Roles & Permissions
Manage the role catalog, assign permissions using the module:action format, and understand how permissions control access throughout the system.
Roles & Permissions
Roles and permissions are the security backbone of the Rent a Car CRM. They control what every user can see, do, and modify. The system uses a database-managed Role-Based Access Control (RBAC) model — nothing is hardcoded, and everything is configurable by authorized administrators.

Role List
Roles are named collections of permissions. Each role represents a job function within your organization.
Default Roles Reference
| Role | Description | Typical Users |
|---|---|---|
| System Administrator | Full access to all modules and settings | IT / System Admin |
| Regional Manager | Cross-branch oversight for a region | Regional Directors |
| Branch Manager | Full operational control for a branch | Branch Managers |
| Reservations Agent | Create and manage reservations | Call center / walk-in agents |
| Fleet Supervisor | Vehicle and fleet operations | Fleet team leads |
| Fleet Inspector | Vehicle inspections and damage assessment | Inspectors / workshop staff |
| Billing Clerk | Invoice creation and payment recording | Finance team (junior) |
| Finance Manager | Financial approvals, credit notes, refunds | Finance team (senior) |
| Customer Service Agent | Handle complaints and customer inquiries | Customer service team |
| Compliance Officer | Document verification and legal compliance | Compliance team |
| Workshop Manager | Maintenance and repair operations | Workshop supervisors |
| Sales Representative | Corporate accounts and lead management | Sales team |
| Read-Only Viewer | View-only access for auditors or observers | Auditors, executives |
These are suggested default roles. Your organization may need additional roles or modified permission sets. Use the role configuration screens under Admin → Roles to customize.
Permission Catalog
Permissions follow the module:action naming convention. This format makes it easy to understand what each permission controls at a glance.

Permission Format
module:action- module — The functional area (e.g.,
reservation,contract,billing,admin) - action — The specific operation (e.g.,
create,read,update,cancel,approve)
Permission Scope Patterns
| Pattern | Meaning | Example |
|---|---|---|
module:create | Create new records | reservation:create |
module:read | View records | customer:read |
module:update | Edit existing records | vehicle:update |
module:delete | Delete records (rarely granted) | customer:delete |
module:cancel | Cancel or void records | contract:cancel |
module:approve | Approve actions or records | billing:approve_refund |
module:export | Export data | reports:export |
admin:manage_* | Administrative functions | admin:manage_users |
Common Permission Codes Reference
Reservations
| Permission | Description |
|---|---|
reservation:create | Create new reservations |
reservation:read | View reservations |
reservation:update | Edit reservation details |
reservation:cancel | Cancel reservations |
reservation:workflow_action | Execute workflow actions on reservations |
Contracts
| Permission | Description |
|---|---|
contract:create | Create rental contracts |
contract:read | View contracts |
contract:update | Edit contract details |
contract:checkout | Process vehicle checkout |
contract:checkin | Process vehicle check-in |
contract:cancel | Cancel contracts |
contract:workflow_action | Execute workflow actions on contracts |
Billing & Financial
| Permission | Description |
|---|---|
billing:create_invoice | Create invoices |
billing:record_payment | Record customer payments |
billing:approve_refund | Approve refund requests |
billing:cancel_invoice | Cancel invoices |
credit_note:create | Create credit notes |
credit_note:approve | Approve credit notes |
credit_note:issue | Issue approved credit notes |
payment:allocate | Allocate payments to invoices |
payment:reverse_allocation | Reverse payment allocations |
writeoff:create | Create write-off requests |
writeoff:approve | Approve write-offs |
Fleet & Vehicles
| Permission | Description |
|---|---|
vehicle:create | Add new vehicles to fleet |
vehicle:update | Edit vehicle details |
vehicle:update_status | Change vehicle status |
vehicle:read | View vehicle information |
vehicle:delete | Remove vehicles (restricted) |
Customers & Drivers
| Permission | Description |
|---|---|
customer:create | Create new customer records |
