Permissions Matrix

Quick reference: which roles need access to which modules, and what permission level is appropriate. Configure at /admin/roles.

How permissions work: Each staff member has a role. The role defines view / view_own / create / edit / delete per module. view_own restricts the user to seeing only records they created or own. Super admins (admin = 1) bypass all checks.

Core CRM & Sales

Module	Sales Agent	Account Mgr	Sales Manager	Finance	Support	Admin
Leads	view_own + create + edit	view + create + edit	view + create + edit + delete	—	view	✓ all
Opportunities	view_own + create + edit	view + create + edit	view + all	—	view	✓ all
Clients	view + create	view + create + edit	view + all	view	view	✓ all
Contracts	view_own + create	view + create + edit	view + all	view	—	✓ all
Proposals	view_own + create + edit + send	view + all	view + all	—	—	✓ all
Sales Orders	view_own + create + edit	view + all	view + all	view	—	✓ all
Invoices	view_own + create	view + create + edit	view + all	view + create + edit + delete	—	✓ all
Payments	view_own	view	view + create	view + create + edit	—	✓ all
Credit Notes	—	view + create	view + all	view + create + edit	—	✓ all
Price Lists	view	view + create + edit	view + all	—	—	✓ all
Commission	view_own	view_own	view + all	view	—	✓ all

Operations

Module	Project Manager	Developer / Consultant	Support Agent	HR	Admin
Projects	view + create + edit	view_own + edit	view	—	✓ all
Tasks	view + create + edit	view_own + create + edit	view	view_own	✓ all
Support Tickets	view + create + edit	view + create + edit	view + create + edit	—	✓ all
Expenses	view_own + create	view_own + create	—	view	✓ all
Document Management	view + create + edit	view_own	view	view + create	✓ all
Timesheets	view_own + create + edit	view_own + create + edit	—	view	✓ all

Warehouse & Procurement

Module	Warehouse Op.	Warehouse Mgr	Procurement	Finance	Admin
Goods Receipt	view + create	view + create + edit + approve	view	view	✓ all
Delivery Notes	view + create	view + create + edit + approve	—	view	✓ all
Packing Lists	view + create + edit	view + all	—	—	✓ all
Physical Inventory	view + create	view + all + approve	—	view	✓ all
Loss & Adjustments	view + create	view + create + edit + approve	—	view	✓ all
Internal Transfers	view + create	view + all	—	—	✓ all
Commodities (catalogue)	view	view + create + edit	view + create + edit	view	✓ all
Vendors	view	view	view + create + edit	view	✓ all
Purchase Orders	view	view + approve	view + create + edit	view	✓ all
RFQ	—	view	view + create + edit + send	—	✓ all
Vendor Invoices	—	view	view + create + edit	view + create + edit	✓ all

HR, Finance & Admin

Module	HR Manager	Payroll	Finance	IT Admin	Admin
Staff	view + create + edit	view	—	view + create + edit + delete	✓ all
HR Profile	view + create + edit	view + create + edit	—	—	✓ all
HR Payroll	view	view + create + edit	view	—	✓ all
Departments	view + create + edit	—	—	view + create + edit	✓ all
Roles & Permissions	—	—	—	view + create + edit	✓ all
Bank Statement	—	—	view + create + edit	—	✓ all
Taxes / Payment Modes	—	—	view + create + edit	view + create + edit	✓ all
Currencies	—	—	view + create + edit	view + create + edit	✓ all
eFactura (ANAF)	—	—	view + create + edit	view	✓ all
General Settings	—	—	—	view + edit	✓ all
Custom Fields	—	—	—	view + create + edit	✓ all
API Management	—	—	—	view + create + edit	✓ all
Webhooks	—	—	—	view + create + edit	✓ all
Workflow Automation	—	—	—	view + create + edit	✓ all
GDPR	—	—	—	view	✓ all
Activity Log	—	—	—	view	✓ all

Marketing & OmniSales

Module	Marketing Spec.	E-commerce Op.	OMS Manager	Admin
Marketing Campaigns	view + create + edit	—	—	✓ all
Marketing Automation	view + create + activate	—	—	✓ all
Marketing Planner	view + create + send	—	—	✓ all
Lead Forms	view + create	—	—	✓ all
WhatsApp	view + create + send	view + create + send	—	✓ all
Remarketing	view + edit	—	—	✓ all
OmniSales Orders	—	view + create + edit	view + all + approve	✓ all
Sales Channels	—	view	view + create + edit	✓ all
Trade Discounts	—	view	view + create + edit	✓ all
Channel Sync Audit	—	view	view	✓ all

Recommended role presets

Sales Agent

Leads:         view_own + create + edit
Opportunities: view_own + create + edit
Clients:       view + create
Proposals:     view_own + create + edit
Sales Orders:  view_own + create
Invoices:      view_own
Commission:    view_own
Goals:         view

Warehouse Operator

Goods Receipt:    view + create
Delivery Notes:   view + create
Packing Lists:    view + create + edit
Commodities:      view
Internal Transfer:view + create
Physical Inventory:view + create

Finance / Accountant

Invoices:        view + create + edit + delete
Payments:        view + create + edit
Credit Notes:    view + create + edit
Expenses:        view
Bank Statement:  view + create + edit
Currencies:      view + create + edit
eFactura (ANAF): view + create + edit
Reports:         view

Support Agent

Tickets:         view + create + edit
Clients:         view
Projects:        view
Knowledge Base:  view + create

Notes

view_own vs view — use view_own for agents who should only see their own leads/orders. Use view for managers who need team-wide visibility.
Approval permissions — some modules (Goods Receipt, Delivery Notes, Loss & Adjustments) have a separate approve step. Only managers/supervisors should have this.
Delete permission — assign conservatively. Financial records (invoices, payments) should rarely be deletable; use credit notes instead.
Override per staff — individual overrides are possible from /admin/staff/{id} → Permissions tab, without changing the role for everyone.

→ Roles & Permissions module · Staff management · IT Admin guide