Last verified: 2026-05-19
Permissions matrix
How business roles map to capabilities. Staff assignments may further restrict access within an organization.
Source (code): apps/saas2/lib/services/authorization-manager.ts — update this article when that file changes.
Platform business roles (hierarchy)
| Role | Hierarchy | Scope |
|---|---|---|
| Staff | 1 | Organization / assigned sub-orgs |
| Manager | 2 | Staff + extended POS, inventory, limited cash/reporting |
| Admin | 3 | Full organization management |
| Superadmin | 4 | Entire platform (resource: *, action: *) |
Note: Dashboard login role is staff | admin | superadmin | customer. Manager is a permission tier applied to staff users, not a separate login role.
Resource × action summary
| Resource | Staff | Manager | Admin | Superadmin |
|---|---|---|---|---|
| pos | read, create_order, update_order (limited), cancel_order (pending) | + void_order, refund_order (capped) | (via org config) | * |
| table | read | read | manage | * |
| product | read | update | manage | * |
| inventory | read, update (capped adj.) | update | manage | * |
| customer | read, create | read, create | manage | * |
| staff | — | read, schedule (own sub-org) | manage, invite | * |
| cash | — | count, deposit (capped) | manage | * |
| payment | — | — | manage | * |
| financial | — | — | manage | * |
| report | read (daily/shift) | read, export | manage | * |
| analytics | — | — | manage | * |
| organization | — | — | manage | * |
| suborganization | — | — | manage | * |
| category | — | — | manage | * |
| system | — | — | manage | * |
| security | — | — | manage | * |
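
A deny-by-default check over a subset of the matrix above, resolving the Manager tier from a staff login as the note describes. This is an added example, not code from authorization-manager.ts: all names are hypothetical, and it assumes that `manage` covers every action on its resource and that admin has no static `pos` grant because that cell reads "(via org config)".

```typescript
// Added example: Tier, GRANTS, effectiveTier and can are hypothetical names,
// not taken from authorization-manager.ts.
type LoginRole = "staff" | "admin" | "superadmin" | "customer";
type Tier = "staff" | "manager" | "admin" | "superadmin";

// Subset of the matrix above. Caps and conditions ("limited", "pending",
// "capped") are not modelled here.
const GRANTS: Record<Tier, Record<string, string[]>> = {
  staff: {
    pos: ["read", "create_order", "update_order", "cancel_order"],
    report: ["read"],
  },
  manager: {
    pos: ["read", "create_order", "update_order", "cancel_order", "void_order", "refund_order"],
    cash: ["count", "deposit"],
    report: ["read", "export"],
  },
  // Assumption: pos is "(via org config)" for admin, so no static grant is listed.
  admin: { cash: ["manage"], payment: ["manage"], report: ["manage"] },
  superadmin: { "*": ["*"] },
};

// "Manager" is a permission tier applied to staff logins, not a login role.
function effectiveTier(login: LoginRole, managerTier = false): Tier | null {
  if (login === "customer") return null; // customers do not use these resources
  if (login === "staff") return managerTier ? "manager" : "staff";
  return login; // admin and superadmin map to themselves
}

function can(login: LoginRole, resource: string, action: string, managerTier = false): boolean {
  const tier = effectiveTier(login, managerTier);
  if (tier === null) return false;
  const table = GRANTS[tier];
  // An unlisted resource falls through to the wildcard row, then to "no actions".
  const actions = table[resource] ?? table["*"] ?? [];
  // Assumption: "manage" covers every action on its resource; "*" covers everything.
  return actions.indexOf(action) !== -1
    || actions.indexOf("manage") !== -1
    || actions.indexOf("*") !== -1;
}
```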
Staff dashboard vs this matrix
The Staff dashboard exposes many routes (orders, accounting, security, etc.). Visibility in the UI is controlled by:
- Organization staff role templates and per-user permissions (/admin/staff/roles, /staff/staff/roles).
- Feature flags and subscription plan limits.
If a staff user cannot see a menu item documented in the KB, check admin-configured permissions before assuming a product bug.
Customer role
Customers access customer dashboard routes (/customer/*) and storefront (/store/{slug}). They do not use the staff/admin permission resources above.
Superadmin role
Superadmin routes live under /superadmin/*. Document platform operations in docs/kb/superadmin/ with audience: internal until explicitly published for partners.
Related articles
- Sign in and account access — slug: shared/sign-in-and-account-access
- Understand staff permissions — slug: staff/understand-staff-permissions