Permission matrix

This is the source-of-truth matrix for who can do what. The same matrix is encoded in src/application/permissions.ts and mirrored into Postgres RLS policies.

= allowed. = denied. (self) = allowed only on records the user owns or is assigned to.

The six roles, in order of privilege: admin, manager, supervisor, cutter, member, viewer.

Inventory

Action | admin | manager | supervisor | cutter | member | viewer
View inventory
Manage rolls (create / quarantine / receive PO)
Edit roll dimensions
List offcuts
Manage material types
Manage suppliers
Manage pricing
Set reorder rule

Purchase orders

Action | admin | manager | supervisor | cutter | member | viewer
Draft PO
Send PO
Receive PO
Cancel sent PO

Jobs

Action | admin | manager | supervisor | cutter | member | viewer
Create job
Assign roll
Set priority
Assign cutter
Cancel job
View own job (self)

Cutting engine

Action | admin | manager | supervisor | cutter | member | viewer
Access cutting engine
Run Auto Nest
Run Free-roam
Commit cut
Approve cut
View cut history
Void cut

Analytics

Action | admin | manager | supervisor | cutter | member | viewer
Access analytics
View current consumption
View period consumption
View material usage
View cost reports
View trends
View reports

Users + workspace

Action | admin | manager | supervisor | cutter | member | viewer
Invite user
Promote up to supervisor
Promote to manager
Promote to admin ✓ (two-step)
Demote user
Edit workspace settings
Edit workspace branding

Audit

Action | admin | manager | supervisor | cutter | member | viewer
Read admin activity log
Read cut history
Export cut history