| Role | Create order draft | Confirm / dispatch order | Pack order | Record payment | Void invoice | Edit pricing |
|---|---|---|---|---|---|---|
| Owner | Allowed | Allowed | Allowed | Allowed | Allowed | Allowed |
Overview
Every role in Neev — Owner, Manager, Operator, Accountant, Warehouse, Delivery, Sales — is just a bag of small switches called permissions. When someone hits a button and gets "Missing permission," this is the machinery that decided no. This article is for the Owner who wants to understand why a request was allowed or blocked, so you can fix access without guessing.
Where to find it
There is no single "permissions" screen — permissions are the plumbing, not a page. You touch them through two live, Owner-only places on web:
- Settings → Team & roles (
/settings/team) — assign and unassign roles to people. Changing someone's role is how you change what they can do. - Audit log (
/audit-log) — every blocked request lands here as apermission.deniedrow, so you can see exactly which key was missing and on which action.
For the actual role-by-role grants, see the per-role articles linked at the bottom.
Key concepts
A permission is a dotted key like orders.create or invoicing.void. Keys are always lowercase and have two or more segments split by dots. Each tRPC procedure behind a button is guarded by one such key — if your roles don't carry it, the action is refused.
Every key belongs to exactly one of five layers: platform, core, queries, capability, and pack. The layer decides how the key gets handed out. Platform keys (audit log, role admin, team management, reports) and Core keys (orders, inventory, invoicing, pricing, returns) are the everyday spine. Pack keys (Pharma, Dairy, Quick Commerce) are gated — they only switch on once you install that Pack.
Your effective permissions are simply the union of every key across all the non-archived roles you hold. If two of your roles grant orders.read, you still just have it once. Nothing is cached — Neev reads it fresh each time, so a role change takes effect immediately.
Default role grants use globs to stay short. The Owner role is seeded with a single *, the Manager role uses prefixes like orders.* (every key starting with orders.), and other roles' grants are spelled out one key at a time.
Common workflows
permission.denied row. It records the exact permission key that was missing and a reason — either missing_permission (no role grants that key) or pack_not_active (the key belongs to a Pack that isn't installed).invoicing.void), then assign the person a role that includes it. The per-role articles list which role carries which grants.pack_not_active, no role change helps — the feature lives in a Pack. Install the Pack first; only then do its keys bind to your roles.Role notes
This page is Owner-only because only the Owner manages who-can-do-what.
The Owner role is seeded with a single * grant. At onboarding that * expands into one real permission row for every non-Pack permission registered in the catalog — so the Owner literally holds each Core and Platform key, not a magic "allow everything" shortcut. There are real edges:
- Pack keys are not auto-granted.
pharma.*,pack.dairy.*, andpack.quick_commerce.*are left out of the*expansion. They bind to the Owner only after the matching Pack is installed. - Capability keys aren't switched on in this release yet. The Capability permission sets (cold-chain, route management, warehouse bins, sales targets, discount categories) are defined but not yet registered into the live catalog, so even the Owner does not hold them today.
- You cannot remove the last Owner. The last-Owner guard blocks unassigning the final Owner of a tenant.
For the concrete grants behind Manager, Operator, Accountant, Warehouse, Delivery, and Sales, see the per-role articles below — those describe the exact keys each carries.
Tips & time-savers
* grant auto-adopts every new non-Pack permission as Neev ships new modules. When an update adds, say, a new reports key, the Owner picks it up automatically — you never re-grant anything after an upgrade.You don't manage permissions key-by-key day to day. Assign the right role at Settings → Team & roles and the keys follow. Reach for custom roles only when no system role fits.
Gotchas
A "Missing permission" message is not always a role problem. If the audit reason is pack_not_active, the action belongs to a Pack that isn't installed — adding more roles will never unlock it. Install the Pack instead.