Introduction
This document describes the built-in global roles in the system and the permissions granted to each role.
In this Article
- Role Definition
- Permission Definition
- Permission Types
- Entities (aka Resources)
- Entity Category
- Global Roles & Purpose
- Common Permission Across 3 Global Roles
- Differing Permission Across 3 Global Roles
- Full Permission List
- Users with Multiple Roles
- Performing Actions Not Permitted
- Creating Users with Role
- Changing User's Role
Role Definition
Role is a named collection of permissions on resources. For e.g. Administrator role has view, create, update, delete, and list, permissions to all entities, including but not limited to, Order, Product, Inventory in the system.
Permission Definition
Permission is a grant to perform a specific action on a specific resource. For e.g. permission to read an Order.
Permission is granted on a entity type, which means the permission applies to all entities of that type. For e.g. permission to read an Order, means grant to read all Orders in the system.
Permission Types
There are 5 types of permissions (aka grants, aka actions).
- Read (aka View) - View details of a specific entity / resource type
- Create - Create a specific entity / resource type
- Update - Update a specific entity / resource type
- Delete - Delete a specific entity / resource type
- List - List all instances of a specific entity / resource type
Entities (aka Resources)
Entity is an instance of an Entity Type. For e.g. Order is an Entity Type. Order #SO-1001 is an entity (aka instance) of Order entity type. As mentioned earlier, permissions are on the Entity Type, not on specific instance of the entity type. Therefore, permission is granted on entity type Order, not on #SO-1001. Once you have view permission to Order, you can view #SO-1001, as well as all other Orders in the system.
Entity Category
There are 3 logical Entity / Resource Type categories:
- Account / Organization Entity - Entities that represent users, APIs, billing, and the account level information such as Organization Name, Account contact, address, etc. These entities are bare minimal required to get an organization created. They do not control the overall eCommerce flow in the system.
- Configuration Entity - Resources that control the configuration the influence the flow of Orders, Product, Inventory, etc. These entities influence what happen to the various transactions flowing through the system. E.g. Integrations, Routing Rules, Automation Rules, Shipping Method Mapping, Filters, etc.
- Transaction Entity - Resources that control the configuration the influence the flow of Orders, Product, Inventory, etc. These entities influence what happen to the various transactions flowing through the system. E.g. Sales Orders, Purchase Orders, Transfer Orders, Products, Inventory, Returns, Refunds, etc.
Global (aka Built-In) Roles & Purpose
There are 3 Global (aka built-in) Roles.
- Administrator - Sometime referred to as Admin, is the super user in the system. Administrator has all permissions (Read, Create, Update, Delete, List) on all Account, Configuration and Transaction Entities in the system. This is the default role assigned to the user who creates the organization. This is the ONLY role that can add & manage other users, as well as manage Billing/Subscription. This role can do everything in the system.
- Developer - As the name suggest, it is meant for someone to setup the system and test it. This role has all permissions (Read, Create, Update, Delete, List) to Configuration & Transaction Entities.
- User - As the name suggest, it is meant for day-to-day operator of the system. This role has all permissions (Read, Create, Update, Delete, List) to Transaction Entities, while only view and list permission to Configuration Entities.
Common Permissions Across All 3 Global Roles
* Permission - Create (C), View (R), Update (U), Delete (D), List (L)
| Entity / Resource | Permissions* |
| Arrival | C, R, U, D, L |
| Automation Rule | C, R, U, D, L |
| Automation Run | R, L |
| Entity Schema | R, L |
| Filter | C, R, U, D, L |
| Fulfillment | C, R, U, D, L |
| Inventory | C, R, U, D, L |
| Job (Bulk Jobs) | C, R, U, D, L |
| Label | C, R, U, D, L |
| Location | C, R, U, D, L |
| Order Routing Rule | C, R, U, D, L |
| Orders | C, R, U, D, L |
| Products | C, R, U, D, L |
| Purchase Order | C, R, U, D, L |
| Receipt | C, R, U, D, L |
| Refund | C, R, U, D, L |
| Return | C, R, U, D, L |
| Shipping Request | C, R, U, D, L |
| Shipping Method Mapping | C, R, U, D, L |
| Settlement Report | C, R, U, D, L |
| Suppliers | C, R, U, D, L |
| Transfer Order | C, R, U, D, L |
