Permissions
Permissions follow the pattern `action:resource` (for example `create:inbound-order`). Users receive permissions through the roles assigned to them.
How permission checks actually work
When an endpoint is protected, the system looks for a role permission whose value exactly matches the required `action:resource` string, or the single super-permission `*:*`.
This has two important consequences that differ from many RBAC systems:
- There is no `manage` expansion. A `manage:warehouse` permission does not grant `create:warehouse`, `read:warehouse`, etc. Each action must be granted explicitly.
- There are no partial wildcards. `read:*` or `*:warehouse` are not honoured. The only wildcard that works is the exact string `*:*`, which grants everything.
So in practice you grant the four concrete actions you need, or you grant `*:*` for a full administrator.
Actions
Only four actions are enforced, plus the `*:*` super-permission.
| Action | Description |
|---|---|
| `create` | Create new records |
| `read` | View records |
| `update` | Modify existing records (includes workflow steps such as start-receiving, reserve, complete) |
| `delete` | Remove records |
| `*:*` | Full access to everything (super-administrator) |
A `manage` action and a `scan` action exist in the permission catalogue and can be assigned to a role, but no endpoint currently checks for them — they grant nothing on their own. Don’t rely on them.
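The following added example (not the project's own code) shows the exact-match check described in “How permission checks actually work” as a small reference implementation, together with a linter that flags grants the check will never honour: partial wildcards and the unenforced `manage` and `scan` actions. The function names, `ENFORCED_ACTIONS`, and the sample role are assumptions made for the example.

```python
# Added example: reference implementation of the exact-match permission check
# plus a linter for role grants that quietly do nothing. Function names and
# the sample role are assumed for illustration, not the project's own API.

ENFORCED_ACTIONS = {"create", "read", "update", "delete"}
SUPER = "*:*"


def has_permission(role_permissions, required):
    """True only on an exact action:resource match or the *:* super-permission.

    No manage expansion and no partial wildcards: 'manage:warehouse',
    'read:*' and '*:warehouse' never satisfy any required permission.
    """
    perms = set(role_permissions)
    return SUPER in perms or required in perms


def dead_grants(role_permissions):
    """Return the grants in a role that no endpoint will ever honour.

    Flags malformed strings, partial wildcards (read:*, *:warehouse) and
    catalogue actions that are not enforced (manage, scan).
    """
    dead = []
    for perm in role_permissions:
        if perm == SUPER:
            continue
        action, sep, resource = perm.partition(":")
        if not sep or not action or not resource:
            dead.append(perm)  # malformed, e.g. "read" or "read:"
        elif "*" in (action, resource):
            dead.append(perm)  # partial wildcard, not honoured
        elif action not in ENFORCED_ACTIONS:
            dead.append(perm)  # manage/scan exist in the catalogue but are never checked
    return dead


# Constructed sample role: built with manage/wildcard grants instead of the
# four concrete actions, so most of it grants nothing.
SAMPLE_ROLE = ["manage:warehouse", "read:*", "scan:bin", "read:inbound-order"]

if __name__ == "__main__":
    print(has_permission(SAMPLE_ROLE, "read:inbound-order"))  # True
    print(has_permission(SAMPLE_ROLE, "create:warehouse"))    # False
    print(has_permission(["*:*"], "delete:user"))             # True
    print(dead_grants(SAMPLE_ROLE))  # ['manage:warehouse', 'read:*', 'scan:bin']
```

Running `dead_grants` over each role before deployment catches the `manage:*`-style mistakes the manager section below warns about.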
Resources
These are the resources that are actually enforced by an endpoint, and which actions are available for each. (Some entities exist in the system but have no permission check — see the note below.)
| Resource | Actions enforced | Description |
|---|---|---|
| `warehouse` | create, read, update, delete | Warehouse entities |
| `warehouse-item` | read | Item enrollments per warehouse (create/update/delete are not permission-checked) |
| `item` | create, read, update, delete | Global item catalog |
| `category` | create, read, update, delete | Item categories |
| `zone` | create, read, update, delete | Warehouse zones |
| `aisle` | create, read, update, delete | Aisles |
| `rack` | create, read, update, delete | Racks |
| `shelf` | create, read, update, delete | Shelves |
| `bin` | create, read, update, delete | Storage bins |
| `lot` | create, read, update | Lots / batches (no delete) |
| `inbound-order` | create, read, update, delete | Inbound (receiving) orders — lines are managed through the order |
| `outbound-order` | create, read, update, delete | Outbound (dispatch) orders — lines are managed through the order |
| `transfer-order` | create, read, update, delete | Internal transfer orders — lines are managed through the order |
| `stock-count` | create, read, update, delete | Stock count sessions |
| `inventory-transaction` | create, read, update, delete | Inventory transaction ledger |
| `serialized-unit` | read | Serialized / RFID unit records |
| `user` | create, read, update, delete | User accounts |
| `role` | create, read, update, delete | Roles |
| `permission` | create, read, update, delete | Permission records |
| `role-permission` | create, read, update, delete | Role-permission assignments |
| `audit-log` | read | Audit log entries |
Unguarded operations. Stock adjustments (`stock-adjustment`) and the create/update/delete of `warehouse-item` enrollments currently have no permission check — any authenticated user can perform them. Order lines (`inbound-line`, `outbound-line`, `transfer-line`) are not checked individually; they are created and edited through their parent order, so the order permission is what matters.
Common permission sets
Receiving team
- `create:inbound-order`
- `read:inbound-order`
- `update:inbound-order`
- `read:warehouse-item`
- `read:bin`
- `read:lot`

(`update:inbound-order` covers start-receiving, recording receipts, and completing the order.)
Picking / dispatch team
- `create:outbound-order`
- `read:outbound-order`
- `update:outbound-order`
- `read:warehouse-item`
- `read:bin`

(`update:outbound-order` covers reserving and completing the order.)
Transfer / putaway team
- `create:transfer-order`
- `read:transfer-order`
- `update:transfer-order`
- `read:warehouse-item`
- `read:bin`

(`update:transfer-order` covers completing the transfer.)
Stock count team
- `create:stock-count`
- `read:stock-count`
- `update:stock-count`
- `read:warehouse-item`
- `read:bin`

(`update:stock-count` covers recording counts and completing the session.)
Warehouse manager
Grant the concrete actions explicitly — `manage:*` does nothing.
- `create:warehouse-item`
- `read:warehouse-item`
- `update:warehouse-item`
- `create:category`
- `read:category`
- `update:category`
- `delete:category`
- `create:stock-count`
- `read:stock-count`
- `update:stock-count`
- `delete:stock-count`
- `read:inventory-transaction`
- `read:audit-log`
- `create:zone`
- `read:zone`
- `update:zone`
- `delete:zone`
- `create:bin`
- `read:bin`
- `update:bin`
- `delete:bin`
- `create:rack`
- `read:rack`
- `update:rack`
- `delete:rack`
- `create:shelf`
- `read:shelf`
- `update:shelf`
- `delete:shelf`
- `create:aisle`
- `read:aisle`
- `update:aisle`
- `delete:aisle`

System administrator
- `*:*`