Permission Matrix
This page provides a comprehensive reference for Shaari's permission system. Use it to understand exactly what each access level allows within every permission section, and to plan permission configurations for your team members.
Access Levels Summary
| Level | Name | Create | View | Edit Own | Edit All | Delete |
|---|---|---|---|---|---|---|
| 0 | No Access | -- | -- | -- | -- | -- |
| 1 | View Only | -- | Yes | -- | -- | -- |
| 2 | Contribute | Yes | Yes | Yes | -- | -- |
| 3 | Full Access | Yes | Yes | Yes | Yes | Yes |
Full Permission Matrix by Section
analytics
Controls access to the dashboard, charts, spending trends, and performance reports.
| Access Level | Capabilities |
|---|---|
| No Access | Dashboard shows no analytics widgets. Summary cards and charts are hidden. |
| View Only | Can view all analytics dashboards, charts, and reports. Cannot export data. |
| Contribute | Same as View Only. Analytics are read-only by nature. |
| Full Access | Can view all analytics and export reports. Can configure dashboard widget layout. |
Required plan: All plans
purchase_invoices
Controls access to purchase invoice management, including uploads, AI extraction, categorization, and payment tracking.
| Access Level | Capabilities |
|---|---|
| No Access | Purchases section is hidden from navigation. |
| View Only | Can browse and search purchase invoices. Can view invoice details, attachments, and extracted data. Cannot upload, edit, or delete. |
| Contribute | Can upload new invoices, trigger AI extraction, edit invoices they created, and update payment status on their own invoices. Cannot modify or delete invoices created by others. |
| Full Access | Can perform all purchase invoice operations: upload, edit, delete, change status, manage attachments, and bulk actions on any invoice regardless of creator. |
Required plan: All plans
sales_ar
Controls access to sales invoices, credit notes, debit notes, and ZATCA e-invoicing features.
| Access Level | Capabilities |
|---|---|
| No Access | Sales invoicing section is hidden from navigation. |
| View Only | Can view sales invoices, credit/debit notes, and their ZATCA compliance status. Cannot create or modify. |
| Contribute | Can create new sales invoices and credit/debit notes. Can edit invoices they created (if still in Draft status). Cannot modify invoices created by others or delete any invoice. |
| Full Access | Can create, edit, delete, and manage all sales invoices. Can submit invoices to ZATCA, void invoices, and perform bulk operations. |
Required plan: Plus or Enterprise
The sales_ar permission section only appears in the permission configuration screen if your tenant is on the Plus or Enterprise plan. Basic plan tenants will not see this section.
suppliers_customers
Controls access to supplier and customer records, including contact details and address management.
| Access Level | Capabilities |
|---|---|
| No Access | Suppliers and Customers sections are hidden. |
| View Only | Can browse and search suppliers and customers. Can view contact details and addresses. |
| Contribute | Can create new suppliers and customers. Can edit records they created. Cannot modify records created by others. |
| Full Access | Can create, edit, and delete any supplier or customer record. Can merge duplicate records. |
Required plan: All plans
categories
Controls access to invoice category and payment type definitions.
| Access Level | Capabilities |
|---|---|
| No Access | Cannot see or manage categories. Can still see category names on invoices if they have invoice access. |
| View Only | Can view the list of categories and payment types. |
| Contribute | Can create new categories and payment types. Can edit ones they created. |
| Full Access | Can create, edit, rename, reorder, and delete any category or payment type. |
Required plan: All plans
custody
Controls access to cash custody management, daily reports, and expense tracking.
| Access Level | Capabilities |
|---|---|
| No Access | Custody section is hidden from navigation. |
| View Only | Can view custody records, daily reports, and expense summaries. Cannot create or modify. |
| Contribute | Can create custody requests, submit daily reports, and log expenses. Can edit their own reports. |
| Full Access | Can manage all custody operations: approve/reject requests, review daily reports, reverse transactions, and manage employee balances. |
Required plan: Plus or Enterprise
hr_management
Controls access to the full HR suite: employees, departments, attendance, leave, payroll, loans, warnings, and documents.
| Access Level | Capabilities |
|---|---|
| No Access | HR section is hidden from navigation. |
| View Only | Can view employee records, attendance logs, leave balances, and payroll summaries. Cannot modify any data. |
| Contribute | Can add employees, log attendance, submit leave requests, and enter basic HR data. Can edit records they created. |
| Full Access | Can perform all HR operations: manage employees, process payroll, approve/reject leave, issue warnings, manage loans, and configure HR settings. |
Required plan: Enterprise
api
Controls access to API key management and external integrations.
| Access Level | Capabilities |
|---|---|
| No Access | API section is hidden. Cannot generate or view API keys. |
| View Only | Can view existing API keys (masked) and integration status. Cannot create or revoke keys. |
| Contribute | Can generate new API keys for their own use. Cannot manage keys created by others. |
| Full Access | Can create, view, revoke, and manage all API keys. Can configure integration settings. |
Required plan: Enterprise
modules
Controls access to module visibility and feature toggles.
| Access Level | Capabilities |
|---|---|
| No Access | Cannot see or change module configuration. |
| View Only | Can view which modules are enabled or disabled. |
| Contribute | Same as View Only. Module toggling is an administrative action. |
| Full Access | Can enable or disable optional modules for the tenant. |
Required plan: All plans
settings
Controls access to tenant settings, company information, tax configuration, and integrations.
| Access Level | Capabilities |
|---|---|
| No Access | Settings section is hidden from navigation (except personal profile settings). |
| View Only | Can view company information, tax settings, and integration status. Cannot modify. |
| Contribute | Can update basic company information. Cannot change tax configuration or manage integrations. |
| Full Access | Can modify all tenant settings: company details, logo, tax configuration, ZATCA settings, and integrations. |
Required plan: All plans
Example Permission Configurations
Below are common team member profiles and their recommended permission setups:
Accountant
| Section | Level |
|---|---|
| analytics | View Only |
| purchase_invoices | Full Access |
| sales_ar | Full Access |
| suppliers_customers | Full Access |
| categories | Contribute |
| custody | View Only |
| hr_management | No Access |
| api | No Access |
| modules | No Access |
| settings | No Access |
Sales Representative
| Section | Level |
|---|---|
| analytics | View Only |
| purchase_invoices | No Access |
| sales_ar | Contribute |
| suppliers_customers | Contribute |
| categories | No Access |
| custody | No Access |
| hr_management | No Access |
| api | No Access |
| modules | No Access |
| settings | No Access |
HR Manager
| Section | Level |
|---|---|
| analytics | View Only |
| purchase_invoices | No Access |
| sales_ar | No Access |
| suppliers_customers | No Access |
| categories | No Access |
| custody | Full Access |
| hr_management | Full Access |
| api | No Access |
| modules | No Access |
| settings | No Access |
Data Entry Clerk
| Section | Level |
|---|---|
| analytics | No Access |
| purchase_invoices | Contribute |
| sales_ar | Contribute |
| suppliers_customers | Contribute |
| categories | View Only |
| custody | No Access |
| hr_management | No Access |
| api | No Access |
| modules | No Access |
| settings | No Access |
Start with one of these templates and adjust based on the specific responsibilities of your team member. You can always change permissions later without disrupting their work.