
Roles & Permissions

Overview

Roles & Permissions is the access control system in Zal Ultra that determines what users can see and do in the system. With 8 role types and hundreds of granular permissions, you can create precise access control for every user level from Admin to Retailer Staff.

Why It's Important:

  • 🔐 Security - Control who can access what
  • 👥 Multi-tier Access - Different permissions for each level
  • 🎯 Granular Control - Module, feature, and action-level permissions
  • Predefined Permissions - Auto-assigned based on role type
  • 🔄 Role Copying - Duplicate roles with all permissions
  • 📊 Activity Logging - Track all role changes

Role Types

8 Role Types

1. Admin Role (Role Type 1)
   - Full system access
   - Can manage everything
   - Cannot be created (already exists)

2. Staff Role (Role Type 2)
   - Admin's helper
   - Customizable permissions
   - Created by Admin

3. Reseller Role (Role Type 3)
   - Main distributors
   - Manage Subresellers
   - Created by Admin/Staff

4. Subreseller Role (Role Type 4)
   - Secondary distributors
   - Manage Retailers
   - Created by Reseller

5. Retailer Role (Role Type 5)
   - Direct sellers
   - Manage Subscribers
   - Created by Subreseller

6. Reseller Staff Role (Role Type 6)
   - Works under Reseller
   - Limited permissions
   - Created by Reseller

7. Subreseller Staff Role (Role Type 7)
   - Works under Subreseller
   - Limited permissions
   - Created by Subreseller

8. Retailer Staff Role (Role Type 8)
   - Works under Retailer
   - Limited permissions
   - Created by Retailer

How Roles & Permissions Work

Role Creation Flow

Step 1: Create Role

Admin creates role → Assigns role type → System auto-formats name
Example: "Manager" → "branch-manager"

Step 2: Predefined Permissions

System automatically assigns default permissions based on role type
Runs as background job (1 minute delay)

Step 3: Customize Permissions

Admin/Creator can add/remove permissions
Granular control over modules and features

Step 4: Assign to Users

When creating user, select role
User inherits all role permissions

Permission Structure

Permission Categories

1. Module Permissions

Controls access to entire modules
Example: "user_module" → Can access User Management

2. Feature Permissions

Controls specific features within modules
Example: "add_user" → Can add new users

3. Action Permissions

Controls specific actions
Example: "edit_user" → Can edit user profiles
Example: "delete_user" → Can delete users

Permission Modules (20+ Modules)

1. Home Dashboard

✅ home_subscriber_counter - View subscriber count
✅ home_accounting_counter - View accounting stats
✅ home_user_counter - View user count
✅ home_predictions - View predictions
✅ home_usage - View usage stats
✅ home_subscriber_expired_expiring - View expiry alerts
✅ home_sales_invoice_reports - View sales reports
✅ home_payments_reports - View payment reports

2. My Profile

✅ my_profile_module - Access my profile
✅ edit_my_profile - Edit my profile
✅ my_profile_change_photo - Change profile photo
✅ my_profile_change_password - Change password
✅ my_profile_change_role - Change my role
✅ my_profile_settings - Access profile settings

3. ISP Management (Superadmin Only)

✅ isp_module - Access ISP management
✅ add_isp - Add new ISP
✅ edit_isp - Edit ISP details
✅ delete_isp - Delete ISP
✅ isp_settings - Manage ISP settings

4. Branch Management (Superadmin Only)

✅ branch_module - Access branch management
✅ add_branch - Add new branch
✅ edit_branch - Edit branch details
✅ delete_branch - Delete branch

5. User Management

✅ user_module - Access user management
✅ add_user - Add new users
✅ edit_user - Edit user profiles
✅ delete_user - Delete users
✅ user_profile - View user profiles
✅ change_user_role - Change user roles
✅ transfer_subscriber - Transfer subscribers
✅ add_balance - Add user balance
✅ user_verification - Verify user documents
✅ user_settings - Manage user settings

