Permission matrix
This page lists the seeded roles and the permissions each one grants. See Roles model for how these combine in real users.
Permission format
Permissions are written action_resource, e.g. read_matter, create_invoice. The four actions are create, read, update, delete.
Base role
staff
Every user has this.
read_user,update_user(themselves)read_notification,update_notificationread_calendar_event,create_calendar_event,update_calendar_event,delete_calendar_eventread_task
Module roles
HR
| Role | Permissions |
|---|---|
hr_worker | read_employee, read_leave, read_appraisal, read_next_of_kin, create_leave, update_leave |
hr_supervisor | All read on HR resources + update_employee, create_leave, update_leave, create_appraisal, create_next_of_kin, update_next_of_kin |
hr_manager | Full CRUD on employee, leave, appraisal, next_of_kin |
CRM
| Role | Permissions |
|---|---|
crm_worker | read_contact, read_account, read_prospect, read_complaint, read_client |
crm_supervisor | Create + read + update on contact, account, prospect, complaint; read_client, create_client |
crm_manager | Full CRUD on contact, account, prospect, complaint, client |
Matter
| Role | Permissions |
|---|---|
matter_worker | Read on matter, brief, activity, task, entry, spend, document, important_date, trial, evidence, matter_team, timeline |
matter_supervisor | Read everything above, plus create/update on brief, activity, task, entry, spend, document, important_date, evidence, matter_team, timeline, and update_matter, update_trial |
matter_manager | Full CRUD on all matter-related resources |
Admin
| Role | Permissions |
|---|---|
admin_worker | Limited admin read |
admin_supervisor | Admin read + update |
admin_manager | Full admin |
Composite roles
general_manager
Inherits hr_manager, crm_manager, matter_manager, admin_manager — effective full control across operations.
administrator
- Full CRUD on
user,role,permission
Legal title roles (no intrinsic permissions)
These are descriptive labels used for display and reporting. They grant no permissions on their own. To give them meaningful access, pair with an appropriate module role.
clerkassociate,senior_associatepartner,senior_partner,managing_partneraccount_managerfront_desk_executive
Example: A user with only
staff+partnercan do no more than a user with onlystaff. To actually work on matters, a partner needs to also havematter_supervisorormatter_manager. This is intentional — it lets firms decide how much authority each partner has in the system.