01 · Roles & access

Custom roles and editing the built-in roles

How the Owner creates custom roles, tunes a built-in role's permissions, and assigns roles to teammates — and the guardrails that protect the system roles.

5 min read · updated 28/05/2026
Who can do this
RoleCreate order draftConfirm / dispatch orderPack orderRecord paymentVoid invoiceEdit pricing
OwnerAllowedAllowedAllowedAllowedAllowedAllowed

Overview

Neev ships with seven built-in roles — Owner, Manager, Operator, Accountant, Warehouse, Delivery, Sales — and most traders never touch them. But when your shop doesn't fit the mould (a billing clerk who should also see reports, a part-timer who only records payments), you don't want to over-grant by handing out a Manager login. You can build a custom role with exactly the permissions you choose, or tune a built-in role, so every teammate sees only what their job needs.

Where to find it

The shipped team screen lives at Settings → Team (/settings/team). Only the Owner sees Settings in the sidebar. From there you invite teammates and switch any member between the six assignable roles (Manager, Operator, Accountant, Warehouse, Delivery, Sales).

Building a custom role or changing what a built-in role can do is Owner-only and currently done through the API (the rbac.roles.* procedures), not a dedicated editor screen. Everything below tells you exactly what those calls do and the rules they enforce.

Note
Settings → Team is web-only. There is no role editor on the mobile field apps.

Key concepts

  • Role — a named bundle of permissions you assign to a teammate. A role has a key (a stable code like BILLING_CLERK), a label (what people read), an optional description, and a set of permissions.
  • System role — the seven built-ins. Their keys are reserved, and they can't be archived. You can still edit a built-in role's permissions.
  • Permission — a single power, like "Record payment" or "View the audit log." A role grants a set of these. The picker that lists them is the permission catalog.
  • Pack permission — a permission that belongs to a paid Pack (Pharma, Dairy, Quick Commerce). You can only grant it to a role once that Pack is active for your business.

Common workflows

1
Create a custom role
Give it a key, a label, an optional description, and pick its permissions from the catalog. Neev rejects the seven reserved system keys and any key you've already used.
2
Tune a built-in role
Edit a system role and add or remove permissions. Your added grants survive deploys — Neev never strips permissions you granted by hand.
3
Assign a role to a teammate
On Settings → Team, pick the member and choose their role from the dropdown. The change takes effect on their next action.
4
Retire a custom role
Archive it once nobody needs it. System roles can't be archived — only your own custom roles.

Every one of these is recorded: creating, editing, assigning, unassigning, and archiving a role each fire an audit event (role.created, role.updated, role.assigned, role.unassigned, role.archived), so the history is always there in the audit log.

Role notes

Managing roles is an Owner job, full stop. Both powers — creating or editing roles (rbac.roles.manage) and assigning roles to people (rbac.users.manage) — are held only by the Owner by default. The Owner holds every non-Pack permission in the system, which is why the Owner is the one who decides what every other role can do.

Two things even the Owner cannot do: grant a Pack permission to any role before that Pack is installed, and unassign the last remaining Owner. Both are hard guards, covered below.

Tips & time-savers

Tip
Don't clone Manager to give one clerk a little extra. Start a custom role from the permission you actually need — say "Record payment" plus "View reports" — and nothing else. Tighter roles mean fewer surprises on who can touch the money.

You don't have to rebuild a built-in role from scratch either. If Sales should also see reports, just add the "View reports" permission to the Sales role — your edit sticks across updates, because Neev only ever reconciles the defaults it seeded itself and leaves your hand-added grants alone.

Gotchas

Warning
You can't remove the last Owner. If you try to switch the only Owner to another role or unassign them, Neev blocks it — promote a second person to Owner first. This stops a business from locking itself out of its own settings.

A few more rules that will stop you mid-task:

  • Reserved keys. The seven system keys (OWNER, MANAGER, OPERATOR, ACCOUNTANT, WAREHOUSE, DELIVERY, SALES) are off-limits for new roles, and you can't reuse a key already taken in your business.
  • System roles can't be archived. You can edit a built-in role's permissions, but you can't delete or archive it. Only custom roles can be retired.
  • Pack permissions need the Pack. Trying to grant a Pharma, Dairy, or Quick Commerce permission to a role fails until that Pack is active for your business. Install the Pack first, then grant.

Related