6. Subscriber Management

✅ subscriber_module - Access subscriber management
✅ add_subscriber - Add new subscribers
✅ edit_subscriber - Edit subscriber profiles
✅ delete_subscriber - Delete subscribers
✅ subscriber_profile - View subscriber profiles
✅ subscriber_connection - Manage connections
✅ subscriber_disconnection - Disconnect subscribers
✅ subscriber_reconnection - Reconnect subscribers
✅ subscriber_package_change - Change packages
✅ subscriber_expiry_extend - Extend expiry
✅ subscriber_invoice - Generate invoices
✅ subscriber_payment - Record payments
✅ subscriber_verification - Verify documents
✅ subscriber_notes - Manage notes
✅ subscriber_activity_log - View activity logs

7. Allow Reseller (Subreseller/Retailer Only)

✅ allow_reseller - Permission to manage resellers
✅ allow_subreseller - Permission to manage subresellers
✅ allow_retailer - Permission to manage retailers

8. Package Management (Admin/Staff Only)

✅ package_module - Access package management
✅ add_package - Add new packages
✅ edit_package - Edit packages
✅ delete_package - Delete packages
✅ package_copy - Copy packages
✅ package_import - Import packages
✅ assign_package - Assign packages to users
✅ tax_module - Manage taxes/extra fees
✅ policy_module - Manage RADIUS policies
✅ allocation_module - Manage bandwidth allocation

9. Accounting

✅ accounting_module - Access accounting
✅ ledger_module - View ledger
✅ add_ledger - Add ledger entries
✅ edit_ledger - Edit ledger entries
✅ delete_ledger - Delete ledger entries
✅ payment_module - Manage payments
✅ add_payment - Add payments
✅ edit_payment - Edit payments
✅ delete_payment - Delete payments
✅ invoice_module - Manage invoices
✅ generate_invoice - Generate invoices
✅ edit_invoice - Edit invoices
✅ delete_invoice - Delete invoices
✅ invoice_settings - Manage invoice settings

10. Voucher Management

✅ voucher_module - Access voucher management
✅ add_voucher - Add vouchers
✅ edit_voucher - Edit vouchers
✅ delete_voucher - Delete vouchers
✅ voucher_batch - Manage voucher batches
✅ voucher_assign - Assign vouchers

11. Prepaid Card Management

✅ prepaid_card_module - Access prepaid cards
✅ add_prepaid_card - Add prepaid cards
✅ edit_prepaid_card - Edit prepaid cards
✅ delete_prepaid_card - Delete prepaid cards
✅ prepaid_card_batch - Manage batches

12. Network Management

✅ network_module - Access network management
✅ nas_module - Manage NAS devices
✅ add_nas - Add NAS devices
✅ edit_nas - Edit NAS devices
✅ delete_nas - Delete NAS devices
✅ nas_group - Manage NAS groups
✅ mikrotik_module - Mikrotik integration
✅ radius_module - RADIUS management
✅ online_users - View online users
✅ disconnect_user - Disconnect users

13. Inventory Management

✅ inventory_module - Access inventory
✅ product_module - Manage products
✅ add_product - Add products
✅ edit_product - Edit products
✅ delete_product - Delete products
✅ stock_module - Manage stock
✅ purchase_module - Manage purchases
✅ sales_module - Manage sales

14. Department Management (Admin/Staff Only)

✅ department_module - Access departments
✅ add_department - Add departments
✅ edit_department - Edit departments
✅ delete_department - Delete departments

15. Area Management (Admin/Staff Only)

✅ area_module - Access area management
✅ add_area - Add areas
✅ edit_area - Edit areas
✅ delete_area - Delete areas
✅ area_group - Manage area groups

16. Ticket Management

✅ ticket_module - Access tickets
✅ add_ticket - Create tickets
✅ edit_ticket - Edit tickets
✅ delete_ticket - Delete tickets
✅ ticket_reply - Reply to tickets
✅ ticket_assign - Assign tickets
✅ ticket_close - Close tickets
✅ ticket_priority - Change priority

17. Notice Management (Admin/Staff Only)

✅ notice_module - Access notices
✅ add_notice - Add notices
✅ edit_notice - Edit notices
✅ delete_notice - Delete notices
✅ notice_publish - Publish notices

18. Note Management

✅ note_module - Access notes
✅ add_note - Add notes
✅ edit_note - Edit notes
✅ delete_note - Delete notes
✅ private_note - Manage private notes
✅ public_note - Manage public notes

19. SMS Management (Admin/Staff Only)

✅ sms_module - Access SMS
✅ send_sms - Send SMS
✅ sms_template - Manage templates
✅ sms_history - View SMS history
✅ sms_settings - SMS settings

