v2.4.0 (Stable)
Control exactly who can see and do what. The role-based access control system lets you define granular permissions for every team member — from full administrative access down to read-only visibility of a single module.
The system ships with four built-in roles. Managing Director has unrestricted access to all modules and cannot be modified. Admin has broad access across operations, finances, and settings but cannot manage security roles. Accountant has full access to the Finances module and read access to Residents and Inventory. Staff has read access to Residents and Inventory with no financial access. These roles cannot be deleted.
Navigate to Security > Roles and click "Create Role". Give the role a descriptive name (e.g., Medical Officer, Social Worker, Procurement Manager). Then select individual permissions from the permission matrix. Permissions are grouped by module — for example, granting residents.read allows viewing resident profiles without the ability to add or edit them.
Roles are assigned when inviting a user via Settings > Users. You can also change an existing user's role from the same screen. A user can hold multiple roles simultaneously — their effective permissions are the union of all assigned roles. Role changes take effect immediately and are automatically synchronized to the user's security credentials.
When you update a user's roles, the system triggers an automatic permission sync in the background. This writes the updated roles to the user's authentication token so their access is consistent across sessions and devices. Users do not need to log out and back in for role changes to take effect. If a sync fails, the system falls back to reading permissions directly from the database.
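The union rule and the database fallback described above can be sketched as follows. This is an added example, not the product's own code: the `UserStore` class, the `roles_version` counter used to detect a missed sync, and every permission name other than `residents.read` are assumptions made for illustration.

```python
# Constructed role-to-permission map; only residents.read appears in the documentation.
ROLE_PERMISSIONS = {
    "Accountant": {"finances.read", "finances.write", "residents.read", "inventory.read"},
    "Staff": {"residents.read", "inventory.read"},
    "Medical Officer": {"residents.read", "residents.write"},  # hypothetical custom role
}

def effective_permissions(roles):
    """Union of the permissions of every assigned role; unknown roles grant nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

class UserStore:
    """Stand-in for the database, which holds the authoritative role assignments."""
    def __init__(self):
        self.roles = {}    # user_id -> set of role names
        self.version = {}  # user_id -> counter bumped on every role change (assumed)

    def set_roles(self, user_id, roles):
        self.roles[user_id] = set(roles)
        self.version[user_id] = self.version.get(user_id, 0) + 1

def sync_token(store, user_id, token, fail=False):
    """Background sync: copy roles into the token. fail=True simulates a failed sync."""
    if fail:
        return False
    token["roles"] = sorted(store.roles[user_id])
    token["roles_version"] = store.version[user_id]
    return True

def resolve(store, user_id, token):
    """Trust token roles only if they match the latest role change; else read the database."""
    current = store.version.get(user_id)
    if current is not None and token.get("roles_version") == current:
        return effective_permissions(token["roles"]), "token"
    return effective_permissions(store.roles.get(user_id, ())), "database"

def is_allowed(store, user_id, token, permission):
    """Permission check against the resolved effective permissions."""
    perms, _source = resolve(store, user_id, token)
    return permission in perms
```

The case worth checking in any such design is revocation: when a role is removed and the sync fails, the stale token still lists the old role, so the check has to come from the database.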