customer:read | View customer information |
customer:update | Edit customer details |
driver:create | Create driver records |
driver:read | View driver information |
driver:update | Edit driver details |
Complaints & Legal
| Permission | Description |
|---|---|
complaint:create | Create complaint cases |
complaint:transfer | Transfer complaints between agents |
complaint:escalate | Escalate complaints |
complaint:escalate_legal | Escalate to legal |
complaint:workflow_action | Execute workflow actions on complaints |
Accounting
| Permission | Description |
|---|---|
accounting:read | View accounting entries |
accounting:configure | Configure accounting settings |
accounting:generate_entries | Generate accounting entries |
accounting:approve_entries | Approve accounting entries |
accounting:generate_posting_batch | Generate posting batches |
accounting:approve_posting_batch | Approve posting batches |
accounting:export_posting_batch | Export posting batches |
accounting:reverse_entry | Reverse accounting entries |
accounting:close_period | Close accounting periods |
Workflow
| Permission | Description |
|---|---|
workflow:read | View workflow instances and tasks |
workflow:configure | Configure workflow definitions |
workflow:execute_action | Execute workflow transitions |
workflow:assign_task | Assign or reassign tasks |
workflow:complete_task | Complete tasks |
workflow:escalate_task | Escalate tasks |
workflow:approve | Process approvals |
workflow:reject | Reject approval requests |
workflow:view_timeline | View workflow timelines |
workflow:view_sla | View SLA information |
Administration
| Permission | Description |
|---|---|
admin:manage_users | Create, edit, deactivate users |
admin:manage_roles | Create and configure roles |
admin:manage_tenants | Manage tenant configuration |
admin:manage_branches | Manage branches |
Assigning Permissions to Roles
Permissions are not assigned to individual users — they are assigned to roles, and roles are assigned to users.
Step-by-Step: Create a Custom Role
Navigate to Admin → Roles → New Role — The role creation form opens.
Enter role name and description — Use a clear, descriptive name (e.g., "Senior Billing Clerk").
Select permissions — Browse the permission catalog by module. Check each permission this role should include.
Review the summary — The form shows a count of selected permissions by module.
Save — The role is created and available for assignment to users.
Editing Role Permissions
Navigate to Admin → Roles — Open the role to edit.
Click "Edit Permissions" — The permission selection form opens.
Add or remove permissions — Check or uncheck permissions as needed.
Save — Changes take effect for all users with this role on their next API call.
Changing a role's permissions affects all users who have that role. Before modifying permissions on a widely-used role, consider creating a new role instead to avoid unintended access changes.
How Permissions Take Effect
Permissions are checked at two levels:
Backend (API) Enforcement
Every API endpoint checks the requesting user's permissions before executing. If the user lacks the required permission, the API returns a 403 Forbidden response.
| Check | What Happens |
|---|---|
| Permission present | Request proceeds |
| Permission missing | 403 Forbidden returned; action blocked |
Frontend (UI) Enforcement
The frontend reads the user's permissions and hides or shows UI elements accordingly.
| Permission State | UI Behavior |
|---|---|
| Permission present | Button, menu item, or link is visible |
| Permission missing | Element is hidden from the UI |
Frontend permission checks are for usability — they hide buttons the user cannot use. Backend permission checks are for security — they actually block unauthorized actions. Never rely solely on frontend checks.
Permission Inheritance and Combining
When a user has multiple roles, their permissions are combined (union). There is no Deny permission — if any role grants a permission, the user has it.
| User Has Roles | Result |
|---|---|
Role A: reservation:create, reservation:read | User can create and read reservations |
Role A + Role B: billing:create_invoice, billing:read | User can create/read reservations AND create/read invoices |
Role A + Role B (overlap on reservation:read) | reservation:read is granted once (deduplicated) |
Related Pages
- User Management — How to assign roles to users
- Tenants & Branches — Multi-tenant access control
- Workflow Configuration — How workflow permissions integrate