System — Users & Roles

Access control & role management

Role-Based Access Control with 20+ predefined roles, JWT RS256 token authentication, device-level session management, and fine-grained permission wildcards across all business contexts.


Role-Based Access Control

Every action in the system is guarded by a permission check. Roles bundle sets of permissions; users inherit all permissions of their assigned role.

1. Role assignment
   Assign one or multiple roles per user. Roles can be scoped to a specific department or branch.

2. Permission model
   Wildcard syntax: resource:action:scope. Supports * for any resource, action, or scope.

3. Session control
   Each login creates a device-bound session. Admins can view and revoke active sessions per user.

4. Token lifecycle
   Short-lived access tokens (JWT RS256) with refresh rotation. Configurable TTL per role.


Permission model: resource:action:scope

Three-part syntax gives precise, composable control. A user gets the union of all their roles' permissions: grants are additive only and there are no deny rules, so adding a role can only widen access and removing one can only narrow it. No conflicts, no inheritance gaps.

// full access to everything
*:*:*
// own orders + approve contracts + read reports
orders:*:own   contracts:approve   reports:read
// warehouse — own zone, read-only on orders
inventory:*:department   orders:read:*
  • resource — any entity or * for all contexts
  • action — read, create, update, delete, approve, export… or *
  • scope — own, department, all, or * for global access
  • Two-part strings such as contracts:approve carry no scope part; when composing custom roles, write all three parts explicitly so the intended scope is unambiguous, and test the effective access of the role before assigning it
  • User inherits the union of all assigned roles — additive, no conflicts
  • Roles can be scoped to a specific department or branch
  • Custom roles composed from any combination of permission strings

Predefined system roles

All roles are ready to use out of the box. Custom roles can be composed from existing permission sets.

super_admin

Full system access β€” all resources, all actions, all scopes. Unrestricted.

*:*:*

manager

Cross-departmental view and approval rights. Cannot modify system configuration. Check this against the permission set shown: orders are scoped to own, so cross-departmental visibility of orders needs a department or all scope on the orders resource.

orders:*:own contracts:approve reports:read

accountant

Full access to finance contexts: invoicing, accounting, cash flow. No warehouse or production access.

invoices:* accounting:* payments:*

warehouse

Warehouse operations: stock movements, lot management, picking, receiving. Read-only on orders.

inventory:* receiving:* orders:read

sales_manager

Full CRM and sales cycle access: leads, orders, quotes, contracts. Own records only by default.

leads:*:own orders:*:own catalog:read

viewer

Read-only access across all non-sensitive contexts. Suitable for observers, auditors, and executives. Check this against the permission string: *:read:* matches every resource, finance contexts included, so where some contexts are sensitive, compose a custom role that lists the readable resources explicitly.

*:read:*
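The permission model above and the predefined roles listed in this section, exercised end to end as an added example (not the product's own code). The role strings are transcribed from this page; everything else is an assumption made for the example: two-part strings are given scope *, the scopes form a hierarchy (own < department < all, so a wider grant covers a narrower request), the requested scope is derived from the relation between the actor and the object, and the Actor, Obj and Assignment types are constructed here.

```python
from dataclasses import dataclass
from typing import Optional

# Role permission sets transcribed from this page. Strings with no scope part
# (e.g. "contracts:approve") are normalised to scope "*" here; that default is
# an assumption for this example, the page does not state one.
ROLES = {
    "super_admin":   ["*:*:*"],
    "manager":       ["orders:*:own", "contracts:approve", "reports:read"],
    "accountant":    ["invoices:*", "accounting:*", "payments:*"],
    "warehouse":     ["inventory:*", "receiving:*", "orders:read"],
    "sales_manager": ["leads:*:own", "orders:*:own", "catalog:read"],
    "viewer":        ["*:read:*"],
}

# Assumed hierarchy: a grant at a wider scope also covers narrower requests.
SCOPE_RANK = {"own": 0, "department": 1, "all": 2}


def parse_permission(perm: str) -> tuple:
    """'resource:action[:scope]' -> (resource, action, scope); rejects malformed input."""
    parts = perm.split(":")
    if len(parts) == 2:
        parts.append("*")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"malformed permission {perm!r}")
    if parts[2] != "*" and parts[2] not in SCOPE_RANK:
        raise ValueError(f"unknown scope in {perm!r}")
    return tuple(parts)


@dataclass(frozen=True)
class Assignment:
    role: str
    department: Optional[str] = None  # set => role reaches only that department's objects


@dataclass(frozen=True)
class Actor:
    user_id: str
    department: str
    assignments: tuple


@dataclass(frozen=True)
class Obj:
    owner: str
    department: str


def requested_scope(actor: Actor, obj: Obj) -> str:
    """Derive the scope a request falls into from the actor/object relation."""
    if obj.owner == actor.user_id:
        return "own"
    if obj.department == actor.department:
        return "department"
    return "all"


def grant_covers(grant: tuple, resource: str, action: str, scope: str) -> bool:
    g_res, g_act, g_scope = grant
    if g_res not in ("*", resource) or g_act not in ("*", action):
        return False
    return g_scope == "*" or SCOPE_RANK[g_scope] >= SCOPE_RANK[scope]


def effective_permissions(actor: Actor, roles: dict = ROLES) -> set:
    """Union of every assigned role's grants: additive, nothing can deny.
    Department scoping of an assignment is applied at check time in is_allowed."""
    return {parse_permission(p) for a in actor.assignments for p in roles[a.role]}


def is_allowed(actor: Actor, resource: str, action: str, obj: Obj,
               roles: dict = ROLES) -> bool:
    scope = requested_scope(actor, obj)
    for a in actor.assignments:
        if a.department is not None and a.department != obj.department:
            continue  # department-scoped assignment does not reach this object
        for perm in roles[a.role]:
            if grant_covers(parse_permission(perm), resource, action, scope):
                return True
    return False


if __name__ == "__main__":
    alice = Actor("alice", "sales", (Assignment("manager"),))
    own = Obj(owner="alice", department="sales")
    bobs = Obj(owner="bob", department="sales")
    print(is_allowed(alice, "orders", "update", own))       # True: orders:*:own
    print(is_allowed(alice, "orders", "update", bobs))      # False: own scope only
    print(is_allowed(alice, "contracts", "approve", bobs))  # True: scope defaulted to *
```

Because the check is a plain union, the viewer's *:read:* reaches invoices as well; running the same function against a custom role such as invoices:read:department shows how an explicit scope narrows it.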

Session & security controls

Authentication is built on JWT RS256 with asymmetric key signing. Every authenticated device maintains an independent, traceable session that can be remotely revoked at any time.

JWT RS256 authentication

Asymmetric signing — private key signs, public key verifies, so services that only validate tokens hold no secret and a compromised verifier cannot mint tokens. Verifiers should accept only RS256 and reject any token whose header declares another algorithm. Access token TTL is role-configurable. Refresh tokens are rotated on every use.

  • RS256 asymmetric key pair
  • Configurable access token TTL
  • Refresh token rotation on each use

Device-level sessions

Each authenticated device gets an independent session entry. Administrators can view session metadata (IP, agent, last active) and revoke any session remotely. Note that a signed access token stays cryptographically valid until its exp claim: revocation is immediate only where resource servers also check the session's state on each request, otherwise it takes effect once the current access token expires, which is why the access TTL is kept short.

  • Per-device session tracking
  • IP and user-agent logging
  • Remote session revocation
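The token lifecycle and the device-level session controls from the two subsections above, as one added example (not the product's own code). It issues short-lived access tokens with a per-role TTL, rotates the refresh token on every use, treats a replayed refresh token as a compromise signal and revokes the session, and makes admin revocation take effect on the next request by checking session state alongside the signature. Assumptions: the TTL values, the shortest-TTL rule for multi-role users, and the replay-revokes-session policy are constructed for the example, and an HMAC signer stands in for RS256 so the block runs on the standard library alone; the token layout and the verification checks (pinned algorithm, signature, expiry) are the same ones an RS256 verifier performs with the public key.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Assumed per-role access-token TTLs (seconds); shortest wins for multi-role users.
ACCESS_TTL_BY_ROLE = {"super_admin": 300, "manager": 900, "viewer": 3600}

# The product signs with RS256 (private key signs, public key verifies). An HMAC
# signer stands in so this runs on the standard library alone; token layout and
# checks are unchanged. With RS256: ALG = "RS256", sign with the private key,
# verify with the public key, and pin the algorithm exactly as below.
ALG = "HS256"
DEMO_KEY = b"constructed-demo-key-not-for-production"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_access_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    header = b64url_encode(json.dumps({"alg": ALG, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_access_token(token: str, now: float, key: bytes = DEMO_KEY):
    """Claims if pinned algorithm, signature and expiry all check out, else None."""
    try:
        h64, b64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        # Pin the algorithm first: trusting the header's alg invites "none" and
        # HS256-keyed-with-the-public-key confusion against an RS256 verifier.
        if not isinstance(header, dict) or header.get("alg") != ALG:
            return None
        expected = hmac.new(key, f"{h64}.{b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s64)):
            return None
        claims = json.loads(b64url_decode(b64))
    except ValueError:
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return claims if isinstance(exp, (int, float)) and exp > now else None

@dataclass
class Session:
    sid: str
    user: str
    roles: tuple
    ip: str
    agent: str
    last_active: float
    refresh_token: str                          # current one-time refresh token
    consumed: set = field(default_factory=set)  # hashes of refresh tokens already spent
    revoked: bool = False

class SessionStore:
    """One entry per authenticated device; store.sessions is the admin view."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, roles, ip, agent, now):
        s = Session(secrets.token_urlsafe(16), user, tuple(roles), ip, agent,
                    now, secrets.token_urlsafe(32))
        self.sessions[s.sid] = s
        return s, self._access(s, now), s.refresh_token

    def _access(self, s, now):
        ttl = min(ACCESS_TTL_BY_ROLE.get(r, 900) for r in s.roles)
        return sign_access_token({"sub": s.user, "sid": s.sid, "roles": list(s.roles),
                                  "iat": int(now), "exp": int(now) + ttl})

    def refresh(self, sid, presented, now):
        s = self.sessions.get(sid)
        if s is None or s.revoked:
            return None
        digest = hashlib.sha256(presented.encode()).hexdigest()
        if digest in s.consumed:
            # Replay of a rotated-out token: a stale copy exists somewhere, so
            # revoke the whole session rather than guess who holds it.
            s.revoked = True
            return None
        if not hmac.compare_digest(presented.encode(), s.refresh_token.encode()):
            return None
        s.consumed.add(digest)                   # rotation: the old token is now dead
        s.refresh_token = secrets.token_urlsafe(32)
        s.last_active = now
        return self._access(s, now), s.refresh_token

    def authorize(self, token, now):
        claims = verify_access_token(token, now)
        s = self.sessions.get(claims.get("sid")) if claims else None
        return claims if s is not None and not s.revoked else None  # revocation is immediate

    def revoke(self, sid):
        if sid in self.sessions:
            self.sessions[sid].revoked = True
```

A resource server that calls authorize() sees an admin revocation on the very next request; one that only calls verify_access_token() sees it when the access token expires, so the two entry points make the trade-off in the caveat above concrete.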