Roles and Permissions
This page documents the roles and permissions available in the SL API.
Available Roles
The system defines the following roles:
- Admin (`admin`): Highest level of access with full system control
- Manager (`manager`): Store management capabilities with limitations
- Cashier (`cashier`): Point-of-sale operations
Role Capabilities
Admin
Administrators have full access to all system features and can:
- Manage all users, including other admins
- Configure system settings
- Access all business data
- Perform all operations available to other roles
Manager
Managers can manage day-to-day operations but have some restrictions:
- Can create and manage cashiers
- Cannot modify admin accounts or system-level settings
- Can manage store configurations, products, and sales
Cashier
Cashiers have limited access focused on sales operations:
- Process sales transactions
- View customer information
- Access limited product information
- Cannot modify store configurations or user accounts
Permission Details
The table below shows the permissions granted to each role:
| Permission | Admin | Manager | Cashier |
|---|---|---|---|
| Collections | |||
| collections.create | ✓ | ✓ | |
| collections.delete | ✓ | ✓ | |
| collections.update | ✓ | ✓ | |
| collections.view | ✓ | ✓ | |
| Business | |||
| businesses.create | ✓ | ||
| businesses.update | ✓ | ||
| businesses.view | ✓ | ||
| Customer | |||
| customers.view | ✓ | ✓ | ✓ |
| customers.create | ✓ | ✓ | ✓ |
| customers.update | ✓ | ✓ | ✓ |
| customers.delete | ✓ | ✓ | ✓ |
| Devices | |||
| devices.update | ✓ | ✓ | ✓ |
| Discounts | |||
| discounts.create | ✓ | ✓ | |
| discounts.delete | ✓ | ✓ | |
| discounts.update | ✓ | ✓ | |
| discounts.view | ✓ | ✓ | |
| Featured Products | |||
| featured.update | ✓ | ✓ | |
| featured.view | ✓ | ✓ | |
| Notifications | |||
| notifications.view | ✓ | ✓ | |
| Sales | |||
| sales.update | ✓ | ✓ | ✓ |
| sales.view | ✓ | ✓ | ✓ |
| Payment Methods | |||
| payment_methods.create | ✓ | ||
| payment_methods.delete | ✓ | ||
| payment_methods.update | ✓ | ||
| payment_methods.view | ✓ | ||
| Delivery Methods | |||
| delivery_methods.create | ✓ | ||
| delivery_methods.delete | ✓ | ||
| delivery_methods.update | ✓ | ||
| delivery_methods.view | ✓ | ||
| Products | |||
| products.create | ✓ | ||
| products.delete | ✓ | ||
| products.enable | ✓ | ✓ | ✓ |
| products.sort | ✓ | ✓ | ✓ |
| products.update | ✓ | ✓ | |
| products.view | ✓ | ✓ | ✓ |
| products.import | ✓ | ✓ | |
| products.export | ✓ | ✓ | |
| Reports | |||
| reports.dashboard | ✓ | ✓ | |
| Requests | |||
| requests.create | ✓ | ||
| Riders | |||
| riders.create | ✓ | ||
| riders.delete | ✓ | ||
| riders.update | ✓ | ||
| riders.view | ✓ | ✓ | ✓ |
| Users | |||
| users.create | ✓ | ✓ | |
| users.delete | ✓ | ✓ | |
| users.update | ✓ | ✓ | ✓ |
| users.view | ✓ | ✓ | ✓ |
| users.available | ✓ | ✓ | |
| Stores | |||
| stores.create | ✓ | ||
| stores.delete | ✓ | ||
| stores.enable | ✓ | ✓ | ✓ |
| stores.unpublish | ✓ | ||
| stores.update | ✓ | ✓ | |
| stores.view | ✓ | ✓ | ✓ |
| store_import.save | ✓ | ||
| Issues | |||
| issues.view | ✓ | ✓ | ✓ |
| issues.create | ✓ | ✓ | ✓ |
| issues.update | ✓ | ||
| issues.delete | ✓ | ||
| Quick Keys | |||
| quick_keys.view | ✓ | ✓ | ✓ |
| quick_keys.create | ✓ | ✓ | ✓ |
| quick_keys.update | ✓ | ✓ | ✓ |
| quick_keys.delete | ✓ | ✓ | ✓ |
| Subscriptions | |||
| subscriptions.view | ✓ | ||
| subscriptions.update | ✓ | ||
| Images | |||
| images.direct_upload | ✓ | ✓ | ✓ |
| Preferences | |||
| preferences.view | ✓ | ✓ | ✓ |
| preferences.update | ✓ | ✓ | ✓ |
| Price Books | |||
| price_books.view | ✓ | ✓ | ✓ |
| price_books.create | ✓ | ✓ | |
| price_books.update | ✓ | ✓ | |
| price_books.delete | ✓ | ✓ | |
| Quotes | |||
| quotes.view | ✓ | ✓ | ✓ |
| quotes.create | ✓ | ✓ | ✓ |
| quotes.archive | ✓ | ✓ | ✓ |
| Categories | |||
| categories.view | ✓ | ✓ | |
| categories.create | ✓ | ✓ | |
| categories.update | ✓ | ✓ | |
| categories.delete | ✓ | ✓ | |
User Management
The system implements role-based access control with a hierarchical structure. Higher-level roles can manage users with lower-level roles:
- Admin: Can create/update all users
- Manager: Can create/update cashiers only
- Cashier: Cannot manage other users
Authorization Flow
The API verifies permissions on every request through a middleware that checks whether the authenticated user's role grants the permission required by the requested operation. If a user attempts to access a resource their role does not permit, the system returns a 403 Forbidden error.
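The following is an added example (not the SL API's own code) of the two checks the User Management and Authorization Flow sections describe: the coarse role-to-permission lookup, plus the target-role check that makes "Manager can create/update cashiers only" enforceable even though the table grants managers `users.*`. The role sets are a subset of the table above; the route table and the `target_role` parameter are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Subset of the permission table above, constructed for this example.
ROLE_PERMISSIONS = {
    "admin": {"users.create", "users.update", "users.delete", "stores.create", "sales.view"},
    "manager": {"users.create", "users.update", "users.delete", "stores.update", "sales.view"},
    "cashier": {"users.update", "users.view", "sales.view"},
}

# Hierarchy from the User Management section: roles each role may manage.
MANAGEABLE_ROLES = {
    "admin": {"admin", "manager", "cashier"},
    "manager": {"cashier"},
    "cashier": set(),
}

USER_MANAGEMENT = {"users.create", "users.update", "users.delete"}

# Hypothetical route table; the real SL API's routes are not on the page.
ROUTE_PERMISSIONS = {
    ("GET", "/sales"): "sales.view",
    ("POST", "/users"): "users.create",
    ("PATCH", "/users/{id}"): "users.update",
}

@dataclass
class Decision:
    allowed: bool
    status: int  # 200 when allowed, 403 Forbidden otherwise
    reason: str

def authorize(role: str, permission: str, target_role: Optional[str] = None) -> Decision:
    """Coarse permission check, then the target-role check for user management."""
    if permission not in ROLE_PERMISSIONS.get(role, set()):  # unknown role fails closed
        return Decision(False, 403, f"{role} lacks {permission}")
    if permission in USER_MANAGEMENT:
        # A cashier holds users.update but may not manage any other account.
        if target_role not in MANAGEABLE_ROLES.get(role, set()):
            return Decision(False, 403, f"{role} may not manage {target_role} accounts")
    return Decision(True, 200, "ok")

def handle_request(method: str, route: str, role: str, target_role: Optional[str] = None) -> Decision:
    """Middleware step: map the matched route to its permission and authorize."""
    permission = ROUTE_PERMISSIONS.get((method, route))
    if permission is None:  # unmapped routes are denied, never silently allowed
        return Decision(False, 403, "route has no permission mapping")
    return authorize(role, permission, target_role)
```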
JSON Representation
Below is a JSON representation of permissions grouped by roles, which can be easily copied for implementation:
```json
{
  "admin": [
    "collections.create",
    "collections.delete",
    "collections.update",
    "collections.view",
    "businesses.create",
    "businesses.update",
    "businesses.view",
    "customers.view",
    "customers.create",
    "customers.update",
    "customers.delete",
    "devices.update",
    "discounts.create",
    "discounts.delete",
    "discounts.update",
    "discounts.view",
    "featured.update",
    "featured.view",
    "notifications.view",
    "sales.update",
    "sales.view",
    "payment_methods.create",
    "payment_methods.delete",
    "payment_methods.update",
    "payment_methods.view",
    "delivery_methods.create",
    "delivery_methods.delete",
    "delivery_methods.update",
    "delivery_methods.view",
    "products.create",
    "products.delete",
    "products.enable",
    "products.sort",
    "products.update",
    "products.view",
    "products.import",
    "products.export",
    "reports.dashboard",
    "requests.create",
    "riders.create",
    "riders.delete",
    "riders.update",
    "riders.view",
    "users.create",
    "users.delete",
    "users.update",
    "users.view",
    "users.available",
    "stores.create",
    "stores.delete",
    "stores.enable",
    "stores.unpublish",
    "stores.update",
    "stores.view",
    "store_import.save",
    "issues.view",
    "issues.create",
    "issues.update",
    "issues.delete",
    "quick_keys.view",
    "quick_keys.create",
    "quick_keys.update",
    "quick_keys.delete",
    "subscriptions.view",
    "subscriptions.update",
    "images.direct_upload",
    "preferences.view",
    "preferences.update",
    "price_books.view",
    "price_books.create",
    "price_books.update",
    "price_books.delete",
    "quotes.view",
    "quotes.create",
    "quotes.archive",
    "categories.view",
    "categories.create",
    "categories.update",
    "categories.delete"
  ],
  "manager": [
    "collections.create",
    "collections.delete",
    "collections.update",
    "collections.view",
    "customers.view",
    "customers.create",
    "customers.update",
    "customers.delete",
    "devices.update",
    "discounts.create",
    "discounts.delete",
    "discounts.update",
    "discounts.view",
    "featured.update",
    "featured.view",
    "notifications.view",
    "sales.update",
    "sales.view",
    "products.enable",
    "products.sort",
    "products.update",
    "products.view",
    "products.import",
    "products.export",
    "reports.dashboard",
    "riders.view",
    "users.create",
    "users.delete",
    "users.update",
    "users.view",
    "users.available",
    "stores.enable",
    "stores.update",
    "stores.view",
    "issues.view",
    "issues.create",
    "quick_keys.view",
    "quick_keys.create",
    "quick_keys.update",
    "quick_keys.delete",
    "images.direct_upload",
    "preferences.view",
    "preferences.update",
    "price_books.view",
    "price_books.create",
    "price_books.update",
    "price_books.delete",
    "quotes.view",
    "quotes.create",
    "quotes.archive",
    "categories.view",
    "categories.create",
    "categories.update",
    "categories.delete"
  ],
  "cashier": [
    "customers.view",
    "customers.create",
    "customers.update",
    "customers.delete",
    "devices.update",
    "sales.update",
    "sales.view",
    "products.enable",
    "products.sort",
    "products.view",
    "riders.view",
    "users.update",
    "users.view",
    "stores.enable",
    "stores.view",
    "issues.view",
    "issues.create",
    "quick_keys.view",
    "quick_keys.create",
    "quick_keys.update",
    "quick_keys.delete",
    "images.direct_upload",
    "preferences.view",
    "preferences.update",
    "price_books.view",
    "quotes.view",
    "quotes.create",
    "quotes.archive"
  ]
}
```
Flat List of All Permissions
Below is a JSON array containing all unique permissions in a flat list:
```json
[
  "collections.create",
  "collections.delete",
  "collections.update",
  "collections.view",
  "businesses.create",
  "businesses.update",
  "businesses.view",
  "customers.view",
  "customers.create",
  "customers.update",
  "customers.delete",
  "devices.update",
  "discounts.create",
  "discounts.delete",
  "discounts.update",
  "discounts.view",
  "featured.update",
  "featured.view",
  "notifications.view",
  "sales.update",
  "sales.view",
  "payment_methods.create",
  "payment_methods.delete",
  "payment_methods.update",
  "payment_methods.view",
  "delivery_methods.create",
  "delivery_methods.delete",
  "delivery_methods.update",
  "delivery_methods.view",
  "products.create",
  "products.delete",
  "products.enable",
  "products.sort",
  "products.update",
  "products.view",
  "products.import",
  "products.export",
  "reports.dashboard",
  "requests.create",
  "riders.create",
  "riders.delete",
  "riders.update",
  "riders.view",
  "users.create",
  "users.delete",
  "users.update",
  "users.view",
  "users.available",
  "stores.create",
  "stores.delete",
  "stores.enable",
  "stores.unpublish",
  "stores.update",
  "stores.view",
  "store_import.save",
  "issues.view",
  "issues.create",
  "issues.update",
  "issues.delete",
  "quick_keys.view",
  "quick_keys.create",
  "quick_keys.update",
  "quick_keys.delete",
  "subscriptions.view",
  "subscriptions.update",
  "images.direct_upload",
  "preferences.view",
  "preferences.update",
  "price_books.view",
  "price_books.create",
  "price_books.update",
  "price_books.delete",
  "quotes.view",
  "quotes.create",
  "quotes.archive",
  "categories.view",
  "categories.create",
  "categories.update",
  "categories.delete"
]
```