JewelTrak Help
All articles

Settings

Permissions & Roles

How permission groups grant access, how users combine groups and overrides, and how it's enforced.

Permissions & Roles

JewelTrak controls access with permission groups — named roles like Manager, Sales, or Back Office. A group is a set of permissions it grants. Access is default-deny: a user can only do what their groups grant — anything not granted is simply unavailable.

What a group can grant

Permissions are action-level. For each module you grant the specific actions a role should have:

  • View / Create / Edit / Delete on Inventory, Watches, Diamonds, Colored Stones, Pearls, Invoices, Memos, Memo Returns, Repairs, Appraisals, Custom Builds, and Contacts.
  • Void on transactions (Invoices, Memos, Memo Returns).
  • Capabilities that cross modules: View Cost / Margin, Apply Order Discounts, Trade Negotiation Fields, Override Price, Modify Price Tiers, View All Stores, and Manage Users.
  • Cost-revealing reports (Profit, Vendor Cost, Inventory Valuation), granted on top of Reports → View.

So you can express precise roles — e.g. Sales can view inventory but not edit it, and create invoices but not void them.

Groups only grant — they never deny

Ticking a box grants that action; leaving it unticked just means “not granted” (it is never an active denial). That’s what makes belonging to more than one group safe.

Users, groups, and overrides

On Settings → Manage Users, open a user to set their access:

  1. Groups — assign the user to one or more groups. Their effective access is the union of everything those groups grant. (Every user needs at least one group — no group means no access.)
  2. Overrides — the effective-permissions grid shows what the groups give them. Tick or untick an individual cell to make a per-user exception: unticking a granted action denies it for that person; ticking an ungranted one grants it. Overridden cells show an amber ring, and you can clear all overrides in one click.

This keeps roles simple: define broad groups, then handle the rare “this one person is different” case with an override instead of a whole new group.

The Administrator group

A built-in Administrator group grants everything and can’t be edited or deleted — assign it to your owners and managers. To delete any other group, first reassign anyone still in it (and the last administrator can’t be removed).

Where permissions are enforced

Every permission is checked in three places, so it can’t be bypassed by deep-linking or a hand-crafted form post:

  1. UI — buttons, columns, and menu items hide.
  2. Page load — the server refuses to send the data (and scrubs cost fields).
  3. Action — the server refuses to write the change.

To set up a role

  1. Settings → Permission Groups → + New (or Create default groups to seed Manager, Sales, and Back Office to tweak).
  2. Name it and tick the actions in the matrix.
  3. Settings → Manage Users, open a user, assign the group, and adjust overrides if needed.

Viewing your own access

Anyone can open their own user to see their groups and effective permissions read-only — so if something’s missing, you know to ask an administrator. Full administrators can also edit their own (handy for, say, hiding a feature you never use), and JewelTrak won’t let you remove the organization’s last administrator.

See also

  • Adding Inventory Items — what staff need to view vs. create or edit
  • Period Close — locked periods are an additional layer on top of role permissions