20. Reports

✅ reports_module - Access reports
✅ subscriber_reports - Subscriber reports
✅ accounting_reports - Accounting reports
✅ payment_reports - Payment reports
✅ invoice_reports - Invoice reports
✅ user_reports - User reports
✅ network_reports - Network reports
✅ activity_log - View activity logs

Step-by-Step Guide

Step 1: Access Roles Page

Navigate:

  1. Go to User Management menu
  2. Click Roles & Permissions
  3. View all existing roles

Permission Required:

  • ✅ Admin can manage roles
  • ✅ Staff can manage roles (if permission granted)
  • ❌ Resellers CANNOT manage Admin/Staff roles
  • ✅ Resellers can manage their own staff roles

Step 2: Create New Role

Click "Add Role" Button

1. Role Name (Required)

Input:

Example: "Manager"
Result: "branch-manager" (auto-formatted)

Rules:

- Auto-formatted (lowercase, no spaces)
- Branch prefix added automatically
- Use descriptive names

Examples:

✅ "Sales Manager" → "branch-salesmanager"
✅ "Support Staff" → "branch-supportstaff"
✅ "Network Admin" → "branch-networkadmin"

2. Role Type (Required)

Select Role Type:

For Admin/Staff:

Option 1: Admin (1) - Cannot create
Option 2: Staff (2) ✅
Option 3: Reseller (3) ✅

For Reseller:

Option 1: Subreseller (4) ✅
Option 2: Reseller Staff (6) ✅

For Subreseller:

Option 1: Retailer (5) ✅
Option 2: Subreseller Staff (7) ✅

For Retailer:

Option: Retailer Staff (8) ✅

Important:

⚠️ Admin/Staff CANNOT create Reseller Staff, Subreseller Staff, or Retailer Staff roles (6, 7, 8)
⚠️ Role type determines default permissions
⚠️ Cannot change role type after creation

Step 3: Wait for Predefined Permissions

Automatic Process:

1. Role created
2. Background job queued (1 minute delay)
3. Predefined permissions assigned
4. Role ready for customization

Predefined Permissions Include:

✅ Basic module access
✅ Common features
✅ Role-appropriate actions

Step 4: Customize Permissions

Click "Set Permission" on Role

Permission Categories:

Home Dashboard

☐ Subscriber Counter
☐ Accounting Counter
☐ User Counter
☐ Predictions
☐ Usage Stats
☐ Expired/Expiring Alerts
☐ Sales/Invoice Reports
☐ Payment Reports

My Profile

☐ Module Access
☐ Edit Profile
☐ Change Photo
☐ Change Password
☐ Change Role
☐ Profile Settings

User Management

☐ Module Access
☐ Add User
☐ Edit User
☐ Delete User
☐ User Profile
☐ Change Role
☐ Transfer Subscriber
☐ Add Balance
☐ Verification

Subscriber Management

☐ Module Access
☐ Add Subscriber
☐ Edit Subscriber
☐ Delete Subscriber
☐ Subscriber Profile
☐ Connection/Disconnection
☐ Package Change
☐ Expiry Extend
☐ Invoice Generation
☐ Payment Recording

Package Management (Admin/Staff Only)

☐ Module Access
☐ Add Package
☐ Edit Package
☐ Delete Package
☐ Assign Package
☐ Tax/Extra Fee
☐ Policy Management
☐ Allocation Management

Accounting

☐ Module Access
☐ Ledger Management
☐ Payment Management
☐ Invoice Management
☐ Invoice Settings

Network Management

☐ Module Access
☐ NAS Management
☐ Mikrotik Integration
☐ RADIUS Management
☐ Online Users
☐ Disconnect Users

And many more modules...


