PaulRentACar Docs
Administration

Roles & Permissions

Manage the role catalog, assign permissions using the module:action format, and understand how permissions control access throughout the system.

Roles & Permissions

Roles and permissions are the security backbone of the Rent a Car CRM. They control what every user can see, do, and modify. The system uses a database-managed Role-Based Access Control (RBAC) model — nothing is hardcoded, and everything is configurable by authorized administrators.

Roles


Role List

Roles are named collections of permissions. Each role represents a job function within your organization.

Default Roles Reference

RoleDescriptionTypical Users
System AdministratorFull access to all modules and settingsIT / System Admin
Regional ManagerCross-branch oversight for a regionRegional Directors
Branch ManagerFull operational control for a branchBranch Managers
Reservations AgentCreate and manage reservationsCall center / walk-in agents
Fleet SupervisorVehicle and fleet operationsFleet team leads
Fleet InspectorVehicle inspections and damage assessmentInspectors / workshop staff
Billing ClerkInvoice creation and payment recordingFinance team (junior)
Finance ManagerFinancial approvals, credit notes, refundsFinance team (senior)
Customer Service AgentHandle complaints and customer inquiriesCustomer service team
Compliance OfficerDocument verification and legal complianceCompliance team
Workshop ManagerMaintenance and repair operationsWorkshop supervisors
Sales RepresentativeCorporate accounts and lead managementSales team
Read-Only ViewerView-only access for auditors or observersAuditors, executives

These are suggested default roles. Your organization may need additional roles or modified permission sets. Use the role configuration screens under Admin → Roles to customize.


Permission Catalog

Permissions follow the module:action naming convention. This format makes it easy to understand what each permission controls at a glance.

Permissions

Permission Format

module:action
  • module — The functional area (e.g., reservation, contract, billing, admin)
  • action — The specific operation (e.g., create, read, update, cancel, approve)

Permission Scope Patterns

PatternMeaningExample
module:createCreate new recordsreservation:create
module:readView recordscustomer:read
module:updateEdit existing recordsvehicle:update
module:deleteDelete records (rarely granted)customer:delete
module:cancelCancel or void recordscontract:cancel
module:approveApprove actions or recordsbilling:approve_refund
module:exportExport datareports:export
admin:manage_*Administrative functionsadmin:manage_users

Common Permission Codes Reference

Reservations

PermissionDescription
reservation:createCreate new reservations
reservation:readView reservations
reservation:updateEdit reservation details
reservation:cancelCancel reservations
reservation:workflow_actionExecute workflow actions on reservations

Contracts

PermissionDescription
contract:createCreate rental contracts
contract:readView contracts
contract:updateEdit contract details
contract:checkoutProcess vehicle checkout
contract:checkinProcess vehicle check-in
contract:cancelCancel contracts
contract:workflow_actionExecute workflow actions on contracts

Billing & Financial

PermissionDescription
billing:create_invoiceCreate invoices
billing:record_paymentRecord customer payments
billing:approve_refundApprove refund requests
billing:cancel_invoiceCancel invoices
credit_note:createCreate credit notes
credit_note:approveApprove credit notes
credit_note:issueIssue approved credit notes
payment:allocateAllocate payments to invoices
payment:reverse_allocationReverse payment allocations
writeoff:createCreate write-off requests
writeoff:approveApprove write-offs

Fleet & Vehicles

PermissionDescription
vehicle:createAdd new vehicles to fleet
vehicle:updateEdit vehicle details
vehicle:update_statusChange vehicle status
vehicle:readView vehicle information
vehicle:deleteRemove vehicles (restricted)

Customers & Drivers

PermissionDescription
customer:createCreate new customer records
customer:readView customer information
customer:updateEdit customer details
driver:createCreate driver records
driver:readView driver information
driver:updateEdit driver details
PermissionDescription
complaint:createCreate complaint cases
complaint:transferTransfer complaints between agents
complaint:escalateEscalate complaints
complaint:escalate_legalEscalate to legal
complaint:workflow_actionExecute workflow actions on complaints

Accounting

PermissionDescription
accounting:readView accounting entries
accounting:configureConfigure accounting settings
accounting:generate_entriesGenerate accounting entries
accounting:approve_entriesApprove accounting entries
accounting:generate_posting_batchGenerate posting batches
accounting:approve_posting_batchApprove posting batches
accounting:export_posting_batchExport posting batches
accounting:reverse_entryReverse accounting entries
accounting:close_periodClose accounting periods

Workflow

PermissionDescription
workflow:readView workflow instances and tasks
workflow:configureConfigure workflow definitions
workflow:execute_actionExecute workflow transitions
workflow:assign_taskAssign or reassign tasks
workflow:complete_taskComplete tasks
workflow:escalate_taskEscalate tasks
workflow:approveProcess approvals
workflow:rejectReject approval requests
workflow:view_timelineView workflow timelines
workflow:view_slaView SLA information

Administration

PermissionDescription
admin:manage_usersCreate, edit, deactivate users
admin:manage_rolesCreate and configure roles
admin:manage_tenantsManage tenant configuration
admin:manage_branchesManage branches

Assigning Permissions to Roles

Permissions are not assigned to individual users — they are assigned to roles, and roles are assigned to users.

Step-by-Step: Create a Custom Role

Navigate to Admin → Roles → New Role — The role creation form opens.

Enter role name and description — Use a clear, descriptive name (e.g., "Senior Billing Clerk").

Select permissions — Browse the permission catalog by module. Check each permission this role should include.

Review the summary — The form shows a count of selected permissions by module.

Save — The role is created and available for assignment to users.

Editing Role Permissions

Navigate to Admin → Roles — Open the role to edit.

Click "Edit Permissions" — The permission selection form opens.

Add or remove permissions — Check or uncheck permissions as needed.

Save — Changes take effect for all users with this role on their next API call.

Changing a role's permissions affects all users who have that role. Before modifying permissions on a widely-used role, consider creating a new role instead to avoid unintended access changes.


How Permissions Take Effect

Permissions are checked at two levels:

Backend (API) Enforcement

Every API endpoint checks the requesting user's permissions before executing. If the user lacks the required permission, the API returns a 403 Forbidden response.

CheckWhat Happens
Permission presentRequest proceeds
Permission missing403 Forbidden returned; action blocked

Frontend (UI) Enforcement

The frontend reads the user's permissions and hides or shows UI elements accordingly.

Permission StateUI Behavior
Permission presentButton, menu item, or link is visible
Permission missingElement is hidden from the UI

Frontend permission checks are for usability — they hide buttons the user cannot use. Backend permission checks are for security — they actually block unauthorized actions. Never rely solely on frontend checks.


Permission Inheritance and Combining

When a user has multiple roles, their permissions are combined (union). There is no Deny permission — if any role grants a permission, the user has it.

User Has RolesResult
Role A: reservation:create, reservation:readUser can create and read reservations
Role A + Role B: billing:create_invoice, billing:readUser can create/read reservations AND create/read invoices
Role A + Role B (overlap on reservation:read)reservation:read is granted once (deduplicated)

On this page