The access control system used by Flight School Booking is based on role-based permissions. Until recently, these permissions were set up by us and could not be viewed or changed by anyone. But we've exposed just under 100 of them to system owners to give more control over who can do what. They're all found under the various main features under Admin.
As an example, the permissions tab for Booking out settings is shown below:
Note: I have already added a new group (or Role) named "Examiners". These users can book out as PIC and also when the system would treat them as out of currency. This is because they fly elsewhere and take responsibility for maintaining it themselves.
The Owner role is granted all permissions and is not shown in the table. Only the owner can view and change the permissions, this is not available to any other built-in roles. If you did want to allow someone trusted to change the permissions, you can create a new role (e.g. Security staff) and assign this role the permission "Administer permissions". Then, for your most trusted staff, add them to the roles Office staff and Security staff.
There are blank cells where I think it makes no sense to grant permission, for example the Accountant role does not need to book out. If your accountant is also a pilot, they will be given the Renter or Student role in addition to Accountant.
Where permissions have been changed from the designed default, the cell is highlighted in amber. This doesn't mean anything is wrong, it just draws your attention to the fact that the permissions have been changed. The Reset to defaults button will reset everything if you want to get back to the initial settings.
As another example, here are the permissions under Admin > Basic settings.
In this example, the instructor is not allowed to add new users. Only office staff (and the system owner) have permission in this system.
When permissions are changed, the event log (under Admin > Event log) records which permission changed and who changed it.