Differing Permissions Across All 3 Global Roles
* Permission - Create (C), View (R), Update (U), Delete (D), List (L)
| User Permission* | Dev Permission* | Admin Permission* | |
| Accounts | R, L | R, L | R, L |
| API Key | L | C, R, U, D, L | C, R, U, D, L |
| Automation Runs | R, L | R, L | R, L |
| Entity Schema | R, L | R, L | R, L |
| Events | R, L | C, R, U, D, L | C, R, U, D, L |
| exception_categories | R, L | C, R, U, D, L | C, R, U, D, L |
| exception_filters | R, L | C, R, U, D, L | C, R, U, D, L |
| Exceptions | R, U, L | C, R, U, D, L | C, R, U, D, L |
| Integration Actions | R, L | C, R, U, D, L | C, R, U, D, L |
| Integrations | L | C, R, U, D, L | C, R, U, D, L |
| Entity Mappings | R, L | C, R, U, D, L | C, R, U, D, L |
| Notes | R, L | C, R, U, D, L | C, R, U, D, L |
| Organizations | R, L | R, L | C, R, U, D, L |
| References | R, L | R, L | R, L |
| Roles | R, L | R, L | C, R, U, D, L |
| Order Routings | R, L | C, R, U, D, L | C, R, U, D, L |
| Shipment Logs | R, L | R, L | R, L |
| Users | R, L | R, L | C, R, U, D, L |
| Webhooks | C, R, U, D, L | C, R, U, D, L | |
| Arrival | C, R, U, D, L | C, R, U, D, L | C, R, U, D, L |
| Automation Rule | C, R, U, D, L | C, R, U, D, L | C, R, U, D, L |
| Automation Run | R, L | ||
| Entity Schema | R, L |
Full Permissions List Across All 3 Global Roles
* Permission - Create (C), View (R), Update (U), Delete (D), List (L)
| User Permission* | Dev Permission* | Admin Permission* | |
| Accounts | R, L | R, L | R, L |
| API Key | L | C, R, U, D, L | C, R, U, D, L |
| Arrival | C, R, U, D, L | C, R, U, D, L | C, R, U, D, L |
| Automation Rule | C, R, U, D, L | C, R, U, D, L | C, R, U, D, L |
| Automation Run | R, L | R, L | R, L |
| Entity Filter | C, R, U, D, L | C, R, U, D, L | C, R, U, D, L |
| Entity Schema | R, L | R, L | R, L |
| Entity Mappings | R, L | C, R, U, D, L | C, R, U, D, L |
| Events | R, L | C, R, U, D, L | C, R, U, D, L |
| Exception Category | R, L | C, R, U, D, L | C, R, U, D, L |
| Exception Filter | R, L | C, R, U, D, L | C, R, U, D, L |
| Exceptions | R, U, L | C, R, U, D, L | C, R, U, D, L |
| Fulfillment | C, R, U, D, L | C, R, U, D, L | C, R, U, D, L |
| Integration Actions | R, L | C, R, U, D, L | C, R, U, D, L |
| Integrations | L | C, R, U, D, L | C, R, U, D, L |
| Inventory | C, R, U, D, L | C, R, U, D, L | C, R, U, D, L |
| Job (Bulk Jobs) | C, R, U, D, L | C, R, U, D, L | C, R, U, D, L |
| Label | C, R, U, D, L | C, R, U, D, L | C, R, U, D, L |
| Location | C, R, U, D, L | C, R, U, D, L | C, R, U, D, L |
| Notes | R, L | C, R, U, D, L | C, R, U, D, L |
| Organizations | R, L | R, L | C, R, U, D, L |
| Order Routing Rule | R, L | C, R, U, D, L | C, R, U, D, L |
| Orders | C, R, U, D, L | C, R, U, D, L | C, R, U, D, L |
| Products | C, R, U, D, L | C, R, U, D, L | C, R, U, D, L |
| Purchase Order | C, R, U, D, L | C, R, U, D, L | C, R, U, D, L |
| References | R, L | R, L | R, L |
| Roles | R, L | R, L | C, R, U, D, L |
| Receipt | C, R, U, D, L | C, R, U, D, L | C, R, U, D, L |
| Refund | C, R, U, D, L | C, R, U, D, L | C, R, U, D, L |
| Return | C, R, U, D, L | C, R, U, D, L | C, R, U, D, L |
| Shipping Request | C, R, U, D, L | C, R, U, D, L | C, R, U, D, L |
| Shipment Logs | R, L | R, L | R, L |
| Shipping Method Mapping | C, R, U, D, L | C, R, U, D, L | C, R, U, D, L |
| Settlement Report | C, R, U, D, L | C, R, U, D, L | C, R, U, D, L |
| Suppliers | C, R, U, D, L | C, R, U, D, L | C, R, U, D, L |
| Transfer Order | C, R, U, D, L | C, R, U, D, L | C, R, U, D, L |
| Users | R, L | R, L | C, R, U, D, L |
| Webhooks | L | C, R, U, D, L | C, R, U, D, L |
Users with Multiple Roles
A user can be assigned multiple roles. In that case, the most permissible grant is applied. For e.g. a user has both the "User" and "Developer" role, user will be allowed to view, create and update integrations because the "Developer" role allows it.
Performing Action Not Permitted
If the user tries to perform an action not permitted to the role assigned to the user, the user will see an "Access explicitly denied" error. See examples of such errors in the UI.
A red color floating notification bar:
A page showing access denied error:
Creating Users with Roles
Admins can create user from Settings > Users menu. Click on Invite on the top right corner. An invite user dialog will open. Provide Name, Email (which is the login user ID), and select from one of the 3 built-in roles.
Changing User's Role
Admins can change a user's role from Settings > Users menu. Click on the user's Name. An edit user dialog will open. Select a different role under the Role drop down.
Edit User dailog:
Comments
0 comments