Role-Based Access Control (RBAC)
Comprehensive guide to user roles, permissions, and access control in Dernetz ERP
Last Updated: November 5, 2025 | Version: 1.0
Overview
Dernetz ERP implements a robust Role-Based Access Control (RBAC) system to ensure data security and proper access management.
Key Benefits:
- Data Isolation: Users only see data they're authorized to access
- Security: Prevents unauthorized access to sensitive information
- Compliance: Meets GDPR and data protection requirements
- Flexibility: Easy to manage team permissions as you scale
User Roles
Owner (Super Admin)
Full System Access
- ✅ See ALL customers (including other owners')
- ✅ Import/Export data
- ✅ Create/edit/delete ALL users
- ✅ Reassign customers to anyone
- ✅ Access all system settings
- ✅ View all reports and analytics
Use with caution: Owner accounts have unrestricted access!
Manager
Team Management
- ✅ See all customers EXCEPT owner-owned
- ✅ Reassign customers (to non-owners)
- ✅ Create/edit non-owner users
- ✅ Allocate leads to team
- ✅ View team reports
- ❌ Cannot import/export
- ❌ Cannot see owner's customers
Perfect for: Team leads, office managers
Sales Director
Sales Oversight
- ✅ See all team customers
- ✅ View analytics and reports
- ✅ Access forecasting tools
- ❌ Limited edit access
- ❌ Cannot reassign customers
Energy Consultant
Own Customers Only
- ✅ See ONLY their own customers
- ✅ Create new customers (auto-owned)
- ✅ Edit their own customers
- ✅ Create quotes and contracts
- ❌ Cannot see other users' customers
- ❌ Cannot reassign
- ❌ Cannot import/export
Most common role: Standard team members
Pricing Analyst & Account Manager
Specialized Roles:
Pricing Analyst
- ✅ See own customers
- ✅ Advanced quote tools
- ✅ Access pricing database
Account Manager
- ✅ See own customers
- ✅ Manage renewals
- ✅ Customer relationship tools
Permissions Matrix
| Action | Owner | Manager | Sales Dir. | Consultant |
|---|---|---|---|---|
| View ALL Customers | ✓ Yes | ✓ Except Owners' | ✓ Except Owners' | ✗ Own Only |
| Create Customer | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes (auto-owned) |
| Edit Any Customer | ✓ Yes | ✓ Except Owners' | ✗ No | ✗ Own Only |
| Delete Customer | ✓ Yes | ✓ Except Owners' | ✗ No | ✗ No |
| Reassign Customer | ✓ Yes | ✓ Yes (to non-owners) | ✗ No | ✗ No |
| Import/Export Data | ✓ Yes | ✗ No | ✗ No | ✗ No |
| Manage Users | ✓ All | ✓ Non-owners | ✗ No | ✗ No |
Data Access Rules
How Customer Visibility Works
- Owner: No filter applied - sees absolutely everything
- Manager/Sales Director: Filters out customers where created_by is an Owner
- Others: Only shows customers where created_by = current user's ID
Example:
If John (a Consultant) creates "ABC Ltd", only John and users with the Owner or Manager role can see it. Other Consultants cannot see John's customers.
Customer Ownership
Automatic Assignment
When you create a customer:
- System automatically sets created_by to your user ID
- You become the "owner" of that customer
- You can always see and edit your own customers
No manual assignment needed! It's automatic.
Who Can See It?
After you create a customer:
- You: ✅ Always see it
- Owners: ✅ Can see it
- Managers: ✅ Can see it (if you're not an Owner)
- Other Consultants: ❌ Cannot see it
Reassigning Customers
Who Can Reassign?
Only Owners and Managers can reassign customers to other users.
How to Reassign a Customer
- Open the customer detail page
- Click the button
- Select the new owner from the dropdown
- Click "Reassign Customer"
Note: The customer will immediately transfer to the new owner. The previous owner will no longer see it (unless they're a Manager/Owner).
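The following is an added example, not Dernetz ERP's own code, that models the visibility filter from "How Customer Visibility Works", the automatic created_by assignment, and the reassignment rules above (Owners and Managers only; Managers only to non-owners and only for non-owner customers). Users and customers are constructed in memory; the role strings, the User/Customer classes and the assumption that reassignment works by updating created_by are all mine, not the product's real schema or enum values.

```python
"""Illustrative model of the customer visibility and reassignment rules.

Added example, not the product's own code. Users, customers and role names
are constructed here; reassignment is ASSUMED to transfer ownership by
updating the customer's created_by field.
"""
from dataclasses import dataclass

# Assumed role identifiers (the page names the roles, not their internal values).
OWNER, MANAGER, SALES_DIRECTOR, CONSULTANT = (
    "owner", "manager", "sales_director", "energy_consultant")


@dataclass(frozen=True)
class User:
    id: int
    name: str
    role: str


@dataclass
class Customer:
    id: int
    name: str
    created_by: int  # user id of the owning user, set automatically on create


class AccessDenied(Exception):
    """Raised when the acting user's role does not permit the operation."""


def visible_customers(actor: User, customers: list[Customer],
                      users_by_id: dict[int, User]) -> list[Customer]:
    """Apply the visibility filter: Owner sees all, Manager/Sales Director
    see everything not created by an Owner, everyone else sees own rows."""
    if actor.role == OWNER:
        return list(customers)  # no filter applied
    if actor.role in (MANAGER, SALES_DIRECTOR):
        return [c for c in customers
                if users_by_id[c.created_by].role != OWNER]
    return [c for c in customers if c.created_by == actor.id]


def create_customer(actor: User, name: str,
                    customers: list[Customer]) -> Customer:
    """Automatic assignment: created_by is always the acting user's id,
    never a caller-supplied value."""
    new_id = max((c.id for c in customers), default=0) + 1
    customer = Customer(id=new_id, name=name, created_by=actor.id)
    customers.append(customer)
    return customer


def reassign_customer(actor: User, customer: Customer, new_owner: User,
                      users_by_id: dict[int, User]) -> Customer:
    """Only Owners and Managers may reassign; a Manager may neither move an
    Owner-owned customer nor assign a customer to an Owner."""
    if actor.role not in (OWNER, MANAGER):
        raise AccessDenied(f"role {actor.role!r} cannot reassign customers")
    if actor.role == MANAGER:
        if users_by_id[customer.created_by].role == OWNER:
            raise AccessDenied("managers cannot touch owner-owned customers")
        if new_owner.role == OWNER:
            raise AccessDenied("managers may only reassign to non-owners")
    customer.created_by = new_owner.id  # assumed: transfer == update created_by
    return customer


def demo() -> dict:
    """Walk through the page's ABC Ltd scenario and a reassignment."""
    alice = User(1, "Alice", OWNER)
    mary = User(2, "Mary", MANAGER)
    john = User(3, "John", CONSULTANT)
    jane = User(4, "Jane", CONSULTANT)
    users = {u.id: u for u in (alice, mary, john, jane)}
    customers: list[Customer] = []

    abc = create_customer(john, "ABC Ltd", customers)          # auto-owned by John
    acme = create_customer(alice, "Acme (owner-created)", customers)

    def snapshot():
        return {u.name: [c.name for c in visible_customers(u, customers, users)]
                for u in users.values()}

    before = snapshot()
    reassign_customer(mary, abc, jane, users)  # allowed: Manager, non-owner target
    after = snapshot()                          # John no longer sees ABC Ltd

    denied = []
    for actor, cust, target in ((john, abc, john),    # Consultant cannot reassign
                                (mary, abc, alice),   # Manager -> Owner target
                                (mary, acme, jane)):  # Manager on Owner-owned row
        try:
            reassign_customer(actor, cust, target, users)
            denied.append(False)
        except AccessDenied:
            denied.append(True)
    return {"before": before, "after": after, "denied": denied}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point worth checking in a real deployment is that the filter runs server-side on every list and detail query, and that created_by is set from the authenticated session rather than from request input; otherwise the isolation described above can be sidestepped by a client that supplies its own value.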
Best Practices
Do's
- ✅ Use Energy Consultant for most team members
- ✅ Limit Owner accounts to 1-2 people
- ✅ Use Manager for team leads
- ✅ Reassign customers when team members leave
- ✅ Regularly review user permissions
- ✅ Document role assignments
Don'ts
- ❌ Don't give everyone Owner access
- ❌ Don't share login credentials
- ❌ Don't leave inactive users active
- ❌ Don't forget to reassign before deleting users
- ❌ Don't bypass RBAC with shared accounts
Quick Reference
Need full access?
Use Owner role
Managing a team?
Use Manager role
Standard team member?
Use Energy Consultant role