Roles & Permissions
Shaari uses a role-based access control (RBAC) system to let you control exactly what each team member can see and do. Every user in a tenant is assigned a role, and that role determines their baseline capabilities. On top of the role, granular permissions allow fine-tuned control over individual modules.
Roles
There are two roles in Shaari:
Admin
Admins have full access to every part of the tenant. They can manage team members, change tenant settings, view all data, and perform any action across every module. The first user who creates a tenant is automatically assigned the Admin role.
Key Admin capabilities:
- Invite and remove team members
- Assign and change roles and permissions
- Access all modules regardless of individual permission settings
- Manage tenant settings, billing, and integrations
- View the full activity log
Member
Members have restricted access controlled by the permission system. When you invite someone as a Member, you choose exactly which modules they can access and what level of access they have in each one. A Member with no permissions assigned cannot see or do anything beyond their own profile.
Use the Admin role sparingly. Most team members should be Members with permissions tailored to their job function. This follows the principle of least privilege and keeps your data secure.
Permission System Overview
Permissions in Shaari are organized into sections and access levels. Each section corresponds to a functional area of the platform, and each access level defines what operations a user can perform within that section.
When you configure a Member's permissions, you set an access level for each section independently. This means a team member can have full access to purchases but view-only access to sales, or no access to HR at all.
Permission Sections
Shaari defines the following permission sections, each controlling access to a distinct part of the platform:
| Section | Controls |
|---|---|
| analytics | Dashboard widgets, charts, spending trends, and performance reports |
| purchase_invoices | Purchase invoice uploads, extraction, categorization, and payment tracking |
| sales_ar | Sales invoices, credit/debit notes, and ZATCA e-invoicing |
| suppliers_customers | Supplier and customer records, contact information, and address management |
| categories | Invoice categories and payment type definitions |
| custody | Cash custody management, daily reports, and expense tracking |
| hr_management | Employee records, attendance, leave, payroll, loans, and warnings |
| api | API key generation and external system integrations |
| modules | Module visibility and feature toggles |
| settings | Tenant settings, company information, tax configuration, and integrations |
Access Levels
Each permission section is assigned one of four access levels:
0 --- No Access
The user cannot see or interact with this section at all. The corresponding menu items and pages are completely hidden from their view.
1 --- View Only
The user can see records and data in this section but cannot create, edit, or delete anything. Useful for team members who need visibility for reference or reporting but should not modify data.
2 --- Contribute
The user can view existing records and create new ones. They can also edit records they have created. However, they cannot delete records or modify records created by other users. This level is appropriate for data-entry roles.
3 --- Full Access
The user can view, create, edit, and delete any record in this section, regardless of who created it. This is equivalent to Admin-level access within the specific section.
Admins always operate at Full Access (level 3) across all sections, regardless of any permission settings. Permission levels only apply to users with the Member role.
Plan-Based Permission Restrictions
Not all permission sections are available on every subscription plan. Some sections are gated behind specific plans:
| Permission Section | Required Plan |
|---|---|
| analytics | All plans |
| purchase_invoices | All plans |
| suppliers_customers | All plans |
| categories | All plans |
| modules | All plans |
| settings | All plans |
| sales_ar | Plus or Enterprise |
| custody | Plus or Enterprise |
| hr_management | Enterprise |
| api | Enterprise |
If your tenant is on the Basic plan, the sales_ar permission section will not appear in the permission configuration screen because the Sales module is not available on that plan. Upgrading your plan unlocks the corresponding permission sections automatically.
When a tenant is downgraded to a lower plan, any permissions set for plan-gated sections are preserved in the database but become inactive. Team members will lose access to those sections until the tenant is upgraded again.
How Permissions Are Enforced
Permissions are enforced at multiple levels:
- UI Level --- Menu items, pages, and action buttons are hidden or disabled based on the user's effective permissions. A Member with View Only access to purchases will not see the "Upload Invoice" button.
- API Level --- Every backend endpoint checks the requesting user's permissions before processing the request. Even if someone crafts a direct API call, the server will reject unauthorized actions with a 403 Forbidden response.
- Data Level --- Query filters ensure users only see data they are authorized to access. A Member with No Access to HR will receive empty results even if they somehow reach an HR endpoint.
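The access-level, plan-gating and Admin rules described on this page, combined into one server-side decision function. This is an added example, not Shaari's own code: the `User` shape, the function names, the lowercase plan names, and the choice to apply plan gating to Admins as well are assumptions.

```python
from dataclasses import dataclass, field

NO_ACCESS, VIEW_ONLY, CONTRIBUTE, FULL_ACCESS = 0, 1, 2, 3

# Plan gates from the table on this page; sections mapped to None are on all plans.
SECTION_PLANS = {
    "analytics": None, "purchase_invoices": None, "suppliers_customers": None,
    "categories": None, "modules": None, "settings": None,
    "sales_ar": {"plus", "enterprise"}, "custody": {"plus", "enterprise"},
    "hr_management": {"enterprise"}, "api": {"enterprise"},
}

@dataclass
class User:  # hypothetical shape, for illustration only
    id: int
    role: str  # "admin" or "member"
    permissions: dict = field(default_factory=dict)  # section -> stored level

def effective_level(user, section, plan):
    """Level in force after plan gating and the Admin override."""
    if section not in SECTION_PLANS:
        return NO_ACCESS  # unknown section: fail closed
    gate = SECTION_PLANS[section]
    if gate is not None and plan not in gate:
        # Assumption: a section missing from the plan is unavailable to Admins too.
        return NO_ACCESS  # the stored level is kept, only inactive
    if user.role == "admin":
        return FULL_ACCESS
    return user.permissions.get(section, NO_ACCESS)

def is_allowed(user, section, plan, action, owner_id=None):
    """Decide one of 'view', 'create', 'edit', 'delete' on a record."""
    level = effective_level(user, section, plan)
    if action == "view":
        return level >= VIEW_ONLY
    if action == "create":
        return level >= CONTRIBUTE
    if action == "edit":  # Contribute may edit only records it created
        return level == FULL_ACCESS or (level == CONTRIBUTE and owner_id == user.id)
    if action == "delete":
        return level == FULL_ACCESS
    return False  # unknown action: deny

def status_for(user, section, plan, action, owner_id=None):
    """HTTP status an API-level check would answer with."""
    return 200 if is_allowed(user, section, plan, action, owner_id) else 403
```

Computing the effective level on every request, rather than caching it at login, is what makes a plan downgrade or a permission change take effect immediately.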
Next Steps
- Managing Team Members --- Learn how to invite users and configure their permissions
- Permission Matrix --- See the full breakdown of what each access level allows in every section