Who can do what? Exactly what you allow.
Role-based access with 40+ dynamic permissions and custom roles — on a platform the cloud tools can’t copy, because it runs on your server. Control down to the last toggle, ownership down to the last byte.
40+ dynamic permissionsCustom roles includedFree on every plan
40+ permissions, zero “upgrade to unlock”
Other tools gate real access control behind the enterprise tier. AlianHub ships every toggle standard — dynamic, per company, applied live.
- Down to the verbWho can delete a task, export a timesheet, archive a project — every action is its own toggle, not a bundle you take or leave.
- Dynamic, not hard-codedFlip a toggle and it applies instantly — no redeploy, no support ticket. Socket.io pushes the change to every open session.
- Scoped per companyEach company on your install carries its own permission set. Your agency clients never share a rulebook.
- Standard on every planFull RBAC ships free — self-hosted or cloud. It’s not an add-on; it’s the floor.
Build roles shaped like your team
Preset roles ship out of the box. Custom roles cover everyone in between — contractors, clients, and the intern you mostly trust.
- Start from a presetClone the role that’s closest, then flip only what’s different. A contractor role takes about a minute.
- Fits the in-betweensContractors who log time but can’t delete. Clients who comment but can’t edit. Exactly the access each team needs — no more, no less.
- Applies liveEveryone holding the role gets the new rules the moment you save — real-time sync keeps every session honest.
- Per company, like everything else“Contractor” at Acme and “Contractor” at Northwind can mean two different rulebooks — on the same install.
The most secure cloud is your own server
Self-hosting isn’t a deployment option here — it’s the security model. Your data lives in your MongoDB, behind your firewall, in code you can audit line by line.
- Data that never leavesTasks, comments, attachments, timesheets — all of it stays in your MongoDB and your storage: local disk or an S3-compatible bucket like Wasabi.
- Auditable AGPL sourceNo black-box auth. Read the middleware, diff every release, and report anything you find through SECURITY.md on GitHub.
- You hold the signing keysSessions are JWT-based, signed with the
JWT_SECRETyou set at install. Rotate it on your schedule, not a vendor’s. - Optional by designSMTP, Firebase, and AI providers connect only if you add them — your keys, your call. The install wizard makes each one a choice, not a default.
JWT_SECRET=••••••••••••set by you at installOne install, every company its own rulebook
Run several companies from a single deployment. Roles, permissions, currency, language — each one is set per company, not per install.
- Separate rulebooksAcme’s Manager isn’t Northwind’s Manager. Roles and all 40+ permissions are configured company by company.
- Multi-currencyBudgets and money fields in dollars here, euros there — each company keeps books in its own currency.
- Speaks the local languageThe interface is multi-language (vue-i18n), so each team works in its own words — on the same box.
- One box to maintainOne Docker deployment, one upgrade path — and per-company settings for everything else.