Roles & Permissions
QoBooks features a comprehensive, hierarchical permission system that gives fine-grained control over what users can access and do within the system.
Permission System Overview
Hierarchical Structure
- Super Admin: Full system access across all organizations
- Organization Admin: Full access within their organization
- Branch Admin: Full access within assigned branches
- Custom Roles: Configurable permissions based on business needs
- User: Limited access based on assigned role
Permission Categories
- View Permissions: Ability to view data and reports
- Create Permissions: Ability to add new records
- Edit Permissions: Ability to modify existing records
- Delete Permissions: Ability to remove records
- Approve Permissions: Ability to approve workflows
- Export Permissions: Ability to export data
Default Roles
Super Administrator
- Access: All organizations, all modules, all features
- Capabilities:
  - Create and manage organizations
  - Manage all users across the system
  - Configure system-wide settings
  - Access all reports and analytics
  - Perform database operations
- Use Case: System administrators and platform owners
Organization Administrator
- Access: All modules within their organization
- Capabilities:
  - Manage organization settings
  - Create and manage branches
  - Manage users within organization
  - Configure roles and permissions
  - Access all organization reports
  - Manage subscriptions and billing
- Use Case: Business owners and IT managers
Branch Manager
- Access: All modules within assigned branches
- Capabilities:
  - Manage branch settings
  - Manage branch inventory
  - Process sales and purchases
  - Manage branch staff
  - Access branch reports
  - Approve branch-level workflows
- Use Case: Store managers and location supervisors
Sales Staff
- Access: Sales module within assigned branches
- Capabilities:
  - Create sales orders and invoices
  - Manage customers
  - Process payments
  - View sales reports
  - Print receipts
- Use Case: Sales representatives and cashiers
Purchasing Staff
- Access: Purchases module within assigned branches
- Capabilities:
  - Create purchase orders
  - Manage suppliers
  - Receive goods (GRN)
  - Process supplier payments
  - View purchase reports
- Use Case: Procurement officers and buyers
Inventory Manager
- Access: Inventory module within assigned branches
- Capabilities:
  - Manage items and categories
  - Perform stock adjustments
  - Process stock transfers
  - View inventory reports
  - Manage stock levels
- Use Case: Warehouse managers and inventory controllers
Accountant
- Access: Financial module within assigned branches
- Capabilities:
  - Manage chart of accounts
  - Record expenses
  - Process bank transactions
  - Reconcile accounts
  - Access financial reports
- Use Case: Accountants and finance staff
Viewer (Read-Only)
- Access: View-only access to assigned modules
- Capabilities:
  - View data and reports
  - Export data (if permitted)
  - No create/edit/delete permissions
- Use Case: Executives, auditors, and external consultants
Creating Custom Roles
Role Creation Process
- Navigate to Role Management
  - Go to Settings > Users & Security > Roles
  - Click "Create New Role"
- Define Role Details
  - Role name (e.g., "Regional Manager")
  - Role description
  - Parent role (for inheritance)
  - Branch assignments
- Configure Permissions
  - Select modules to grant access
  - Set permission levels (View, Create, Edit, Delete)
  - Configure workflow approval permissions
  - Set data export permissions
- Save and Assign
  - Save the role configuration
  - Assign role to users
  - Users inherit permissions immediately
Permission Matrix
The permission system uses a grid-based matrix for granular control:
| Module | View | Create | Edit | Delete | Approve | Export |
|---|---|---|---|---|---|---|
| Sales | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ |
| Purchases | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ |
| Inventory | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Financial | ✓ | ✓ | ✓ | ✗ | ✓ | ✓ |
| Reports | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ |
| Settings | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
Assigning Roles
Single User Assignment
- Navigate to User Management
- Select the user
- Click "Edit Roles"
- Select roles to assign
- Save changes
Bulk Assignment
- Navigate to User Management
- Select multiple users
- Click "Assign Roles"
- Select role to assign
- Apply to selected users
Branch-Specific Roles
- Roles can be restricted to specific branches
- Users with branch-specific roles only access assigned branches
- Useful for multi-branch organizations
- Configured during role assignment
Permission Inheritance
Hierarchical Inheritance
- Child roles inherit permissions from parent roles
- Can add additional permissions to child roles
- Cannot remove inherited permissions
- Simplifies role management
Example Hierarchy
Organization Admin (Parent)
├── Branch Manager (Child)
│ ├── Sales Manager (Grandchild)
│ └── Inventory Manager (Grandchild)
└── Accountant (Child)
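Because inherited permissions cannot be removed, a role's direct grants understate what it can actually do. The following added example (not QoBooks code) resolves effective permissions up the parent chain and reports which ancestor supplies each one; the role names follow the hierarchy above, while the per-role grants and the "needed" set are constructed assumptions.

```python
# Added example, not QoBooks code. Role names follow the page's hierarchy;
# the grants per role are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Role:
    name: str
    parent: Optional["Role"] = None
    grants: set = field(default_factory=set)   # direct {(module, action)} grants

def provenance(role):
    """Map each effective (module, action) to the nearest role in the chain granting it."""
    source, seen, node = {}, set(), role
    while node is not None:
        if node.name in seen:                   # misconfigured parent loop
            raise ValueError(f"cycle in role hierarchy at {node.name!r}")
        seen.add(node.name)
        for perm in node.grants:
            source.setdefault(perm, node.name)  # nearest grant wins; parents only add
        node = node.parent
    return source

def excess(role, needed):
    """Effective permissions beyond what the job function needs, with the granting role."""
    return {p: src for p, src in provenance(role).items() if p not in needed}

# Constructed grants for the page's example chain.
ORG_ADMIN = Role("Organization Admin", grants={
    ("settings", "edit"), ("financial", "approve"), ("sales", "view")})
BRANCH_MANAGER = Role("Branch Manager", parent=ORG_ADMIN, grants={
    ("sales", "approve"), ("inventory", "edit")})
SALES_MANAGER = Role("Sales Manager", parent=BRANCH_MANAGER, grants={
    ("sales", "create")})

# Assumption: what a sales manager's job function actually requires.
SALES_MANAGER_NEEDS = {("sales", "view"), ("sales", "create"), ("sales", "approve")}

if __name__ == "__main__":
    for perm, src in sorted(excess(SALES_MANAGER, SALES_MANAGER_NEEDS).items()):
        print(f"{perm[0]}:{perm[1]} inherited from {src}")
```

Anything `excess` returns can only be dropped by choosing a narrower parent role, since the inheritance rules above do not allow removing it on the child.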
Workflow Permissions
Approval Workflows
- Certain actions require approval based on role
- Configurable approval chains
- Multi-level approval support
- Automatic routing based on permissions
Common Approval Scenarios
- Large purchase orders
- Stock adjustments above threshold
- Discount approvals
- Credit note approvals
- Expense approvals
Data Access Control
Organization-Level
- Users can only access data within their organization
- Cross-organization data isolation
- Enforced at database level
- Prevents data leakage
Branch-Level
- Multi-branch organizations can restrict by branch
- Users see only assigned branch data
- Configurable per role
- Useful for distributed operations
Field-Level
- Sensitive fields can be hidden based on role
- Examples: Cost prices, margins, supplier details
- Configured in role settings
- Maintains data confidentiality
Auditing and Compliance
Permission Changes
- All permission changes are logged
- Audit trail includes:
  - Who made the change
  - When the change was made
  - What permissions were modified
  - Reason for change (if provided)
Access Logs
- User access attempts logged
- Failed access attempts flagged
- Geographic location tracking
- Device information recorded
Compliance Reporting
- Generate permission audit reports
- Export access logs
- Review user activity
- Identify security risks
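As an added example (not QoBooks code or its export format), the sketch below reviews permission-change audit records using the four logged fields listed above. The field names, the records, the role assignments and the choice of Delete/Approve/Export as actions worth a second look are all constructed assumptions.

```python
# Added example, not QoBooks code. Field names and all records are constructed;
# the page only states that who / when / what / reason are logged.
REVIEW_ACTIONS = {"delete", "approve", "export"}   # assumption: actions to review

CHANGES = [
    {"when": "2024-03-01T09:12:00Z", "actor": "alice", "role": "Sales Staff",
     "added": [("sales", "export")], "removed": [], "reason": "Month-end reporting"},
    {"when": "2024-03-02T22:47:00Z", "actor": "bob", "role": "Accountant",
     "added": [("financial", "delete"), ("financial", "approve")], "removed": [],
     "reason": ""},
    {"when": "2024-03-03T10:05:00Z", "actor": "carol", "role": "Viewer",
     "added": [("reports", "view")], "removed": [], "reason": "New auditor"},
]
# Constructed map of which roles each actor currently holds.
ASSIGNMENTS = {"alice": {"Organization Admin"}, "bob": {"Accountant"},
               "carol": {"Organization Admin"}}

def review(changes, assignments):
    """Return (when, actor, role, reasons) for each change that needs a second look."""
    findings = []
    for c in changes:
        reasons = []
        if not (c.get("reason") or "").strip():
            reasons.append("no reason recorded")
        risky = sorted(f"{m}:{a}" for m, a in c["added"] if a in REVIEW_ACTIONS)
        if risky:
            reasons.append("grants " + ", ".join(risky))
        if c["role"] in assignments.get(c["actor"], set()):
            reasons.append("actor holds the modified role")   # change benefits the actor
        if reasons:
            findings.append((c["when"], c["actor"], c["role"], reasons))
    return sorted(findings)                 # ISO timestamps sort chronologically

if __name__ == "__main__":
    for when, actor, role, reasons in review(CHANGES, ASSIGNMENTS):
        print(f"{when} {actor} -> {role}: {'; '.join(reasons)}")
```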
Best Practices
Role Design
- Apply the principle of least privilege
- Create roles based on job functions
- Avoid overly broad permissions
- Regularly review and update roles
- Document role purposes
User Management
- Assign appropriate roles immediately
- Remove roles when job functions change
- Regularly audit user permissions
- Deactivate unused accounts
- Use temporary roles for special projects
Security
- Enable MFA for admin roles
- Run regular permission audits
- Monitor for permission abuse
- Implement IP restrictions for sensitive roles
- Train users on security best practices
Troubleshooting
User Cannot Access Module
- Verify role has module permission
- Check branch assignments
- Ensure user is active
- Clear browser cache
- Contact administrator
Permission Changes Not Taking Effect
- User may need to log out and log back in
- Check for permission inheritance conflicts
- Verify role is properly saved
- Check browser for cached permissions
- Contact support if issue persists
Cannot Create Custom Role
- Verify you have admin permissions
- Check if role name already exists
- Ensure parent role exists (if specified)
- Contact super admin if needed
User Sees Unauthorized Data
- Check branch assignments
- Verify organization membership
- Review role permissions
- Check for data sharing rules
- Contact administrator