v14.7.0 is here — AI-generated sub-tasks, epics & task links, plus a smoother first-run setup.See what’s new →
Permissions & security

Who can do what? Exactly what you allow.

Role-based access with 40+ dynamic permissions and custom roles — on a platform the cloud tools can’t copy, because it runs on your server. Control down to the last toggle, ownership down to the last byte.

40+ dynamic permissionsCustom roles includedFree on every plan

Granular RBAC

40+ permissions, zero “upgrade to unlock”

Other tools gate real access control behind the enterprise tier. AlianHub ships every toggle standard — dynamic, per company, applied live.

  • Down to the verbWho can delete a task, export a timesheet, archive a project — every action is its own toggle, not a bundle you take or leave.
  • Dynamic, not hard-codedFlip a toggle and it applies instantly — no redeploy, no support ticket. Socket.io pushes the change to every open session.
  • Scoped per companyEach company on your install carries its own permission set. Your agency clients never share a rulebook.
  • Standard on every planFull RBAC ships free — self-hosted or cloud. It’s not an add-on; it’s the floor.
Browse the full permission list in the docs
Custom roles

Build roles shaped like your team

Preset roles ship out of the box. Custom roles cover everyone in between — contractors, clients, and the intern you mostly trust.

  • Start from a presetClone the role that’s closest, then flip only what’s different. A contractor role takes about a minute.
  • Fits the in-betweensContractors who log time but can’t delete. Clients who comment but can’t edit. Exactly the access each team needs — no more, no less.
  • Applies liveEveryone holding the role gets the new rules the moment you save — real-time sync keeps every session honest.
  • Per company, like everything else“Contractor” at Acme and “Contractor” at Northwind can mean two different rulebooks — on the same install.
Security by architecture

The most secure cloud is your own server

Self-hosting isn’t a deployment option here — it’s the security model. Your data lives in your MongoDB, behind your firewall, in code you can audit line by line.

  • Data that never leavesTasks, comments, attachments, timesheets — all of it stays in your MongoDB and your storage: local disk or an S3-compatible bucket like Wasabi.
  • Auditable AGPL sourceNo black-box auth. Read the middleware, diff every release, and report anything you find through SECURITY.md on GitHub.
  • You hold the signing keysSessions are JWT-based, signed with the JWT_SECRET you set at install. Rotate it on your schedule, not a vendor’s.
  • Optional by designSMTP, Firebase, and AI providers connect only if you add them — your keys, your call. The install wizard makes each one a choice, not a default.
Per-company settings

One install, every company its own rulebook

Run several companies from a single deployment. Roles, permissions, currency, language — each one is set per company, not per install.

  • Separate rulebooksAcme’s Manager isn’t Northwind’s Manager. Roles and all 40+ permissions are configured company by company.
  • Multi-currencyBudgets and money fields in dollars here, euros there — each company keeps books in its own currency.
  • Speaks the local languageThe interface is multi-language (vue-i18n), so each team works in its own words — on the same box.
  • One box to maintainOne Docker deployment, one upgrade path — and per-company settings for everything else.
Own your access control

Your rules. Your roles. Your server.

Spin up AlianHub with one Docker Compose command tonight — 40+ permissions and custom roles included, free forever, unlimited users.

Need single sign-on or a custom security integration? Alian Software builds custom features on request — or see what free forever includes.