# RBAC Admin Guide (As-Is Documentation)
This document outlines the Role-Based Access Control (RBAC) and Subscription Plan restrictions currently implemented in the system as of March 2026.
## 1. Subscription Plans & Module Access

Module access is gated at the plan level. If a module is not included in the plan, even a user whose role would otherwise permit it is prompted to upgrade before the module's features can be used.
| Module Name | Backend Key | Free Plan | Professional | Premium |
|---|---|---|---|---|
| Sales | sales | ✅ | ✅ | ✅ |
| Purchases | purchase | ✅ | ✅ | ✅ |
| Inventory | inventory | ✅ | ✅ | ✅ |
| Accounts | accounts | ✅ | ✅ | ✅ |
| CRM | crm | ❌ | ✅ | ✅ |
| Point of Sale | pos | ❌ | ✅ | ✅ |
| HRMS | hrms | ❌ | ✅ | ✅ |
| Payroll | payroll | ❌ | ✅ | ✅ |
| AI Office | ai-office | ❌ | ❌ | ✅ |
| AI Scanning | ai-scan | ❌ | ✅ | ✅ |
## 2. Role-Based Menu Access Matrix

The following tables show which menus are visible and accessible based on the User Role and the Subscription Plan.

> [!NOTE]
> Menus like Reports, Approvals, and Admin Dashboard are not strictly limited by Subscription Plan keys but are heavily filtered by User Roles.

### 2.1 Free Plan

Limited to basic ERP modules.
| Menu Item | Admin | Manager | Accountant | HR-Manager | Salesman | Storekeeper | POS-User |
|---|---|---|---|---|---|---|---|
| Quick Start | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| AI Office | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Import Data | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| CRM | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Sales | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ |
| Purchases | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Inventory | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ |
| Accounts | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| HRMS & Payroll | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Self Service | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Reports | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Approvals | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Manager Ctrl | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Admin Panel | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
### 2.2 Professional Plan

Includes CRM, POS, HRMS, and Payroll.
| Menu Item | Admin | Manager | Accountant | HR-Manager | Salesman | Storekeeper | POS-User |
|---|---|---|---|---|---|---|---|
| Quick Start | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| AI Office | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Import Data | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| CRM | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| Sales | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ |
| Purchases | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Inventory | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ |
| Accounts | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| HRMS & Payroll | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Self Service | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Reports | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Approvals | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Manager Ctrl | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Admin Panel | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
### 2.3 Premium Plan

Full suite, including AI Office and WhatsApp.
| Menu Item | Admin | Manager | Accountant | HR-Manager | Salesman | Storekeeper | POS-User |
|---|---|---|---|---|---|---|---|
| Quick Start | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| AI Office | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Import Data | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| CRM | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| Sales | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | ✅ |
| Purchases | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Inventory | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ |
| Accounts | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| HRMS & Payroll | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Self Service | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Reports | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Approvals | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
| Manager Ctrl | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Admin Panel | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
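As an added example (not code from the project), the plan-then-role decision described in sections 1 and 2 in Python: the plan sets come from the section 1 table, the role sets are constructed from the Premium matrix in 2.3, and the role-before-plan ordering is an assumption of the example, not something the guide specifies.

```python
# Plan -> backend module keys (section 1). Role-to-menu sets below are constructed
# from the Premium table in section 2.3, where no plan restriction applies.
PLAN_MODULES = {
    "free": {"sales", "purchase", "inventory", "accounts"},
    "professional": {"sales", "purchase", "inventory", "accounts",
                     "crm", "pos", "hrms", "payroll", "ai-scan"},
    "premium": {"sales", "purchase", "inventory", "accounts",
                "crm", "pos", "hrms", "payroll", "ai-scan", "ai-office"},
}

# Menu -> module keys the plan must include before the menu opens.
MENU_MODULES = {
    "Sales": {"sales"}, "Purchases": {"purchase"}, "Inventory": {"inventory"},
    "Accounts": {"accounts"}, "CRM": {"crm"}, "HRMS & Payroll": {"hrms", "payroll"},
    "AI Office": {"ai-office"},
}

# Menu -> roles that RBAC permits (plan restrictions removed).
MENU_ROLES = {
    "Sales": {"Admin", "Manager", "Salesman", "POS-User"},
    "Purchases": {"Admin", "Manager", "Accountant"},
    "Inventory": {"Admin", "Manager", "Storekeeper"},
    "Accounts": {"Admin", "Manager", "Accountant"},
    "CRM": {"Admin", "Manager", "Salesman"},
    "HRMS & Payroll": {"Admin", "Manager", "Accountant", "HR-Manager", "Salesman"},
    "AI Office": {"Admin", "Manager", "Accountant", "HR-Manager", "Salesman", "Storekeeper"},
}


def menu_access(role: str, plan: str, menu: str) -> str:
    """Return 'allowed', 'forbidden' (role never gets this menu) or
    'upgrade_required' (role is fine but the plan lacks a needed module).

    Role check runs first (an assumption of this example) so a role that could
    never use the menu is denied outright rather than shown an upgrade prompt;
    unknown roles, menus and plans all fail closed.
    """
    if role not in MENU_ROLES.get(menu, set()):
        return "forbidden"
    if not MENU_MODULES[menu] <= PLAN_MODULES.get(plan, set()):
        return "upgrade_required"
    return "allowed"


def visible_menus(role: str, plan: str) -> set:
    """Menus that should render as enabled for this role on this plan."""
    return {m for m in MENU_ROLES if menu_access(role, plan, m) == "allowed"}
```

The same function should back both the sidebar filter and the API permission check, so that hiding a menu in the UI is never the only thing standing between a role and a module.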
## 3. Key Feature Ownership Logic

- Admin Only: User Management, Company Profile, Subscription Billing, Localization settings.
- Manager Only: Manager Control menu (specific dashboards for oversight).
- Accountant: Direct access to Purchases, Accounts, and Reports (shared with Manager/Admin).
- Storekeeper Only: Inventory operations (Receive/Deliver/Transfers), but restricted from Sales/Accounts.
- POS User: Dedicated interface for Sales (POS) and limited Commission tracking.
- HR-Manager: HRMS Dashboard, Leave Approvals, Performance, and Offboarding.
## 4. Technical Mapping (for Reference)

| Module Key | Frontend Route | Backend Serializer Access |
|---|---|---|
| sales | /sales/* | Invoiced, Orders, Customers |
| purchase | /purchases/* | Vendors, Bills, POs |
| inventory | /inventory/* | Stock, Products, Warehouses |
| accounts | /accounting/* | CoA, Journal, Payments |
| crm | /crm/* | Leads, Pipeline |
| pos | /pos | POS Interface |
| hrms | /hrms/* | Employees, Leaves, Performance |
| payroll | /payroll/* | Run Payroll, My Payslips |
| ai-office | /ai-office/* | AI Agents, WhatsApp |
## 5. Module Key Naming Convention & Known Conflicts

> [!IMPORTANT]
> This section is mandatory reading for any developer or AI agent modifying subscription plans or adding new modules.

### Canonical Module Keys (Single Source of Truth)

| Canonical Key | Django App | Frontend URL Prefix | Sidebar Key |
|---|---|---|---|
| accounts | accounts/ | /accounting/* | accounts |
| sales | sales/ | /sales/* | sales |
| purchase | purchases/ | /purchases/* | purchase |
| inventory | inventory/ | /inventory/* | inventory |
| crm | crm/ | /crm/* | crm |
| pos | pos/ | /pos | pos |
| hrms | hrms/ | /hrms/* | hrms |
| payroll | payroll/ | /payroll/* | payroll |
| ai-office | ai_engine/ | /ai-office/* | ai-office |
| ai-scan | ai_engine/ | /ai-office/scan | ai-scan |
### Known Naming Conflict: accounts vs accounting

The accounts module has a confusing three-way naming:

- Django app name: accounts
- URL prefix: /accounting/ (e.g. /accounting/journal-entries)
- Chart of Accounts route: /accounting/accounts (route within accounting)
- Canonical module key: accounts ← use this everywhere

This is a legacy naming inconsistency that is intentionally left as-is to avoid a breaking migration. It is fully handled in code and never needs manual workarounds:
- HasModuleAccess normalizes accounting → accounts ✅
- SubscriptionPlanSerializer.MODULE_ALIAS_MAP normalizes on API exit ✅
- usePlanAccess.ts keyAliases map normalizes on frontend ✅
### Maintenance Rule

> [!WARNING]
> When adding a new module, you MUST update ALL THREE alias maps to keep them in sync:
>
> 1. backend/subscriptions/serializers.py → SubscriptionPlanSerializer.MODULE_ALIAS_MAP
> 2. backend/core/permissions.py → HasModuleAccess.module_map
> 3. frontend/src/hooks/usePlanAccess.ts → keyAliases (and the ModuleName type)
>
> Failure to update all three will cause inconsistent access control between the UI and the API.
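As an added example (not the project's own code), the alias normalization this section describes together with a drift check over the three alias maps the Maintenance Rule requires to stay in sync. The canonical key set is taken from the table above; the three maps are constructed inline as plain dicts (the real frontend map lives in TypeScript) and their contents are assumptions of the example, since the guide documents only the accounting → accounts alias.

```python
# Canonical module keys from the "Canonical Module Keys" table in this guide.
CANONICAL_KEYS = {"accounts", "sales", "purchase", "inventory", "crm",
                  "pos", "hrms", "payroll", "ai-office", "ai-scan"}

# Alias -> canonical key. Constructed stand-ins for the three real maps; only the
# legacy accounting -> accounts alias is documented by the guide.
SERIALIZER_ALIAS_MAP = {"accounting": "accounts"}   # SubscriptionPlanSerializer.MODULE_ALIAS_MAP
PERMISSION_ALIAS_MAP = {"accounting": "accounts"}   # HasModuleAccess.module_map
FRONTEND_ALIAS_MAP = {"accounting": "accounts"}     # usePlanAccess.ts keyAliases


def normalize_module_key(key: str, alias_map: dict) -> str:
    """Map a raw module key (plan entry, sidebar key, permission check) to its
    canonical key. Raises ValueError for a key that is neither canonical nor
    aliased, so a typo in a plan definition fails loudly instead of silently
    granting or denying access.
    """
    key = key.strip().lower()
    canonical = alias_map.get(key, key)
    if canonical not in CANONICAL_KEYS:
        raise ValueError(f"unknown module key: {key!r}")
    return canonical


def alias_map_drift(*maps: dict) -> dict:
    """Return {alias: [target per map, None where missing]} for every alias whose
    target is not identical across all maps; an empty dict means they are in sync."""
    aliases = set().union(*(m.keys() for m in maps))
    drift = {}
    for alias in sorted(aliases):
        targets = [m.get(alias) for m in maps]
        if len(set(targets)) != 1:
            drift[alias] = targets
    return drift
```

Running alias_map_drift over the three maps in CI is a cheap way to catch a module that was added on the frontend but not to the backend permission map, which is exactly the UI/API mismatch the warning above describes.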