Roles and Permissions
Comprehensive reference of permissions in Neriyam, suggested role templates, and segregation-of-duties guidance for admins.
Roles and Permissions#
Neriyam controls access via roles and permissions. Each user has one or more roles, each role bundles one or more permissions, and each permission grants a specific capability — view, create / edit, approve, send, or cancel — on a specific resource.
Permissions are grouped by module. A user's effective access is the union of every permission across every role they hold.
This page is the catalogue: every permission in the system, what it unlocks, and a set of role templates you can copy when configuring your organization.
The default Administrator role#
When a new organization is created, Neriyam provisions a single default role: Administrator. The owner user is automatically assigned this role.
The Administrator holds all 42 permissions across all 8 modules. From there, the admin creates additional Custom Roles to match the organization's structure and assigns them to other users.
Neriyam ships exactly one default role — Administrator. Every other role you see in your organization is a Custom Role created by an admin. The role templates below are practical starting points; copy them into Custom Roles via Settings › Users and Roles.
Suggested role templates#
Practical recipes you can replicate. Each template covers who the role is for, what the user can do in plain English, the exact permission codes, and any segregation-of-duties caveats.
Purchase Manager#
Approves purchase requisitions and orders, manages suppliers, oversees procurement.
Permissions to grant:
PURCHASE.VIEW_SUPPLIERS,PURCHASE.MANAGE_SUPPLIERS,PURCHASE.APPROVE_SUPPLIERSPURCHASE.VIEW_PURCHASE_REQUISITIONS,PURCHASE.MANAGE_PURCHASE_REQUISITIONS,PURCHASE.APPROVE_PURCHASE_REQUISITIONSPURCHASE.VIEW_PURCHASE_ORDER,PURCHASE.MANAGE_PURCHASE_ORDER,PURCHASE.APPROVE_PURCHASE_ORDER,PURCHASE.SEND_PURCHASE_ORDERPURCHASE.VIEW_PURCHASE_ENTRIESINVENTORY.VIEW_ITEMS,INVENTORY.VIEW_WAREHOUSES,INVENTORY.VIEW_STOCK_ENTRIES
A Purchase Manager who approves should generally not be the same person who manages GRN — that would let one user both approve a PO and confirm receipt against it. Keep PURCHASE.MANAGE_GRN out of this role; it belongs with stores.
Purchase Executive (Buyer)#
Drafts purchase requisitions and orders, manages day-to-day supplier coordination. Cannot approve.
Permissions to grant:
PURCHASE.VIEW_SUPPLIERS,PURCHASE.MANAGE_SUPPLIERSPURCHASE.VIEW_PURCHASE_REQUISITIONS,PURCHASE.MANAGE_PURCHASE_REQUISITIONSPURCHASE.VIEW_PURCHASE_ORDER,PURCHASE.MANAGE_PURCHASE_ORDER,PURCHASE.SEND_PURCHASE_ORDERPURCHASE.VIEW_PURCHASE_ENTRIESINVENTORY.VIEW_ITEMS,INVENTORY.VIEW_WAREHOUSES,INVENTORY.VIEW_STOCK_ENTRIES
Deliberately excluded: APPROVE_PURCHASE_REQUISITIONS, APPROVE_PURCHASE_ORDER, APPROVE_SUPPLIERS. Approval goes to Purchase Manager.
Sales Manager#
Approves sales orders and customers, oversees the sales team, sees full sales activity.
Permissions to grant:
SALES.VIEW_CUSTOMERS,SALES.MANAGE_CUSTOMERS,SALES.APPROVE_CUSTOMERSSALES.VIEW_SALES_ORDER,SALES.MANAGE_SALES_ORDER,SALES.APPROVE_SALES_ORDERSALES.MANAGE_SALES_DELIVERY,SALES.MANAGE_SALES_RETURNSSALES.VIEW_SALES_ENTRIESINVENTORY.VIEW_ITEMS,INVENTORY.VIEW_WAREHOUSES,INVENTORY.VIEW_STOCK_ENTRIES
Sales Executive#
Creates sales orders, drafts deliveries, handles customer coordination. Cannot approve.
