01 · Roles & access

The permission model: keys, layers, and how access is decided

The mechanics under the roles — permission keys, the five layers, glob expansion, Pack gating, and exactly how a request is allowed or denied.

5 min read · updated 28/05/2026
Who can do this
RoleCreate order draftConfirm / dispatch orderPack orderRecord paymentVoid invoiceEdit pricing
OwnerAllowedAllowedAllowedAllowedAllowedAllowed

Overview

Every role in Neev — Owner, Manager, Operator, Accountant, Warehouse, Delivery, Sales — is just a bag of small switches called permissions. When someone hits a button and gets "Missing permission," this is the machinery that decided no. This article is for the Owner who wants to understand why a request was allowed or blocked, so you can fix access without guessing.

Where to find it

There is no single "permissions" screen — permissions are the plumbing, not a page. You touch them through two live, Owner-only places on web:

  • Settings → Team & roles (/settings/team) — assign and unassign roles to people. Changing someone's role is how you change what they can do.
  • Audit log (/audit-log) — every blocked request lands here as a permission.denied row, so you can see exactly which key was missing and on which action.

For the actual role-by-role grants, see the per-role articles linked at the bottom.

Key concepts

A permission is a dotted key like orders.create or invoicing.void. Keys are always lowercase and have two or more segments split by dots. Each tRPC procedure behind a button is guarded by one such key — if your roles don't carry it, the action is refused.

Every key belongs to exactly one of five layers: platform, core, queries, capability, and pack. The layer decides how the key gets handed out. Platform keys (audit log, role admin, team management, reports) and Core keys (orders, inventory, invoicing, pricing, returns) are the everyday spine. Pack keys (Pharma, Dairy, Quick Commerce) are gated — they only switch on once you install that Pack.

Your effective permissions are simply the union of every key across all the non-archived roles you hold. If two of your roles grant orders.read, you still just have it once. Nothing is cached — Neev reads it fresh each time, so a role change takes effect immediately.

Default role grants use globs to stay short. The Owner role is seeded with a single *, the Manager role uses prefixes like orders.* (every key starting with orders.), and other roles' grants are spelled out one key at a time.

Common workflows

1
Give someone more access
Open Settings → Team & roles, find the teammate, and change their role to one that carries the permission they need. Access updates on their next action — no re-login dance.
2
Find out why a request was blocked
Open the Audit log and look for the permission.denied row. It records the exact permission key that was missing and a reason — either missing_permission (no role grants that key) or pack_not_active (the key belongs to a Pack that isn't installed).
3
Fix a 'missing permission' block
Read the key from the audit row (e.g. invoicing.void), then assign the person a role that includes it. The per-role articles list which role carries which grants.
4
Fix a 'pack not active' block
If the reason is pack_not_active, no role change helps — the feature lives in a Pack. Install the Pack first; only then do its keys bind to your roles.

Role notes

This page is Owner-only because only the Owner manages who-can-do-what.

The Owner role is seeded with a single * grant. At onboarding that * expands into one real permission row for every non-Pack permission registered in the catalog — so the Owner literally holds each Core and Platform key, not a magic "allow everything" shortcut. There are real edges:

  • Pack keys are not auto-granted. pharma.*, pack.dairy.*, and pack.quick_commerce.* are left out of the * expansion. They bind to the Owner only after the matching Pack is installed.
  • Capability keys aren't switched on in this release yet. The Capability permission sets (cold-chain, route management, warehouse bins, sales targets, discount categories) are defined but not yet registered into the live catalog, so even the Owner does not hold them today.
  • You cannot remove the last Owner. The last-Owner guard blocks unassigning the final Owner of a tenant.

For the concrete grants behind Manager, Operator, Accountant, Warehouse, Delivery, and Sales, see the per-role articles below — those describe the exact keys each carries.

Tips & time-savers

Tip
The Owner's * grant auto-adopts every new non-Pack permission as Neev ships new modules. When an update adds, say, a new reports key, the Owner picks it up automatically — you never re-grant anything after an upgrade.

You don't manage permissions key-by-key day to day. Assign the right role at Settings → Team & roles and the keys follow. Reach for custom roles only when no system role fits.

Gotchas

Warning
You cannot unassign the last Owner. The system blocks it so a tenant is never left with nobody in charge. To hand over, assign Owner to the new person first, then remove the old one.

A "Missing permission" message is not always a role problem. If the audit reason is pack_not_active, the action belongs to a Pack that isn't installed — adding more roles will never unlock it. Install the Pack instead.

Related