The right people see the right things — automatically
ArkanPM combines eleven built-in roles with attribute-based scoping, building-level assignments, and financial data masking to deliver context-aware authorization without manual configuration.
Most PM systems leak data — roles are too broad, or permissions are too manual
1. Building managers see work orders from buildings they don't manage because role filtering is application-level only.
2. Technicians accidentally view purchase prices, vendor contract values, and other financial data meant only for management.
3. Custom roles require building a permission matrix from scratch every time, leading to misconfigurations that go unnoticed for months.
4. Temporary contractor or seasonal staff keep access forever because assignments have no expiration date.
5. A role misconfiguration lets a building manager escalate to admin — the system trusts the role flag without enforcing the hierarchy.
Arkan Role-Based & Attribute-Based Access Control Capabilities
Eleven built-in roles, precisely scoped
Super Admin, Platform Admin, Tenant Admin, Facility Manager, Building Manager, Maintenance Technician, Inspector, Vendor User, Owner, Resident, and Read-Only — each with a defined access scope out of the box.
Role definitions ship in the platform — no upfront configuration required to start operating.
Attribute-based filtering that just works
The ABAC guard evaluates contextual attributes on every request. A building manager querying work orders receives results automatically filtered to their assigned buildings — no custom rule authoring required.
Context attributes include user's building assignments, ownership records, and role hierarchy level.
Building-scoped assignments with expiration
Assign users to specific buildings with temporal scoping — set an expiration date on every assignment. Building managers inherit access to all resources within their assigned buildings automatically.
Financial data masking by role
Technicians and operational staff never see cost fields, purchase prices, or financial data. The API strips sensitive financial information based on the requester's role before it ever leaves the server.
Custom roles with permission matrices
Create organization-specific roles with fine-grained permissions across modules (portfolio, assets, maintenance, inspections, vendors, inventory, residents, owners) and actions (create, read, update, delete, manage, approve).
Technical Comparison
See how Arkan outperforms traditional solutions
Simple 6-Step Process
1. Users are assigned a system role on creation from the eleven built-in roles, or a custom role defined for the tenant.
2. Admins assign users to specific buildings with optional expiration dates for temporal scoping.
3. On every API request, the RBAC guard checks the role's permission matrix for the requested action.
4. The ABAC guard layers on top, filtering results to match the user's building assignments and ownership records.
5. Financial fields are stripped from the response based on the role — technicians never receive cost data.
6. Role hierarchy enforcement prevents privilege escalation — users cannot perform actions above their hierarchy level.
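
The six steps above can be sketched as one request path. This is an added illustration, not ArkanPM's code: the role names come from the page, while the hierarchy levels, permission tuples, field names and sample records are assumptions constructed for the example.

```python
from datetime import date

# Role names are the page's; levels, permissions and field names are assumptions.
LEVEL = {"tenant_admin": 3, "building_manager": 2, "maintenance_technician": 1}
PERMS = {
    "tenant_admin": {("maintenance", "read"), ("users", "manage")},
    # Constructed misconfiguration: users:manage granted to a building manager.
    "building_manager": {("maintenance", "read"), ("users", "manage")},
    "maintenance_technician": {("maintenance", "read")},
}
FINANCIAL_FIELDS = {"cost", "purchase_price"}
FINANCIAL_ROLES = {"tenant_admin", "building_manager"}  # assumed split

class Denied(Exception):
    """Raised when any authorization layer rejects the request."""

def require(role, module, action):
    # RBAC layer: unknown roles have an empty matrix, so they fail closed.
    if (module, action) not in PERMS.get(role, set()):
        raise Denied(f"{role} lacks {module}:{action}")

def active_buildings(user, today):
    # ABAC attribute: assignments that are open-ended or not yet expired.
    return {b for b, exp in user["assignments"].items() if exp is None or exp >= today}

def list_work_orders(user, orders, today):
    require(user["role"], "maintenance", "read")
    scope = active_buildings(user, today)
    visible = [o for o in orders if o["building"] in scope]
    if user["role"] in FINANCIAL_ROLES:
        return visible
    # Masking is applied server-side, before the response is built.
    return [{k: v for k, v in o.items() if k not in FINANCIAL_FIELDS} for o in visible]

def assign_role(actor, new_role):
    require(actor["role"], "users", "manage")
    # Hierarchy check is independent of the matrix, so a bad grant cannot escalate.
    if LEVEL.get(new_role, 99) > LEVEL[actor["role"]]:
        raise Denied(f"{new_role} is above {actor['role']}")
    return new_role

# Constructed sample data: the manager's assignment to building B expired yesterday.
TODAY = date(2025, 6, 1)
ORDERS = [{"id": 1, "building": "A", "cost": 120.0},
          {"id": 2, "building": "B", "cost": 900.0},
          {"id": 3, "building": "C", "cost": 450.0}]
MANAGER = {"role": "building_manager", "assignments": {"A": None, "B": date(2025, 5, 31)}}
TECH = {"role": "maintenance_technician", "assignments": {"A": None, "C": date(2025, 12, 31)}}
```

With this data the manager sees only the building A order with its cost, the technician sees the A and C orders without cost fields, and the misconfigured `users:manage` grant still cannot be used to assign `tenant_admin`.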
Measurable Impact
Built-in roles
11 roles
From Super Admin to Read-Only, with every operational role in between — no upfront configuration required.
Authorization layers
RBAC + ABAC
Role checks combined with context-aware attribute filtering — two layers, one consistent policy.
Financial protection
Role-scoped masking
Costs, purchase prices, and financial fields stripped from API responses for non-financial roles.
“Our building managers used to see work orders from every property because our old system only filtered by tenant. With ArkanPM, the access scope follows the building hierarchy automatically — and technicians no longer see cost fields they shouldn't.”
Security & Compliance Lead
GCC Multi-Building Operator
Who Benefits
Tenant Admin
Provisions users, assigns roles, and defines custom roles with module-level permissions.
Facility Manager
Operates across multiple buildings with full operational permissions but no tenant administration.
Building Manager
Sees work orders, assets, and operations scoped to assigned buildings — nothing from other buildings leaks in.
Maintenance Technician
Works on assigned work orders without ever seeing costs, purchase prices, or financial fields.
Vendor User
Accesses only work orders assigned to their own company — no cross-vendor visibility.
Works seamlessly with other ArkanPM modules
Role-Based & Attribute-Based Access Control integrates with Unified Portfolio Hierarchy, Audit Trail & Compliance, Multi-Tenant Architecture and more for a complete property management platform.
Related Features
Explore other features that work great with Role-Based & Attribute-Based Access Control
Unified Portfolio Hierarchy
Building-scoped assignments operate against the six-level portfolio hierarchy.
Audit Trail & Compliance
Every access decision and role change is recorded in the audit log with full actor context.
Multi-Tenant Architecture
RBAC and ABAC operate within tenant-isolated boundaries enforced at the database layer.