Roles and Permissions

Roles are named sets of permissions you assign to users. Permissions decide what someone can see and do in OpsOS.

The role name is for your team. The permissions attached to it are what matter.

How permissions work

Every action in OpsOS — viewing a purchase order, creating a shift, revealing a Vault secret — is controlled by a named permission. Permissions are grouped by module.

A user gets permissions in three ways:

Source     What it means
Role       The user's assigned role directly has that permission
Inherited  The role inherits from a parent role that has the permission
Direct     The permission is granted directly to this user, on top of their role

All three sources are additive. A user has a permission if any source grants it. There is no deny mechanism.

Role inheritance

A role can inherit from one or more parent roles. When it does, it automatically gains all the permissions those parent roles have, in addition to its own.

This is useful for building a hierarchy. For example, a "Senior Buyer" role might inherit from "Buyer" and then have a few additional permissions like Approve Purchase Orders on top.

Inherited permissions appear in the permissions grid marked Inherited and cannot be toggled there — you change them on the parent role instead.

User direct permissions

Sometimes you need to give one specific user access to something without changing their role for everyone on it. Direct permissions let you do this.

Direct permissions are added on a user's profile under the Access tab. They persist if the user's role changes.

Direct permissions appear in the effective permissions list with a Direct source badge so it is always clear where the access comes from.

Permission prerequisites

Some permissions cannot be active unless another permission is already present. For example, Create Purchase Orders requires Access Purchasing to be in place first. The permissions manager shows unavailable permissions greyed out and tells you what is needed to unlock them.

If you tick a permission that has unmet prerequisites, the system will offer to grant the prerequisites at the same time.
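
The sketch below is an added example, not OpsOS code: it models the three additive sources and the prerequisite rule described above so you can see where each piece of a user's access comes from. The "Viewer" role, the Vault permission names, the data layout and the transitive handling of parent roles are assumptions made for illustration.

```python
# Added example: a model of the rules on this page, not OpsOS code.
# Role data, the "Viewer" role and the Vault permission names are constructed.
ROLES = {  # role name -> (own permissions, parent roles)
    "Viewer": ({"Access Purchasing"}, []),
    "Buyer": ({"Access Purchasing", "Create Purchase Orders"}, []),
    "Senior Buyer": ({"Approve Purchase Orders"}, ["Buyer"]),
}
PREREQUISITES = {  # permission -> permissions that must already be present
    "Create Purchase Orders": {"Access Purchasing"},
    "Reveal Vault Secrets": {"Access Vault"},
}


def inherited_permissions(role, roles, seen=None):
    """Permissions gained from parents; following grandparents is an assumption."""
    seen = {role} if seen is None else seen
    gained = set()
    for parent in roles[role][1]:
        if parent in seen:  # already visited: also stops an inheritance loop
            continue
        seen.add(parent)
        gained |= roles[parent][0] | inherited_permissions(parent, roles, seen)
    return gained


def effective_permissions(role, direct, roles=ROLES):
    """Map each permission to every source granting it (additive, no deny)."""
    sources = {}
    grants = (("Role", roles[role][0]),
              ("Inherited", inherited_permissions(role, roles)),
              ("Direct", set(direct)))
    for label, perms in grants:
        for perm in perms:
            sources.setdefault(perm, []).append(label)
    return sources


def unmet_prerequisites(sources, prerequisites=PREREQUISITES):
    """Held permissions whose prerequisites are missing from the effective set."""
    held = set(sources)
    return {p: sorted(prerequisites[p] - held)
            for p in held if prerequisites.get(p, set()) - held}


def direct_only(role, direct, roles=ROLES):
    """Permissions the user would lose if the direct grants were removed."""
    sources = effective_permissions(role, direct, roles)
    return sorted(p for p, src in sources.items() if src == ["Direct"])
```

Calling direct_only with a user's old role and then their new role shows which access remains solely because of direct grants, including grants that previously duplicated a role permission.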

Where roles fit

Area                 How roles are used
All modules          Roles control module access and what actions a user can take
User management      Every user is assigned exactly one role
Permissions Manager  Roles are configured in the permissions grid
User profiles        Direct permissions are added on top of the role

Create a role

  1. Go to Settings → Roles → Create Role.
  2. Enter a name.
  3. Click Create Role.

After that, open the role and use The Permissions Manager to set what the role can do.

Add inheritance to a role

  1. Go to Settings → Roles.
  2. Open the role you want to update.
  3. Click Edit Role.
  4. Select the parent role or roles to inherit from.
  5. Click Save Inheritance.

Edit a role

  1. Go to Settings → Roles.
  2. Open the role you want to update.
  3. Click Edit Role.
  4. Change the role name if needed.
  5. Add or remove inherited parent roles if the role should inherit from other roles.
  6. Click Save Role or Save Inheritance, depending on the section you changed.

After that, open The Permissions Manager if you need to change what the role can do.

Delete a role

  1. Go to Settings → Roles.
  2. Open the role you want to remove.
  3. Check the user list — move those users to a different role first.
  4. Delete the role.

Deleting a role is a soft delete. It is hidden from normal tenant users, but existing history remains intact.

Restore a deleted role

  1. A super admin must enter the tenant in Super Admin Active mode.
  2. Go to Settings → Roles.
  3. Find the deleted role row.
  4. Click Restore.

Things to know

  • Each user has exactly one role.
  • If a role does not have access to a module, users on that role will not see that module at all.
  • Changing a role's permissions takes effect immediately for all users on that role.
  • Direct user permissions survive a role change.
  • Deleted roles stay hidden from normal users until a super admin restores them.
  • For the full grid across every role and permission, see The Permissions Manager.
  • For a full list of every permission and what it does, see the Permissions Reference.

Next article

The Permissions Manager

The permissions manager is the main grid for controlling what a role can do. Choose a role, then review and change its permissions grouped by module.