Permissions to grant:
SALES.VIEW_CUSTOMERS,SALES.MANAGE_CUSTOMERSSALES.VIEW_SALES_ORDER,SALES.MANAGE_SALES_ORDERSALES.VIEW_SALES_ENTRIESINVENTORY.VIEW_ITEMS,INVENTORY.VIEW_WAREHOUSES,INVENTORY.VIEW_STOCK_ENTRIES
Deliberately excluded: APPROVE_SALES_ORDER, APPROVE_CUSTOMERS. Optionally include MANAGE_SALES_DELIVERY if the same person handles dispatch.
Stores In-charge#
Owns physical stock movements — receiving, transferring, issuing. Submits and cancels stock entries.
Permissions to grant:
INVENTORY.VIEW_ITEMS,INVENTORY.VIEW_WAREHOUSESINVENTORY.MANAGE_STOCK_OPERATIONS,INVENTORY.VIEW_STOCK_ENTRIES,INVENTORY.CANCEL_STOCK_ENTRIESPURCHASE.VIEW_PURCHASE_ORDER,PURCHASE.MANAGE_GRN,PURCHASE.MANAGE_PURCHASE_RETURNS,PURCHASE.VIEW_PURCHASE_ENTRIESSALES.VIEW_SALES_ORDER,SALES.MANAGE_SALES_DELIVERY,SALES.MANAGE_SALES_RETURNS,SALES.VIEW_SALES_ENTRIESMANUFACTURING.VIEW_PRODUCTION
Stores In-charge handles GRN (receipt confirmation). Combining this with Purchase approval permissions in one person breaks the standard 3-way match control.
Stores Operator#
Drafts stock entries; submission and cancellation typically routed through Stores In-charge.
Permissions to grant:
INVENTORY.VIEW_ITEMS,INVENTORY.VIEW_WAREHOUSESINVENTORY.MANAGE_STOCK_OPERATIONS,INVENTORY.VIEW_STOCK_ENTRIESPURCHASE.VIEW_PURCHASE_ORDER,PURCHASE.VIEW_PURCHASE_ENTRIESSALES.VIEW_SALES_ORDER,SALES.VIEW_SALES_ENTRIES
Deliberately excluded: CANCEL_STOCK_ENTRIES. The role can create and submit entries but cannot cancel post-submission — that's the In-charge's job.
Neriyam doesn't currently distinguish "create draft" from "submit" via separate permissions — both are part of MANAGE_STOCK_OPERATIONS. Stores Operator and Stores In-charge therefore differ today only by CANCEL_STOCK_ENTRIES. If you need a tighter draft/submit separation, route submission through workflow rather than permissions.
Production Supervisor#
Records production output and scrap. Reads the rest of the inventory side to plan work.
Permissions to grant:
MANUFACTURING.VIEW_PRODUCTION,MANUFACTURING.MANAGE_PRODUCTIONINVENTORY.VIEW_ITEMS,INVENTORY.VIEW_WAREHOUSES,INVENTORY.VIEW_STOCK_ENTRIESINVENTORY.MANAGE_STOCK_OPERATIONS(production entries are stock entries — this is required for the form to submit)PURCHASE.VIEW_PURCHASE_ORDER,PURCHASE.VIEW_PURCHASE_ENTRIES(to see incoming material)SALES.VIEW_SALES_ORDER(to see what's being made for whom)
Tax Setup Admin#
Maintains tax components, groups, and rates. A specialised role for tax-rate updates when statute changes.
Permissions to grant:
TAX.VIEW_TAX,TAX.MANAGE_TAX_STRUCTURE,TAX.MANAGE_TAX_RATESINVENTORY.VIEW_ITEMS(to verify tax codes on items)
Deliberately excluded: most operational permissions. Tax setup is a focused administrative role.
Auditor / Read-Only#
External auditor, compliance reviewer, or new joiner observation period. Sees everything, changes nothing.
Permissions to grant (View permissions only):
TENANT.VIEW_TENANT,USER.VIEW_USERSINVENTORY.VIEW_ITEMS,INVENTORY.VIEW_WAREHOUSES,INVENTORY.VIEW_STOCK_ENTRIESSALES.VIEW_CUSTOMERS,SALES.VIEW_SALES_ORDER,SALES.VIEW_SALES_ENTRIESPURCHASE.VIEW_SUPPLIERS,PURCHASE.VIEW_PURCHASE_REQUISITIONS,PURCHASE.VIEW_PURCHASE_ORDER,PURCHASE.VIEW_PURCHASE_ENTRIESMANUFACTURING.VIEW_PRODUCTIONSUBCONTRACTING.VIEW_SUBCONTRACTINGTAX.VIEW_TAX
Customer / Supplier Master Data Manager#
Maintains the party master — suited to organizations where master-data ownership is centralised (back-office or compliance function).
