App Access Control
Control which applications (web, desktop, mobile) users can access
App Access Control lets organization admins restrict which Z8 applications users can access inside a specific organization. This is useful for compliance, security policies, or staged rollout by role.
Understanding App Access
These restrictions are organization-scoped. A user can be allowed in one organization and restricted in another.
Z8 offers multiple applications:
| Application | Description | Default Access |
|---|---|---|
| Web App | Full-featured browser application | Enabled |
| Desktop App | Lightweight time tracking widget | Enabled |
| Mobile App | Native mobile companion | Enabled |
By default, all users can access all applications. Administrators can restrict access per user.
Use Cases
Security Compliance
- Contractors: Restrict to web-only to maintain oversight
- Sensitive roles: Disable the mobile app so that access is limited to the web and desktop clients
- BYOD policies: Disable the desktop app for users who work from personal devices
Role-Based Access
- Field workers: Mobile-only for on-site time tracking
- Office staff: Web and desktop, no mobile needed
- Remote workers: Full access to all applications
Temporary Restrictions
- Onboarding: Start with web-only, expand later
- Investigation: Temporarily restrict access during reviews
- Transitions: Limit access during role changes
Managing User Access
App access is currently managed from the employee detail page.
Employee Detail Flow
- Go to Employees in the sidebar
- Click on the employee's profile
- Open the App Access Permissions section
- Toggle access for each application:
  - Web Application
  - Desktop Application
  - Mobile Application
- Save the employee changes
Access Behavior
When Access is Granted
- User can log in to the application
- All features available based on their role
- Normal session management applies
When Access is Denied
- User attempts to access the application
- System detects the app type from the request
- Access check fails
- User sees the "Access Denied" page
- Audit log entry created
Clear Messaging
Denied users see a clear message explaining which application they cannot access and are advised to contact their administrator.
Access Enforcement
The system detects which application is making the request and validates the matching permission for the active organization.
| Detection Method | App Type |
|---|---|
| Cookie authentication | Web App |
| Bearer token + `X-Z8-App-Type: mobile` | Mobile App |
| Bearer token + `X-Z8-App-Type: desktop` | Desktop App |
| Bearer token without explicit app header | Legacy fallback based on user agent |
Native App Requests
Mobile-only API routes require both a bearer token and `X-Z8-App-Type: mobile`; the user-agent fallback is not accepted there. Older shared routes can still fall back to user-agent detection for legacy non-web clients. Note that both the header and the user agent are supplied by the client, so detection identifies the application the client claims to be and enforces the per-user policy for it; it does not prove which binary or device sent the request.
Per-organization enforcement
Restricting mobile, desktop, or web access affects the current organization only. It does not change access in other organizations the same user belongs to.
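The detection order and the per-organization check described above, as an added example that is not Z8's own code. It classifies a request into web, desktop or mobile in the same order as the table (cookie session, then explicit `X-Z8-App-Type`, then user-agent fallback), looks up the user's flags for the active organization only, fails closed when the app type cannot be determined, and records a denial the way the Access Behavior section describes. The `Request` class, the `classify_app`/`check_access` functions, the `session` cookie name, the `z8-mobile`/`z8-desktop` user-agent tokens and the `APP_ACCESS` store are all hypothetical stand-ins, not Z8 identifiers.

```python
"""Added example, not Z8's own code: request classification plus per-org
app-access enforcement following the detection table on this page.
Every name here is a hypothetical stand-in, not a Z8 identifier."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

WEB, DESKTOP, MOBILE = "web", "desktop", "mobile"
APP_TYPE_HEADER = "x-z8-app-type"      # header names are compared lowercased


@dataclass
class Request:
    user_id: str
    org_id: str                        # the *active* organization
    ip: str
    headers: dict = field(default_factory=dict)   # lowercased header names
    cookies: dict = field(default_factory=dict)


def classify_app(req, allow_ua_fallback=True):
    """Return the app type the client *claims*, or None if undeterminable.

    Order mirrors the page: cookie session -> web; bearer + X-Z8-App-Type ->
    mobile/desktop; bearer without the header -> legacy user-agent guess.
    Mobile-only routes call this with allow_ua_fallback=False so that only
    the explicit header is accepted.  Both the header and the user agent are
    chosen by the client, so this is policy enforcement, not attestation.
    """
    if "session" in req.cookies:                      # assumed cookie name
        return WEB
    auth = req.headers.get("authorization", "")
    if not auth.lower().startswith("bearer "):
        return None                                   # unauthenticated
    explicit = req.headers.get(APP_TYPE_HEADER, "").strip().lower()
    if explicit in (MOBILE, DESKTOP):
        return explicit
    if not allow_ua_fallback:
        return None
    ua = req.headers.get("user-agent", "").lower()    # assumed UA tokens
    if "z8-mobile" in ua:
        return MOBILE
    if "z8-desktop" in ua:
        return DESKTOP
    return None


# (user_id, org_id) -> per-app flags.  A missing key or flag means the
# default: allowed.  Constructed sample: u-42 has mobile disabled in org-a.
APP_ACCESS = {
    ("u-42", "org-a"): {WEB: True, DESKTOP: True, MOBILE: False},
}
AUDIT_LOG = []   # one dict per denial


def check_access(req, app_access=APP_ACCESS, allow_ua_fallback=True, now=None):
    """Allow or deny the request for its active organization; log denials."""
    app = classify_app(req, allow_ua_fallback)
    flags = app_access.get((req.user_id, req.org_id), {})
    # Fail closed: an unrecognized client is denied rather than treated as web.
    allowed = app is not None and flags.get(app, True)
    if not allowed:
        AUDIT_LOG.append({
            "event": "app_access_denied",
            "user_id": req.user_id,
            "org_id": req.org_id,
            "app": app or "unknown",
            "ip": req.ip,
            "user_agent": req.headers.get("user-agent", ""),
            "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        })
    return allowed


if __name__ == "__main__":
    # Constructed requests: same user, same mobile client, two organizations.
    mobile_headers = {"authorization": "Bearer t0k3n",
                      APP_TYPE_HEADER: "mobile",
                      "user-agent": "Z8-Mobile/3.0"}
    for org in ("org-a", "org-b"):
        req = Request("u-42", org, "203.0.113.5", headers=mobile_headers)
        print(org, "mobile ->", "allowed" if check_access(req) else "denied")
    for entry in AUDIT_LOG:
        print(entry)
```

The same user is denied on mobile in org-a and allowed in org-b, which is the per-organization behaviour the section describes; a legacy client with no header is accepted on shared routes only, and refused on a mobile-only route even when its user agent looks like a mobile build.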
Audit Logging
All access control events are logged:
Access Changes
When permissions are modified:
- Who made the change
- Which user was affected
- Which app access changed
- Previous and new values
- Timestamp
Access Denials
When access is denied:
- User who was denied
- Which app they tried to access
- IP address
- User agent
- Timestamp
Audit logs are available under Settings > Audit Logs; filter by "App Access" to show only these events.
Default Settings
New Employees
New employees receive full access to all applications by default.
Invited Users
Invited users receive the default app permissions for the organization. Review their access after they join if your policy requires tighter restrictions.
Deactivated Employees
Deactivating an employee revokes all access. App access settings are preserved if the employee is later reactivated.
Integration with Other Features
Session Management
- Changing app access does not terminate existing sessions
- The user is denied on their next API request from the restricted application
- Revoke the user's sessions manually if the restriction must take effect immediately
Two-Factor Authentication
- 2FA requirements apply regardless of app access
- Users must complete 2FA on allowed applications
- Denied apps don't bypass 2FA
Organization Switching
- App access is checked per organization
- Users may have different access in different organizations
- Switching organizations re-validates access
Best Practices
Principle of Least Privilege
Only grant access to applications users actually need.
Document Policies
Create clear policies about who gets access to which apps:
- By role
- By department
- By employment type
Regular Reviews
Periodically review employee access in the employee settings screens and adjust permissions as roles or device policies change.
Communicate Changes
When restricting access:
- Notify affected users in advance
- Explain the reason
- Provide alternative access methods if available
- Update documentation
Troubleshooting
User reports "Access Denied" unexpectedly
- Check their app access settings in employee profile
- Verify they're accessing the correct organization
- Check audit logs for recent permission changes
- Ensure their account is active
Access changes not taking effect
- User may have cached session
- Ask them to log out and back in
- Check if they're using the correct app
- Verify the change was saved
Can't modify user's access
- Verify you have admin permissions
- Confirm you are editing the employee detail page for the correct person
- Save the form after changing the switches
- Contact support if issues persist