B2B Import ERP ships with nine predefined system roles that cover every actor in a B2B industrial services operation — from platform-wide administrators down to end-clients browsing their own portal. Roles are assigned per user at the tenant level, and access is resolved at runtime through a three-stage cascade that accounts for per-user exceptions and multi-site restrictions. No user gains access to a module simply by being logged in; every action is gated by an explicit permission code tied to the user’s role.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/ency07/B2B-import/llms.txt
Use this file to discover all available pages before exploring further.
The 9 Official Roles
SUPER_ADMIN
Platform-wide administration with no tenant affiliation. Has full bypass of all RLS policies (
is_platform_user = true, tenant_id = NULL). Manages tenants, global roles, platform permissions, and cross-tenant audit logs.ADMIN_EMPRESA
Full control within a single tenant. Can create and edit users, assign roles, manage tenant settings (including white-label), and access all operational and financial modules within their company.
GERENTE_GENERAL
Multi-site visibility across the entire tenant. Can approve quotes and jobs, view all commercial and operational data across every site, and access tenant-level audit logs. Has cross-site access by default.
DIR_COMERCIAL
Commercial pipeline management. Creates and edits clients and requirements, manages and approves quotes, and has cross-site read access to all commercial data. Cannot manage operational or financial records.
EJECUTIVO_COM
Day-to-day commercial operations. Creates clients, requirements, and quotes. Can upload documents and view inventory, but cannot approve quotes or create jobs.
DIR_OPERACIONES
Full control over the operations domain. Creates and manages jobs, manages inventory items and movements, closes jobs, and has read access to commercial records.
TECNICO_CAMPO
Field execution. Executes assigned jobs, records work activities, and logs inventory movements. Read-only access to clients and jobs assigned to them. Cannot create jobs, approve quotes, or access financial data.
AUDITOR
Read-only access to all records within the tenant, including the full audit log (
audit.view_tenant). Cannot create, edit, or delete any record. Intended for compliance and internal control functions.CLIENTE
Client portal access. Can view their own quotes, invoices, and shared documents. Can upload documents related to their own requirements. Has no access to operational, inventory, or administrative data.
Permission Matrix
The table below covers the key permission codes across the main modules. Sí = granted by default for that role; No = not granted (may be added viauser_permissions override).
| Module / Permission | SUPER_ADMIN | ADMIN_EMPRESA | GERENTE_GENERAL | DIR_COMERCIAL | EJECUTIVO_COM | DIR_OPERACIONES | TECNICO_CAMPO | AUDITOR | CLIENTE |
|---|---|---|---|---|---|---|---|---|---|
| Platform / Tenants | |||||||||
tenants.create | Sí | No | No | No | No | No | No | No | No |
tenants.view | Sí | No | No | No | No | No | No | No | No |
tenants.settings | Sí | Sí | No | No | No | No | No | No | No |
| Users & Roles | |||||||||
users.create | Sí | Sí | No | No | No | No | No | No | No |
users.edit | Sí | Sí | No | No | No | No | No | No | No |
users.permissions | Sí | Sí | No | No | No | No | No | No | No |
| Commercial / CRM | |||||||||
clients.create | No | Sí | Sí | Sí | Sí | No | No | No | No |
clients.edit | No | Sí | Sí | Sí | Sí | No | No | No | No |
clients.view | No | Sí | Sí | Sí | Sí | Sí | Sí | Sí | No |
quotes.create | No | Sí | Sí | Sí | Sí | No | No | No | No |
quotes.approve | No | No | Sí | Sí | No | No | No | No | No |
quotes.view | No | Sí | Sí | Sí | Sí | Sí | No | Sí | Sí |
| Operations | |||||||||
jobs.create | No | Sí | Sí | No | No | Sí | No | No | No |
jobs.manage | No | Sí | Sí | No | No | Sí | Sí | No | No |
jobs.close | No | No | Sí | No | No | Sí | No | No | No |
documents.upload | No | Sí | Sí | Sí | Sí | Sí | Sí | No | Sí |
documents.view | No | Sí | Sí | Sí | Sí | Sí | Sí | Sí | Sí |
| Inventory | |||||||||
items.manage | No | Sí | No | No | No | Sí | No | No | No |
inventory.movement | No | Sí | No | No | No | Sí | Sí | No | No |
inventory.view | No | Sí | Sí | Sí | Sí | Sí | Sí | Sí | No |
| Finance | |||||||||
invoices.create | No | Sí | Sí | No | No | No | No | No | No |
payments.confirm | No | Sí | Sí | No | No | No | No | No | No |
payments.view | No | Sí | Sí | Sí | No | No | No | Sí | Sí |
| Audit | |||||||||
audit.view_global | Sí | No | No | No | No | No | No | No | No |
audit.view_tenant | No | Sí | Sí | No | No | No | No | Sí | No |
Permission Resolution Cascade
At runtime, every permission check follows a deterministic three-stage cascade:granted = false, the cascade stops — even a role that would normally permit the action cannot override it.
User Exceptions (user_permissions)
The user_permissions table stores per-user permission overrides that augment or restrict what a role alone would grant:
- Grant: give a specific
EJECUTIVO_COMthequotes.approvepermission without promoting them toDIR_COMERCIAL. - Revoke: remove
inventory.viewfrom aDIR_OPERACIONESuser who should not see stock data in a particular deployment.
SUPER_ADMIN and ADMIN_EMPRESA can manage user_permissions rows (users.permissions gate).
Custom Roles
Tenants may create additional roles beyond the nine system defaults. Custom roles are stored with a non-NULL tenant_id in the roles table, scoping them to the creating tenant. System-level global roles carry tenant_id = NULL and are available to all tenants. Custom roles participate in the same three-stage permission resolution cascade as system roles.