Roles & permissions
You decide who can do what
Roles are yours to shape: give each one exactly the permissions that match how your agency works. Every action in the platform asks for a permission, so anyone granted nothing can do nothing. Closed by default.
Roles you compose yourself
Create as many roles as you need and give each one exactly the permissions you pick from a fixed catalog. A person can hold several roles; what they may do is the sum of all their roles together. Permissions are named the same way everywhere (module.resource.action), so the list stays readable as it grows.
Closed by default
Every route in the platform asks for a permission. A route that declares none fails the build, so no door is ever left accidentally open. The interface shows you only what you may do, but the real boundary is the API, not a hidden button.
Own or any
Some permissions carry a scope: own or any. Someone writes their own hours (time.entry.write:own) without touching a colleague's. 'Own' means the row belongs to that person; for a task, that is whoever it is assigned to. A permission for 'any' always covers 'own' as well.
Four roles to build on
Four roles are there from the start: owner, admin, member and client. Owner holds every permission and can be neither edited nor deleted, so a mistake made anywhere else stays fixable. The other three are freely editable or duplicable; admin carries a full, explicit list rather than a wildcard, precisely so you can narrow it.
- owner: every permission, fixed and undeletable
- admin, member and client: key locked, permissions open
- The last role that can manage the agency cannot be removed
Managed in one place
You set everything up under Settings → Roles: create roles, tick permissions, assign them to people. Turn on a module later and it brings its own permissions, granted to your system roles once. Every change to a role is recorded, so you can see who changed what.
Want to know more?
The documentation describes every module in detail, from installation to permissions.