Permissions to grant:
SALES.VIEW_CUSTOMERS,SALES.MANAGE_CUSTOMERS,SALES.APPROVE_CUSTOMERSPURCHASE.VIEW_SUPPLIERS,PURCHASE.MANAGE_SUPPLIERS,PURCHASE.APPROVE_SUPPLIERSINVENTORY.VIEW_ITEMS
Deliberately excluded: all transaction permissions. This role keeps masters clean without touching documents.
Subcontracting Coordinator#
Manages subcontracted work — sending material out, receiving processed goods.
Permissions to grant:
SUBCONTRACTING.VIEW_SUBCONTRACTING,SUBCONTRACTING.MANAGE_SUBCONTRACTINGINVENTORY.VIEW_ITEMS,INVENTORY.VIEW_WAREHOUSES,INVENTORY.VIEW_STOCK_ENTRIESINVENTORY.MANAGE_STOCK_OPERATIONSPURCHASE.VIEW_SUPPLIERS,PURCHASE.VIEW_PURCHASE_ENTRIES
The SUBCONTRACTING module's permissions are defined but the corresponding feature is not yet active in the UI. Granting SUBCONTRACTING.MANAGE_SUBCONTRACTING today does not unlock additional pages — the role becomes operational once the Subcontracting workflow is enabled. The other permissions in this template (Inventory, Purchase) work normally so the role is still useful for routing material movements through the existing stock-entry forms.
Permission catalog#
Every permission in Neriyam, by module.
Organization (TENANT)#
The TENANT module is labelled as Organization in the UI. The internal codes retain the TENANT prefix.
| Permission | Description |
|---|---|
TENANT.VIEW_TENANT | View organization settings — Company Profile, locations, bank accounts, modules |
TENANT.MANAGE_TENANT | Edit organization settings — company details, locations, bank accounts, document numbering, payment terms, system settings |
User#
| Permission | Description |
|---|---|
USER.VIEW_USERS | View users and their assigned roles |
USER.MANAGE_USERS | Add new users, assign and revoke roles, deactivate users; create and manage Custom Roles |
Inventory#
| Permission | Description |
|---|---|
INVENTORY.VIEW_ITEMS | View item master records |
INVENTORY.MANAGE_ITEMS | Create, edit, deactivate items and item categories; manage UOM conversions |
INVENTORY.APPROVE_ITEMS | Approve draft items (when item approval is enabled in Settings › Inventory Settings) |
INVENTORY.VIEW_WAREHOUSES | View warehouses |
INVENTORY.MANAGE_WAREHOUSES | Create, edit, deactivate warehouses |
INVENTORY.VIEW_STOCK_ENTRIES | View any stock entry (OPN, ADJ, TRF, PPR, PPT, SPD, SPT, MFG, SCR) and the Stock Ledger |
INVENTORY.MANAGE_STOCK_OPERATIONS | Create and submit stock entries — Opening Stock, Stock Adjustment, Stock Transfer, Production, Scrap |
INVENTORY.CANCEL_STOCK_ENTRIES | Cancel a submitted stock entry. Required in addition to MANAGE_STOCK_OPERATIONS (or the relevant module's manage permission for module-owned entries) |
Sales#
| Permission | Description |
|---|---|
SALES.VIEW_CUSTOMERS | View customer master |
SALES.MANAGE_CUSTOMERS | Create, edit, deactivate customers; manage their addresses, contacts, GST registrations, and bank accounts |
SALES.APPROVE_CUSTOMERS | Approve draft customers (move them from Pending to Approved) |
SALES.VIEW_SALES_ORDER | View sales orders |
SALES.MANAGE_SALES_ORDER | Create, edit, submit, cancel, short-close sales orders |
SALES.APPROVE_SALES_ORDER | Approve or reject sales orders |
SALES.MANAGE_SALES_DELIVERY | Create, edit, submit, cancel sales delivery notes |
SALES.MANAGE_SALES_RETURNS | Create, edit, submit, cancel sales returns |
SALES.MANAGE_JOB_WORK | Defined for an upcoming Jobwork module. Granting it today does not unlock any UI. |
SALES.VIEW_SALES_ENTRIES | View sales delivery notes and sales returns |
Purchase#
| Permission | Description |
|---|---|
PURCHASE.VIEW_SUPPLIERS | View supplier master |
PURCHASE.MANAGE_SUPPLIERS | Create, edit, deactivate suppliers; manage addresses, contacts, GSTINs, bank accounts |
