Roles and Permissions

10 min read Updated Aug 5, 2025 User Management
Access Control & Security

Proper role and permission management is crucial for system security and operational efficiency. Learn to configure access controls that protect your data while enabling productivity.

Roles and permissions in Sederly provide granular control over what users can access and modify. This comprehensive guide covers everything from basic role assignment to advanced permission configuration.

## Understanding Roles and Permissions

### Role-Based Access Control (RBAC)

Sederly uses a role-based access control system where:

- **Roles** define a set of permissions for specific job functions
- **Permissions** control access to specific features and data
- **Users** are assigned roles that determine their system access
- **Inheritance** allows roles to build upon other roles

### Permission Categories

#### Core System Areas:

- **Orders**: Create, view, edit, delete orders
- **Customers**: Manage customer information and history
- **Products**: Handle inventory and product catalog
- **Reports**: Access various business reports and analytics
- **Settings**: Modify system configuration
- **Users**: Manage user accounts and permissions

#### Permission Levels:

- **None**: No access to the feature
- **View**: Read-only access to information
- **Create**: Can add new records
- **Edit**: Can modify existing records
- **Delete**: Can remove records
- **Full**: Complete access including administrative functions

## Standard User Roles

### Organization Owner
Complete System Access

Highest level of access with all permissions enabled.

#### Permissions Include:

- **All System Features**: Access to every feature and function
- **User Management**: Create, edit, delete user accounts
- **Billing Management**: Access to subscription and payment settings
- **System Configuration**: Modify all system settings
- **Data Export**: Export all business data
- **Security Settings**: Configure security policies
- **Integration Management**: Set up and manage integrations

#### Responsibilities:

- Overall system administration
- User account management
- Security policy enforcement
- Billing and subscription management
- Strategic system configuration

### Manager Role
Operational Management

Comprehensive access for managing daily operations.

#### Permissions Include:

- **Order Management**: Full order creation, editing, and processing
- **Customer Management**: Complete customer database access
- **Product Management**: Inventory and catalog management
- **Staff Supervision**: Manage assigned staff members
- **Reporting**: Access to all operational reports
- **Branch Management**: Control over assigned branches
- **Payment Processing**: Handle refunds and payment issues

#### Typical Use Cases:

- Store managers
- Department heads
- Operations supervisors
- Regional managers

### Staff Role
Front-Line Operations

Essential permissions for customer service and order processing.

#### Permissions Include:

- **Order Processing**: Create and process customer orders
- **Customer Service**: Access customer information and history
- **Basic Reporting**: View daily sales and performance reports
- **Product Lookup**: Search and view product information
- **Payment Processing**: Handle standard payment transactions
- **Receipt Generation**: Print and email receipts

#### Limitations:

- Cannot modify system settings
- Limited access to financial reports
- Cannot manage other users
- Cannot process refunds without approval

### Accountant Role
Financial Data Access

Specialized access for financial reporting and analysis.

#### Permissions Include:

- **Financial Reporting**: Access to all financial reports
- **Transaction History**: View all payment and order data
- **Tax Reporting**: Generate tax-related reports
- **Export Capabilities**: Export financial data
- **Audit Trail**: Access to system audit logs
- **Read-Only Access**: View-only access to most data

#### Restrictions:

- Cannot create or modify orders
- Cannot change customer information
- Cannot access user management
- Cannot modify system settings

## Custom Role Creation

### Creating Custom Roles
Tailor Roles to Your Needs

Create specialized roles for unique business requirements.

#### Custom Role Process:

1. **Navigate to Roles**: Go to Settings > Roles & Permissions
2. **Create New Role**: Click "Create Custom Role"
3. **Name the Role**: Provide a descriptive role name
4. **Select Base Role**: Choose a starting point (optional)
5. **Configure Permissions**: Set specific permissions
6. **Test Role**: Assign to a test user and verify access
7. **Deploy Role**: Assign to appropriate users

#### Permission Configuration:

For each system area, set:

- **Access Level**: None, View, Create, Edit, Delete, Full
- **Data Scope**: All data, branch-specific, user-specific
- **Time Restrictions**: Business hours only, specific days
- **Approval Requirements**: Require manager approval for certain actions

### Common Custom Roles

#### Sales Associate:

- **Orders**: Create, edit (own orders only)
- **Customers**: View, create, edit basic information
- **Products**: View, search
- **Reports**: Basic sales reports
- **Payments**: Process standard payments

#### Inventory Manager:

- **Products**: Full access to product catalog
- **Inventory**: Complete inventory management
- **Orders**: View for inventory impact
- **Reports**: Inventory and product reports
- **Suppliers**: Manage supplier information

#### Customer Service Representative:

- **Customers**: Full customer management
- **Orders**: View, edit for service issues
- **Returns**: Process returns and exchanges
- **Reports**: Customer service reports
- **Communication**: Send customer notifications

## Permission Management

### Granular Permission Control
Fine-Tune Access Control

Configure detailed permissions for specific business needs.

#### Order Permissions:

- **Create Orders**: Can create new orders
- **Edit Orders**: Can modify existing orders
- **Delete Orders**: Can remove orders
- **Process Payments**: Can handle payment processing
- **Issue Refunds**: Can process refunds
- **View All Orders**: Can see orders from all users
- **Export Orders**: Can export order data

#### Customer Permissions:

- **Create Customers**: Can add new customers
- **Edit Customers**: Can modify customer information
- **Delete Customers**: Can remove customer records
- **View Customer History**: Can see purchase history
- **Export Customers**: Can export customer data
- **Merge Customers**: Can combine duplicate records

#### Product Permissions:

- **Create Products**: Can add new products
- **Edit Products**: Can modify product information
- **Delete Products**: Can remove products
- **Manage Inventory**: Can adjust stock levels
- **Set Pricing**: Can modify product prices
- **Manage Categories**: Can organize product categories

### Branch-Specific Permissions

#### Multi-Branch Access Control:

- **Branch Assignment**: Which branches the user can access
- **Permission Scope**: Different permissions per branch
- **Data Isolation**: Restrict data access by branch
- **Cross-Branch Reporting**: Access to multi-branch reports
- **Transfer Permissions**: Can transfer data between branches

#### Branch Permission Levels:

- **Full Access**: Complete control over branch operations
- **Operational Access**: Day-to-day operations without settings
- **View Only**: Read-only access to branch data
- **Reporting Access**: Can generate branch reports
- **No Access**: Cannot access branch data

## Security Considerations

### Security Best Practices
Maintain System Security

Implement security best practices for role and permission management.

#### Access Control Principles:

- **Principle of Least Privilege**: Give the minimum necessary access
- **Separation of Duties**: Divide critical functions among multiple users
- **Regular Access Reviews**: Quarterly review of user permissions
- **Role-Based Assignment**: Use roles rather than individual permissions
- **Audit Trail**: Monitor permission changes and access patterns

#### Permission Auditing:

- **Access Logs**: Track who accessed what and when
- **Permission Changes**: Log all role and permission modifications
- **Failed Access Attempts**: Monitor unauthorized access attempts
- **Regular Reviews**: Scheduled permission audits
- **Compliance Reporting**: Generate compliance reports

### Common Security Risks

#### Permission Creep:

- **Gradual Expansion**: Permissions accumulate over time
- **Role Changes**: Permissions not updated when roles change
- **Temporary Access**: Temporary permissions become permanent
- **Shared Accounts**: Multiple people using the same account

#### Mitigation Strategies:

- **Regular Cleanup**: Remove unnecessary permissions
- **Role Transitions**: Update permissions when roles change
- **Time-Limited Access**: Set expiration dates for temporary access
- **Individual Accounts**: Ensure each person has a unique account

## Implementation Guidelines

### Rolling Out Role Changes
Implement Changes Safely

Deploy role and permission changes with minimal disruption.

#### Change Management Process:

1. **Plan Changes**: Document proposed role modifications
2. **Test Thoroughly**: Test changes in a non-production environment
3. **Communicate**: Inform affected users about changes
4. **Implement Gradually**: Roll out changes in phases
5. **Monitor Impact**: Watch for issues after implementation
6. **Gather Feedback**: Collect user feedback on changes
7. **Adjust as Needed**: Make refinements based on feedback

#### Training and Support:

- **Role Training**: Train users on their new permissions
- **Documentation**: Update user guides and procedures
- **Support Availability**: Provide extra support during transition
- **Feedback Channels**: Create ways for users to report issues

## Troubleshooting

### Common Permission Issues

#### Access Denied Problems:

- **Check Role Assignment**: Verify the user has the correct role
- **Review Permissions**: Confirm the role has the necessary permissions
- **Branch Access**: Ensure the user can access the required branches
- **Session Issues**: Try logging out and back in
- **Cache Problems**: Clear the browser cache

#### Permission Conflicts:

- **Multiple Roles**: Conflicts between different assigned roles
- **Inheritance Issues**: Problems with role inheritance
- **Branch Conflicts**: Different permissions across branches
- **Time Restrictions**: Access outside allowed time periods

### Getting Help

#### Support Resources:

- **Permission Documentation**: Detailed permission guides
- **Role Templates**: Pre-configured role examples
- **Security Consultation**: Expert advice on access control
- **Implementation Support**: Help with complex role deployments

Security First: Always prioritize security when configuring roles and permissions. It's better to start with restricted access and gradually expand permissions as needed rather than starting with broad access.
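
An added example, not part of Sederly's documentation or product: a periodic access review of the kind described under Permission Creep and Mitigation Strategies, run over constructed grant records. The record fields, the role baseline and the treatment of the permission levels as an ordered scale are assumptions made for the example.

```python
from datetime import date

# Permission levels named in this guide; ordering them from least to most
# access is an assumption of this example.
LEVELS = ["None", "View", "Create", "Edit", "Delete", "Full"]

# Hypothetical baseline: the highest level each role is expected to hold per area.
BASELINE = {
    "Staff": {"Orders": "Create", "Customers": "View", "Reports": "View"},
    "Accountant": {"Orders": "View", "Customers": "View", "Reports": "Full"},
}

# Constructed sample grants (not a real export format).
GRANTS = [
    {"user": "amy", "role": "Staff", "area": "Orders", "level": "Create",
     "temporary": False, "expires": None},
    {"user": "amy", "role": "Staff", "area": "Settings", "level": "Edit",
     "temporary": False, "expires": None},
    {"user": "bob", "role": "Accountant", "area": "Orders", "level": "Edit",
     "temporary": True, "expires": date(2025, 3, 1)},
    {"user": "cam", "role": "Staff", "area": "Reports", "level": "Full",
     "temporary": True, "expires": None},
    {"user": "dee", "role": "Accountant", "area": "Reports", "level": "Full",
     "temporary": False, "expires": None},
]


def review(grants, today):
    """Return (user, area, finding) tuples for grants that show permission creep."""
    findings = []
    for g in grants:
        allowed = BASELINE.get(g["role"], {}).get(g["area"], "None")
        if g["temporary"]:
            # Temporary access is acceptable only while it has a future expiry.
            if g["expires"] is None:
                findings.append((g["user"], g["area"], "temporary grant has no expiry"))
            elif g["expires"] < today:
                findings.append((g["user"], g["area"], "temporary grant expired but still active"))
        elif LEVELS.index(g["level"]) > LEVELS.index(allowed):
            # Standing access above the role baseline: accumulated or left over.
            findings.append((g["user"], g["area"],
                             f"{g['level']} exceeds role baseline {allowed}"))
    return findings


if __name__ == "__main__":
    for finding in review(GRANTS, date(2025, 8, 5)):
        print(*finding, sep=" | ")
```
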
## Quick Reference

### Permission Levels

- **None**: No access
- **View**: Read-only access
- **Create**: Can add new records
- **Edit**: Can modify existing records
- **Delete**: Can remove records
- **Full**: Complete administrative access

### Standard Roles Summary

- **Owner**: Complete system access
- **Manager**: Operational management
- **Staff**: Front-line operations
- **Accountant**: Financial data access

Access Control Success: Well-configured roles and permissions protect your business data while enabling team productivity. Regular reviews and updates ensure your access control remains effective and secure.