Users, Roles & Permissions
An ERP system contains some of the most sensitive data in your organization — financial records, customer details, vendor pricing, employee salaries, and production costs. Controlling who can access, create, modify, and delete this data is not just a best practice; it is a compliance requirement under Indian data protection regulations and a practical necessity for any business with more than one user.
Udyamo ERP Lite provides a comprehensive access control system built on three pillars: user management, role-based permissions, and location-based restrictions. This chapter covers how to set up users, define roles with granular permissions, assign roles to users, and restrict access to specific warehouses or locations.
What You Will Learn
- Why access control matters in an ERP system
- How to add, manage, and deactivate user accounts
- How the role-based access control (RBAC) system works
- The difference between system roles and custom roles
- How permissions are stored and what granular permission keys control
- How to create custom roles tailored to your organization
- How location-based access restricts users to specific warehouses
- Step-by-step procedures for user and role management
Prerequisites
- Administrator or owner access to Udyamo ERP Lite
- Your organization setup completed (covered in Chapter 5: First-Time Setup)
- A clear understanding of your team structure and who needs access to which modules
Why Access Control Matters
In a manufacturing business, different people handle different parts of the operation. The shop floor supervisor manages production orders. The purchase manager raises purchase orders and approves vendor bills. The accountant processes journal entries and reconciles bank accounts. The sales executive creates quotations and invoices. The business owner reviews reports and approves large expenditures.
Without access control, every user can see and modify everything — a sales executive could accidentally modify a journal entry, a production worker could view salary information, or a junior employee could delete a customer record. Access control prevents these scenarios through three mechanisms:
- Segregation of duties — Ensures that the person who creates a purchase order is not the same person who approves the payment. This is a fundamental internal control that reduces the risk of fraud.
- Data confidentiality — Sensitive information (salaries, profit margins, vendor pricing) is visible only to authorized personnel.
- Error prevention — Users can only access the modules relevant to their role, reducing the chance of accidental modifications to records they do not understand.
User Management
Users are managed under Settings > Team (the URL path is /team). Each user represents an individual who can log in to the system.
User fields:
| Field | Description | Required |
|---|---|---|
| Login email address — must be unique across the organization | Yes | |
| First Name | User's first name | Yes |
| Last Name | User's last name | Yes |
| Phone | Contact phone number | No |
| Password | Set on creation; user can change later. Managed via Devise authentication. | Yes (on creation) |
| Active | Whether the user can log in. Inactive users are locked out. | Yes (default: active) |
| Theme / Dark Mode | Visual preferences — each user can customize their own interface | No |
Adding a New User
Step-by-step:
- Navigate to Settings > Team.
- Click Add User (or New User).
- Fill in the required fields: email, first name, last name, and password.
- Optionally set the phone number.
- Click Save.
- The new user can now log in with their email and password.
Tip: Use official company email addresses for user accounts, not personal email addresses. This ensures that when an employee leaves, the account is clearly associated with their company identity and can be deactivated without confusion.
Deactivating a User
When an employee leaves the organization or no longer needs system access, deactivate their account rather than deleting it. Deactivation preserves the audit trail — all transactions created by that user remain attributed to them.
Step-by-step:
- Navigate to Settings > Team.
- Find the user in the list.
- Click on the user to open their profile.
- Click Toggle Active (or the active/inactive toggle).
- The user's status changes to inactive. They can no longer log in.
Warning: Never delete a user account if they have created any transactions in the system. Deleting the user would orphan those records and break the audit trail. Always deactivate instead of delete.
Roles and Permissions
Roles define what a user can do in the system. Each role contains a set of permissions that grant or restrict access to specific features and data. When a role is assigned to a user, that user inherits all the permissions defined in the role.
System Roles
Udyamo ERP Lite ships with two system roles that cannot be deleted or modified. These are marked with is_system: true:
| System Role | Description | Permissions |
|---|---|---|
| Owner | The organization owner — typically the business proprietor or managing director | Full access to every feature, setting, and record. Cannot be restricted. |
| Admin | System administrator — typically the IT manager or senior operations manager | Near-full access to all features. Can manage users, roles, and settings. Cannot change ownership. |
System roles provide a safe foundation. The owner role ensures that at least one person always has unrestricted access, and the admin role allows delegation of system management without granting ownership.
Custom Roles
For everyone else, you create custom roles that match your organizational structure. Permissions are stored as a JSONB field on the Role model, containing an array of granular permission keys.