PURCHASE.APPROVE_SUPPLIERS | Approve draft suppliers |
PURCHASE.VIEW_PURCHASE_REQUISITIONS | View purchase requisitions |
PURCHASE.MANAGE_PURCHASE_REQUISITIONS | Create, edit, submit, recall, close, cancel purchase requisitions |
PURCHASE.APPROVE_PURCHASE_REQUISITIONS | Approve or reject purchase requisitions |
PURCHASE.VIEW_PURCHASE_ORDER | View purchase orders |
PURCHASE.MANAGE_PURCHASE_ORDER | Create, edit, submit, recall, cancel, short-close purchase orders |
PURCHASE.APPROVE_PURCHASE_ORDER | Approve or reject purchase orders |
PURCHASE.SEND_PURCHASE_ORDER | Mark an approved PO as Sent (formal communication to the supplier) |
PURCHASE.MANAGE_GRN | Create, edit, submit, cancel goods receipt notes |
PURCHASE.MANAGE_PURCHASE_RETURNS | Create, edit, submit, cancel purchase returns |
PURCHASE.VIEW_PURCHASE_ENTRIES | View GRNs and purchase returns |
Subcontracting#
| Permission | Description |
|---|---|
SUBCONTRACTING.VIEW_SUBCONTRACTING | Defined for the upcoming Subcontracting module. Granting it today does not unlock any UI. |
SUBCONTRACTING.MANAGE_SUBCONTRACTING | Defined for the upcoming Subcontracting module. Granting it today does not unlock any UI. |
Manufacturing#
| Permission | Description |
|---|---|
MANUFACTURING.VIEW_PRODUCTION | View production entries and scrap entries |
MANUFACTURING.MANAGE_PRODUCTION | Create, edit, submit, cancel production and scrap entries. Production also requires INVENTORY.MANAGE_STOCK_OPERATIONS because production entries post to the stock ledger. |
Tax#
| Permission | Description |
|---|---|
TAX.VIEW_TAX | View tax components, tax groups, and tax rates |
TAX.MANAGE_TAX_STRUCTURE | Create, edit, deactivate tax components and tax groups |
TAX.MANAGE_TAX_RATES | Add new tax rates with effective-from dates; auto-closes the previous rate for the same tax code |
Segregation of duties — practical guidance#
A few rules of thumb that keep audit-trail-friendly access patterns:
- Don't grant Manage and Approve for the same document type to one user. A buyer who can both create and approve a PO bypasses the approval control entirely.
- Separate GRN handling from PO approval. The person who approves what to buy should not be the same person who confirms it was received — that's the heart of 3-way match.
- Restrict
INVENTORY.CANCEL_STOCK_ENTRIESto senior roles. Cancellation reverses stock movements and value; treat it as a sensitive action. - Tax setup is admin-only. Don't grant
TAX.*permissions broadly. Once configured, tax rules rarely change; the few who need to update rates useTAX.MANAGE_TAX_RATESspecifically. - Build Custom Roles per FUNCTION, not per PERSON. Assign multiple users to the same role; don't make a "Senthil Kumar" role and an "Aadhira Operator" role. Roles are job-shape templates.
- Audit role assignments quarterly. People change jobs; access often doesn't follow.
- Don't share the Administrator role. It's the master key. Reserve it for the organization owner and one trusted backup. Everyone else gets purpose-built Custom Roles.
How to create a Custom Role#
- Navigate to Settings › Users and Roles → Roles tab
- Click + New Role
- Enter a name (e.g., "Purchase Manager")
- Optionally add a description
- Tick the permissions from the catalog above (use the role templates as a starting point)
- Click Save
The role is now available to assign to users via the Users tab.
For the full role-management UI walkthrough, see Users and Roles.
Related#
- Users and Roles — managing users, creating and editing roles
- Approval workflow — how Approve permissions interact with document lifecycle
- Status Reference — what each lifecycle and fulfillment status means
Last updated