Roles & Permissions
Otesse uses a capability-based permission system. Instead of checking if a user "is an admin," the system checks if the user "has permission to do X." This provides fine-grained access control.
How It Works
- Permissions are individual capabilities (e.g., "billing.view", "bookings.create", "users.manage")
- Roles are collections of permissions (e.g., "Dispatcher" has scheduling and booking permissions)
- Users are assigned a role, which grants them all permissions in that role
Permission checks in code always use the pattern:
hasPermission('billing.view', userId)Never:
role === 'admin'Built-In Roles
| Role | Description | Key Permissions |
|---|---|---|
| Super Admin | Full system access | All permissions |
| Admin | Company management | All except system-level settings |
| Operations Manager | Day-to-day operations | Bookings, scheduling, zones, CRM |
| Dispatcher | Schedule and dispatch | Bookings, calendar, crew assignment |
| Account Manager | Customer relationships | CRM, customers, invoices (view) |
| Finance | Billing and payments | Invoices, payments, subscriptions, reports |
| Field Supervisor | On-site management | Bookings (view/update), crew management |
| Technician | Service delivery | Own schedule, check-in/check-out, own bookings |
Permission Categories
Permissions are organized into 11 categories:
- Bookings — create, view, update, cancel, assign
- Customers — create, view, update, delete, merge
- Invoicing — create, view, update, void, send
- Payments — view, process, refund
- Scheduling — view, create, update, manage availability
- Zones — view, create, update, manage coverage
- Industries — view, configure products, manage pricing
- Users — view, invite, update, deactivate, manage roles
- Billing — view financials, manage subscriptions, export reports
- Settings — view, update company settings, manage integrations
- Workflows — view, create, update templates and automations
Access Levels
Each permission can have an access level:
- full — Complete access to the capability
- own — Access only to records the user created or is assigned to
- view — Read-only access
- none — No access (default if permission is not granted)
Custom Roles
To create a custom role:
- Go to Settings > Roles
- Click Create Role
- Name the role and provide a description
- Toggle permissions on/off for each category
- Set access levels where applicable
- Save the role
Custom roles can be edited or deleted at any time. Deleting a role revokes its permissions from all assigned users — reassign them first.
On this page