
Users & Roles

What is the Users & Roles Module?

The Users & Roles module implements Role-Based Access Control (RBAC) to govern who can access what across Tawridy's 26 modules. Six system roles are provided out of the box, each with a curated set of permissions designed for common procurement team structures. For organizations with unique requirements, custom roles allow granular permission assignment at the module and action level (view, create, edit, delete, export, approve). Module availability is also tied to the organization's subscription tier, ensuring users only see features their plan includes.

How It Connects

| Direction | Module | Relationship |
| --- | --- | --- |
| In | Organization Settings | Subscription tier determines which modules are active and available for role assignment |
| Out | All Modules | Every module checks the current user's role permissions before showing screens, buttons, or data |
| Out | Approvals | Approver assignments in workflows reference roles defined here |
| Out | Dashboard | Dashboard data is scoped by the user's role permissions |
| Out | Reports | Export permission controls whether users can download report data |
| Out | Superadmin | Platform-level user management for cross-org operations |

Step-by-Step Guide

Inviting a New User

  1. Navigate to Admin > Users & Roles > Users.
  2. Click Invite User.
  3. Enter the user's Email Address and Full Name.
  4. Select a Role from the dropdown (system or custom role).
  5. Optionally assign the user to a Department or Team.
  6. Click Send Invitation.
  7. The user receives an email with a link to set their password and activate their account.

Understanding System Roles

Review the six built-in system roles and their intended use:

| Role | Description | Key Permissions |
| --- | --- | --- |
| Admin | Full platform access. Manages settings, users, roles, and all modules. | All permissions across all modules including settings and user management. |
| Procurement Manager | Oversees procurement operations. Creates and manages RFQs, POs, suppliers, and approvals. | View, create, edit, delete, export, approve on procurement modules. Full supplier management. |
| Sales Manager | Manages customer relationships, quotations, and customer invoices. | View, create, edit, export on customer, quotation, and customer invoice modules. |
| Buyer | Day-to-day procurement execution. Creates RFQs, processes quotes, generates POs. | View, create, edit on RFQs, quotes, and POs. No delete or approve permissions. |
| Finance | Manages invoicing, payments, and financial reporting. | View, create, edit, export on invoice, payment, and reporting modules. Approve on invoices. |
| Viewer | Read-only access for stakeholders who need visibility without edit capability. | View only across all active modules. No create, edit, delete, export, or approve. |

Creating a Custom Role

  1. Navigate to Admin > Users & Roles > Roles.
  2. Click New Custom Role.
  3. Enter a Role Name (e.g., "Junior Buyer", "Regional Manager", "Compliance Officer").
  4. Enter a Description explaining the role's purpose.
  5. Configure permissions for each of the 26 modules using the permission matrix:

| Permission | Description |
| --- | --- |
| View | Can see the module's screens and data |
| Create | Can create new records |
| Edit | Can modify existing records |
| Delete | Can remove records (with soft-delete) |
| Export | Can download data as PDF, Excel, or CSV |
| Approve | Can act as an approver in approval workflows |

  6. Toggle each permission on or off per module.
  7. Click Save Role.

Assigning and Changing Roles

  1. Navigate to Admin > Users & Roles > Users.
  2. Click on a user to open their profile.
  3. Change the Role dropdown to the desired role.
  4. Click Save. The new permissions take effect immediately on the user's next page load.

Deactivating a User

  1. Open the user's profile from the Users list.
  2. Click Deactivate User.
  3. Confirm the action. The user can no longer log in, but their historical activity (approvals, comments, transactions) is preserved for audit purposes.
  4. To reactivate, open the user profile and click Reactivate.

Key Fields Explained

| Field | Description |
| --- | --- |
| email | The user's login email address. Must be unique across the organization. |
| full_name | Display name shown across the platform (comments, audit logs, approvals). |
| role | The assigned role (system or custom) that determines all permissions. |
| department | Optional grouping for organizational hierarchy and reporting. |
| status | Active (can log in), Invited (pending acceptance), or Deactivated (cannot log in). |
| last_login | Timestamp of the user's most recent login session. |
| permissions | (On role records) The full matrix of module-action permissions for this role. |
| is_system_role | Boolean indicating whether this is a built-in role (cannot be deleted) or a custom role. |
| subscription_tier | (From org settings) Determines which modules appear in the permission matrix. Modules not included in the tier are greyed out. |

Tips & Best Practices

TIP

Start with the system roles and only create custom roles when a team member's responsibilities genuinely do not fit any built-in role. Over-customization of roles can make permission management complex and error-prone.

TIP

Conduct a quarterly access review. Navigate to the Users list, sort by last login, and deactivate accounts that have been inactive for 90+ days. This is a security best practice and frees up user seats for your subscription tier.
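
The quarterly review in this tip can be scripted against a copy of the user list. This is an added example, not part of Tawridy: it assumes a CSV whose columns match the Key Fields table and ISO 8601 `last_login` values, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows; column names follow the Key Fields table.
# The CSV layout and timestamp format are assumptions.
SAMPLE_EXPORT = """email,full_name,role,status,last_login
admin@example.com,Aisha Noor,Admin,Active,2025-06-28T09:12:00+00:00
buyer1@example.com,Omar Said,Buyer,Active,2025-02-10T14:03:00+00:00
finance@example.com,Lina Haddad,Finance,Active,2025-04-02T08:00:00+00:00
newhire@example.com,Sam Reed,Viewer,Invited,
former@example.com,Dana Fox,Buyer,Deactivated,2024-11-01T10:00:00+00:00
"""

INACTIVITY_LIMIT = timedelta(days=90)  # the 90+ day threshold from the tip


def review_access(export_text, now):
    """Return (stale, never_accepted) for manual follow-up by an Admin."""
    stale, never_accepted = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        status = row["status"].strip()
        last_login = row["last_login"].strip()
        if status == "Deactivated":
            continue  # already unable to log in
        if status == "Invited" or not last_login:
            # No login on record: report separately instead of guessing an age.
            never_accepted.append(row["email"])
            continue
        seen = datetime.fromisoformat(last_login)
        if seen.tzinfo is None:
            seen = seen.replace(tzinfo=timezone.utc)  # assumption: naive means UTC
        idle = now - seen
        if idle >= INACTIVITY_LIMIT:
            stale.append((row["email"], row["role"], idle.days))
    stale.sort(key=lambda item: item[2], reverse=True)  # longest idle first
    return stale, never_accepted


if __name__ == "__main__":
    review_date = datetime(2025, 7, 1, tzinfo=timezone.utc)  # fixed for a repeatable run
    stale, pending = review_access(SAMPLE_EXPORT, review_date)
    for email, role, days in stale:
        print(f"deactivation candidate: {email} ({role}), idle {days} days")
    for email in pending:
        print(f"invitation never accepted: {email}")
```

The Finance row sits just under the limit (89 days and 16 hours), so only the Buyer account is flagged; the pending invitation is listed on its own because it has no login to measure.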

WARNING

Deleting a custom role is only possible if no users are currently assigned to it. Reassign all users to a different role before attempting to delete a custom role. System roles cannot be deleted or modified.

  • Follow the principle of least privilege: assign each user the minimum permissions needed for their job function. A Buyer does not need delete or approve permissions, and a Viewer should never have edit access.
  • Use the Department field to organize users for reporting and filtering, even though it does not directly affect permissions.
  • When onboarding a new team member, verify their role's permissions match their actual responsibilities before they start creating transactions.
  • The Export permission should be assigned thoughtfully. Exported data leaves the platform's access controls, so limit it to roles that genuinely need offline data.

FAQ

Q: How many users can I have? A: User limits depend on your subscription tier. Starter plans include up to 5 users, Professional up to 25, and Enterprise offers unlimited users. Check Admin > Settings > Subscription for your current limit and usage.

Q: Can a user have multiple roles? A: Each user is assigned exactly one role. If a user needs permissions from two different roles, create a custom role that combines the needed permissions.

Q: What happens to a deactivated user's data? A: All data created by a deactivated user (POs, invoices, approvals, comments) is preserved permanently. The user's name continues to appear in audit trails and document history. Only their ability to log in is revoked.

Q: Can I restrict a user to see only their own records? A: The Buyer role is scoped to show records the user created or is assigned to. Admin and Manager roles see all records across the organization. Custom roles follow the same scoping as the system role they most closely resemble.

Q: What are the 26 modules in the permission matrix? A: The modules include: Dashboard, RFQs, Suppliers, AVL, Purchase Orders, GRN, Invoices (Supplier), Invoices (Customer), Payments, Customers, Quotations, Items/Catalog, Categories, Projects, Approvals, WhatsApp, Email, Reports, AI Features, Settings, Users, Roles, Subscriptions, Documents, Audit Logs, and Superadmin (platform operators only).

Q: Does module activation affect existing permissions? A: Yes. If your subscription tier does not include a module (e.g., AI Features on the Starter plan), that module is hidden from all users regardless of their role permissions. Upgrading your tier automatically makes the module available to users whose roles include the relevant permissions.
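
The last answer means a role can hold grants that stay dormant until a tier upgrade makes them live. The sketch below models that rule and lists what an upgrade would switch on, so the grants can be reviewed beforehand. It is an added example, not Tawridy's code: the tier contents (apart from AI Features being absent from Starter), the "Junior Analyst" role and all function names are assumptions.

```python
# Constructed data. Tier contents are assumptions, apart from the page's
# statement that AI Features is not included in the Starter plan.
TIER_MODULES = {
    "Starter": {"Dashboard", "RFQs", "Purchase Orders", "Reports"},
    "Professional": {"Dashboard", "RFQs", "Purchase Orders", "Reports",
                     "Payments", "AI Features"},
}

# Constructed role records shaped like the `permissions` matrix (module -> actions).
ROLES = {
    "Buyer": {"RFQs": {"view", "create", "edit"},
              "Purchase Orders": {"view", "create", "edit"}},
    "Junior Analyst": {"Reports": {"view", "export"},  # hypothetical custom role
                       "AI Features": {"view", "create"},
                       "Payments": {"view", "approve"}},
}


def is_allowed(tier, role, module, action):
    """Deny by default: the tier gate is checked before the role matrix."""
    if module not in TIER_MODULES.get(tier, set()):
        return False  # hidden for every user, whatever the role grants
    return action in ROLES.get(role, {}).get(module, set())


def activated_by_upgrade(old_tier, new_tier):
    """Grants that are dormant on old_tier and become live on new_tier."""
    live = []
    for role, matrix in sorted(ROLES.items()):
        for module, actions in sorted(matrix.items()):
            for action in sorted(actions):
                if (not is_allowed(old_tier, role, module, action)
                        and is_allowed(new_tier, role, module, action)):
                    live.append((role, module, action))
    return live


if __name__ == "__main__":
    for role, module, action in activated_by_upgrade("Starter", "Professional"):
        print(f"{role}: {action} on {module} becomes active after upgrade")
```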