Offline Sync & Infrastructure

Security & Role-Based Access Control

Security is at the heart of Kononia. We implement multi-layered security controls to ensure that member profiles, financial registers, and pastoral notes are protected, visible only to authorized users, and isolated between parishes.

Security & Role-Based Access Control

Security is at the heart of Kononia. We implement multi-layered security controls to ensure that member profiles, financial registers, and pastoral notes are protected, visible only to authorized users, and isolated between parishes.

1. The 7-Layer Role Hierarchy

The platform uses a role-based access control (RBAC) model, consisting of seven primary access levels:

  1. Diocesan Super Admin: Manages the multi-parish directory, diocesan announcements, and regional statistics.
  2. Parish Admin: Exercises complete control over local settings, member directories, custom forms, financial budgets, and user accounts.
  3. Confession Father / Priest: Views pastoral care histories, schedules confessions, logs sacraments, and manages parish service rosters.
  4. Service Leader: Coordinates specific ministries (e.g., choir directors or usher captains), schedules volunteers, and outlines worship flows.
  5. Sunday School Teacher: Records student attendance, updates lesson plans, and updates curriculum progress checklists.
  6. Active Member: Accesses their member portal to edit household profiles, make donations, check volunteer shifts, and participate in chat channels.
  7. Guest / Visitor: Submits public forms (e.g., event RSVPs or volunteer interest), with minimal, isolated directory permissions.

2. Dynamic Access Inheritance

Roles are applied dynamically, depending on the context:

  • Ministry & Group Roles: A user can be a basic “Member” in the general parish directory, but hold a “Service Leader” role within their youth group, granting them scheduling rights only for that group.
  • Access Level Audits: When a user attempts to view a page, the platform verifies their permissions through a real-time validation pipeline.

3. Strict Parish Isolation

In our multi-tenant setup, data security between churches is strictly enforced:

  • Isolated Parish Vaults: Every database query is automatically filtered by the organization’s unique ID.
  • Zero Cross-Parish Leakage: It is impossible for a user or administrator from Parish A to view, search, or modify any records belonging to Parish B.
  • Confidential Care Notes: Sensitive pastoral logs and confession lists are additional-secured, restricted only to the member’s assigned priest or shepherd.