-dashboard)

​6. Internship Mentor Dashboard (/internship-mentor)

​7. Admin Console (/admin/*)

​8. Student Portal (/student-layout/*)

​Permission Matrix

​Feature Access by Role

​Route Protection System

​Middleware Implementation

​Route Access Patterns

​Public Routes

​Authenticated Routes

​Database Security

​Row Level Security (RLS) Policies

​Data Isolation

​Multi-Role User Support

​Role Assignment Architecture

​Smart Dashboard Routing

​Permission Computation

​Feature Access Control

​AI Features

​Learning Features

​Administrative Features

​Security Considerations

​Authentication Security

​Authorization Security

​Data Security

​Implementation Examples

​Frontend Permission Checking

​Backend Route Protection

​Role Management

​Dynamic Role Assignment

​Role Lifecycle

​Testing Role-Based Access

​Automated Testing

​Manual Testing Checklist