How to manage permissions
Roles group permissions; users get access only through the roles assigned to them. To limit which data a user can reach, additionally restrict the user to specific companies and/or branches (data-level security); the role decides what the user may do, the restriction decides on whose data.
1. Roles and permissions
Permissions are fine-grained strings (e.g. api:finance:gl:read, api:finance:payments:approve). Roles are named collections of permissions. Use the security API to list the available roles and permissions, create or update roles, and assign permissions to them. Keep roles narrow: every user holding a role receives all of its permissions, so a role should carry only what its job requires.
2. Assign roles to users
When creating or updating a user, assign one or more roles. The user's effective permissions are the union of all permissions from their roles: adding a role can only add access, never remove it, so a restrictive role does not cancel a permissive one held alongside it. Tenant admins typically have full access within the tenant, so grant that role sparingly.
3. Company and branch restriction
Optionally restrict a user to specific companies and/or branches via assignedCompanies and assignedBranches. If set, the user only sees data for those entities, whatever their roles would otherwise allow. Omit both for tenant-wide data access (still subject to role permissions). Because omission is the permissive default, set them explicitly for any user who should not see every company or branch.
4. Check access
API calls return 403 when the authenticated user lacks the permission required by the endpoint (an authorization failure, as opposed to 401, which means the request was not authenticated at all). To audit what a user can do, use the security API to list the user's roles and the permissions attached to those roles; the union of those permission lists is the user's effective permission set, and their assignedCompanies/assignedBranches bound the data it applies to.
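The following is an added example, written here to make steps 1 to 4 concrete; it is not the product's security API or its code. It models roles as permission sets, computes a user's effective permissions as the union over their roles, applies assignedCompanies/assignedBranches as a data-level filter, and returns 403 when either check fails. The role names, permission strings, users and records are constructed sample data, and treating a "*" permission as "every permission in the tenant" for tenant admins is an assumption of this model.

```python
"""Model of role-based permissions with company/branch scoping.

Added illustration in ordinary Python; it is not the product's security API.
Role names, permission strings, users and records below are constructed
sample data, and the "*" wildcard for tenant admins is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set

# Constructed sample roles: role name -> permissions it carries.
ROLES: Dict[str, Set[str]] = {
    "gl-viewer": {"api:finance:gl:read"},
    "payments-approver": {"api:finance:payments:read",
                          "api:finance:payments:approve"},
    "tenant-admin": {"*"},  # assumption: "*" means every permission in the tenant
}


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]
    assigned_companies: FrozenSet[str] = frozenset()  # empty = tenant-wide
    assigned_branches: FrozenSet[str] = frozenset()   # empty = every branch


@dataclass(frozen=True)
class Record:
    record_id: str
    company: str
    branch: str


def effective_permissions(user: User) -> Set[str]:
    """Union over all roles; a role name with no definition grants nothing."""
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLES.get(role, set())
    return perms


def has_permission(user: User, required: str) -> bool:
    perms = effective_permissions(user)
    return "*" in perms or required in perms


def in_scope(user: User, company: str, branch: str) -> bool:
    """Data-level check: restricted users only see assigned companies/branches."""
    if user.assigned_companies and company not in user.assigned_companies:
        return False
    if user.assigned_branches and branch not in user.assigned_branches:
        return False
    return True


def authorize(user: User, required: str, record: Optional[Record] = None) -> int:
    """HTTP-style outcome for one call: 200 allowed, 403 forbidden.

    The endpoint permission is checked first; when the call targets a record,
    the company/branch restriction is checked as well, and both must pass.
    """
    if not has_permission(user, required):
        return 403
    if record is not None and not in_scope(user, record.company, record.branch):
        return 403
    return 200


def visible(user: User, records: Iterable[Record]) -> List[str]:
    """List endpoints filter rather than fail: return the ids the user may see."""
    return [r.record_id for r in records if in_scope(user, r.company, r.branch)]


def overly_broad(users: Iterable[User], sensitive: str) -> List[str]:
    """Review helper: users holding a sensitive permission with no company restriction."""
    return sorted(u.name for u in users
                  if has_permission(u, sensitive) and not u.assigned_companies)


# Constructed sample users and records.
ALICE = User("alice", frozenset({"gl-viewer", "payments-approver"}),
             assigned_companies=frozenset({"C1"}))
BOB = User("bob", frozenset({"gl-viewer"}))   # tenant-wide, read-only
CAROL = User("carol", frozenset({"tenant-admin"}))
RECORDS = [Record("p-1", "C1", "B1"), Record("p-2", "C2", "B7")]

if __name__ == "__main__":
    print(sorted(effective_permissions(ALICE)))
    print(authorize(ALICE, "api:finance:payments:approve", RECORDS[0]))  # 200
    print(authorize(ALICE, "api:finance:payments:approve", RECORDS[1]))  # 403, other company
    print(authorize(BOB, "api:finance:payments:approve", RECORDS[0]))    # 403, no permission
    print(visible(BOB, RECORDS))                                          # ['p-1', 'p-2']
    print(overly_broad([ALICE, BOB, CAROL], "api:finance:payments:approve"))  # ['carol']
```

Two details worth noting. An unknown role name grants nothing rather than raising, so a typo in a role assignment fails closed. And overly_broad is the review query a practitioner runs after step 4: it lists every user who can exercise a sensitive permission such as api:finance:payments:approve across the whole tenant because assignedCompanies was left empty.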