Common permission keys:
| Permission Key | What It Controls |
|---|---|
manage_items | Create, edit, and delete items in the inventory |
view_items | View items without modification rights |
manage_production_orders | Create and manage production orders, material issues |
manage_bom | Create and edit Bills of Materials |
manage_sales | Create and manage quotations, sales orders, invoices |
manage_purchases | Create and manage purchase orders, bills |
manage_accounting | Create journal entries, manage Chart of Accounts |
view_reports | Access all reports (financial and operational) |
manage_reports | Access and export reports |
manage_users | Add, edit, and deactivate user accounts |
manage_roles | Create and modify roles and permissions |
manage_settings | Modify organization settings and configuration |
manage_payroll | Process salary slips and payroll |
manage_assets | Manage fixed assets, depreciation |
manage_approvals | Approve or reject approval requests |
view_audit_trail | View activity logs and audit records |
Tip: Follow the principle of least privilege — assign each user only the permissions they need to perform their job. It is better to start with minimal permissions and add more as needed than to grant broad access and try to restrict it later.
Creating a Custom Role
Step-by-step:
- Navigate to Settings > Roles.
- Click New Role.
- Enter a Name (e.g., "Production Manager") and an optional Description (e.g., "Manages production orders, BOMs, and quality inspections").
- In the Permissions section, select the permission keys that apply to this role.
- Click Save.
Example roles for a manufacturing business:
| Role Name | Permissions | Typical Assignees |
|---|---|---|
| Production Manager | manage_production_orders, manage_bom, manage_items, view_reports | Shop floor supervisor, production head |
| Accountant | manage_accounting, manage_reports, view_reports, view_audit_trail | Chartered accountant, accounts executive |
| Sales Executive | manage_sales, view_items, view_reports | Sales team members |
| Purchase Manager | manage_purchases, manage_items, view_reports | Procurement team |
| Store Keeper | manage_items, view_items | Warehouse staff |
| HR Manager | manage_payroll, view_reports | HR department |
Assigning Roles to Users
Once roles are created, assign them to users through the RoleAssignment mechanism.
Step-by-step:
- Navigate to Settings > Team.
- Click on the user you want to assign a role to.
- In the user profile, find the Roles section.
- Select one or more roles from the available list.
- Click Save.
A user can have multiple roles. The effective permissions are the union of all assigned roles. For example, if a user has both "Production Manager" and "Sales Executive" roles, they can manage production orders and also create sales invoices.
Tip: Avoid assigning too many roles to a single user. If one person needs permissions from multiple roles, consider creating a dedicated combined role (e.g., "Operations Manager") with exactly the permissions needed, rather than stacking five separate roles.
Location-Based Access Control
In addition to role-based permissions, Udyamo ERP Lite supports location-based restrictions through the UserLocationAssignment model. This is particularly useful for multi-location manufacturing businesses.
Use case: Your company operates two factories — one in Ahmedabad and one in Pune. The Ahmedabad production manager should only see inventory, production orders, and stock movements for the Ahmedabad factory, not Pune. Location-based access makes this possible.
Step-by-step: Restricting a user to specific locations
- Navigate to Settings > Team.
- Click on the user to open their profile.
- In the Locations section, select the locations this user should have access to.
- Click Save.
- The user will now only see data associated with their assigned locations.
| Scenario | Location Assignment | Effect |
|---|---|---|
| No locations assigned | User sees all locations (default behaviour) | Suitable for owners, admins, and accountants who need a company-wide view |
| One location assigned | User sees only that location's data | Suitable for factory-specific managers and store keepers |
| Multiple locations assigned | User sees data from all assigned locations | Suitable for regional managers overseeing multiple facilities |
Warning: Location-based access affects inventory visibility, production order access, and stock movement records. It does not affect accounting or reports, which typically require a company-wide perspective. Accountants and report viewers should not have location restrictions.
Tips & Best Practices
Tip: Document your role definitions and permission assignments in a simple spreadsheet outside the ERP. This makes it easy to onboard new employees — you can look up which role a "new sales executive" should receive without reviewing every existing user's configuration.
Tip: Review user access quarterly. Employees change roles, leave the organization, or take on new responsibilities. A quarterly audit of active users and their assigned roles ensures that permissions stay aligned with actual job functions.
Tip: For segregation of duties in accounting, create separate roles for transaction entry and approval. The person who creates a journal entry should not be the same person who approves it. Similarly, the person who raises a purchase order should not be the person who records the vendor payment.
Warning: The owner role should be assigned to no more than one or two people — the business owner and, if applicable, a co-founder or managing director. Granting owner access broadly defeats the purpose of access control.
Quick Reference
| Concept | Location | Key Points |
|---|---|---|
| User Management | Settings > Team | Add, edit, deactivate users; email is the login identifier |
| Toggle Active | User profile > Toggle Active | Deactivate users who leave; preserves audit trail |
| System Roles | Pre-configured (Owner, Admin) | Cannot be deleted or modified; provide baseline access |
| Custom Roles | Settings > Roles | Define granular permissions tailored to job functions |
| Permissions | Stored as JSONB on Role | Array of permission keys controlling feature access |
| Role Assignment | User profile > Roles | Assign one or more roles to each user; permissions are cumulative |
| Location Access | User profile > Locations | Restrict users to specific warehouses/factories |
| Principle of Least Privilege | Design guideline | Assign only the permissions each user needs; expand as justified |