Step 5: Save Permissions

Click "Save Permissions"

Success Response:

Permissions updated successfully
Role ready to assign to users

Step 6: Assign Role to Users

When Creating/Editing User:

1. Select role from dropdown
2. Only matching role types shown
3. User inherits all permissions
4. Can change role later

Role Management Features

1. Copy Role

Purpose: Duplicate role with all permissions

How to Use:

1. Click "Copy" on existing role
2. System creates new role with timestamp
3. All permissions copied
4. Rename if needed

Example:

Original: "branch-manager"
Copy: "branch-manager143052"
Result: Exact copy with all permissions ✅

Use Cases:

✅ Create similar roles quickly
✅ Test permission changes
✅ Backup role configuration

2. Edit Role

Purpose: Update role name and type

How to Use:

1. Click "Edit" on role
2. Change name (type cannot change)
3. Save changes

Limitations:

❌ Cannot change role type
❌ Cannot edit if users assigned
✅ Can rename anytime

3. Delete Role

Purpose: Remove unused roles

Rules:

✅ Can delete if no users assigned
❌ Cannot delete if users exist
❌ Cannot delete system roles

How to Delete:

1. Ensure no users have this role
2. Click "Delete" on role
3. Confirm deletion
4. Role permanently removed

Who Can Manage What

Admin/Staff Permissions

Admin Can:

✅ Create Admin Staff roles (2)
✅ Create Reseller roles (3)
✅ Manage all permissions
✅ View all roles
✅ Copy any role
✅ Delete unused roles

Admin CANNOT:

❌ Create Reseller Staff, Subreseller Staff, or Retailer Staff roles (6, 7, 8)
❌ Delete roles with users

Staff Can:

✅ Based on assigned permissions
✅ Usually limited role management

Reseller Permissions

Reseller Can:

✅ Create Reseller Staff roles (6)
✅ Manage own staff roles
✅ Set staff permissions
✅ View own roles only

Reseller CANNOT:

❌ Create Admin/Staff roles
❌ Create Reseller roles
❌ Manage Admin/Staff roles
❌ View Admin/Staff roles

Subreseller Permissions

Subreseller Can:

✅ Create Subreseller Staff roles (7)
✅ Manage own staff roles
✅ Set staff permissions

Subreseller CANNOT:

❌ Create any other role types
❌ Manage parent roles

Retailer Permissions

Retailer Can:

✅ Create Retailer Staff roles (8)
✅ Manage own staff roles
✅ Set staff permissions

Retailer CANNOT:

❌ Create any other role types
❌ Manage parent roles

Common Use Cases

Use Case 1: Create Sales Staff Role

Scenario: Admin wants sales-focused staff

Steps:

1. Create role: "Sales Manager"
2. Role Type: Staff (2)
3. Set Permissions:
   ✅ Subscriber Module
   ✅ Add Subscriber
   ✅ Edit Subscriber
   ✅ Subscriber Profile
   ✅ Package Change
   ✅ Invoice Generation
   ✅ Payment Recording
   ❌ Delete Subscriber
   ❌ User Management
   ❌ Package Management
4. Save permissions
5. Assign to sales staff

Result:

✅ Can manage subscribers
✅ Can process sales
✅ Can record payments
❌ Cannot delete data
❌ Cannot manage users

Use Case 2: Create Support Staff Role

Scenario: Admin wants support-focused staff

Steps:

1. Create role: "Support Staff"
2. Role Type: Staff (2)
3. Set Permissions:
   ✅ Subscriber Module
   ✅ Subscriber Profile
   ✅ Connection/Disconnection
   ✅ Ticket Module
   ✅ Add Ticket
   ✅ Reply Ticket
   ✅ Close Ticket
   ✅ Network Module
   ✅ Online Users
   ❌ Delete Subscriber
   ❌ Payment Management
4. Save permissions
5. Assign to support staff

Result:

✅ Can view subscribers
✅ Can manage connections
✅ Can handle tickets
✅ Can check online users
❌ Cannot handle payments
❌ Cannot delete data

Use Case 3: Create Reseller Staff Role

Scenario: Reseller needs helper

Steps:

1. Login as Reseller
2. Create role: "Reseller Assistant"
3. Role Type: Reseller Staff (6)
4. Set Permissions:
   ✅ Subscriber Module
   ✅ Add Subscriber
   ✅ Subscriber Profile
   ✅ Invoice Generation
   ❌ Delete Subscriber
   ❌ User Management
   ❌ Accounting
5. Save permissions
6. Assign to staff

Result:

✅ Can add subscribers
✅ Can view profiles
✅ Can generate invoices
❌ Cannot delete
❌ Cannot manage users
❌ Cannot access accounting

Use Case 4: Copy and Modify Role

Scenario: Need similar role with slight changes

Steps:

1. Find existing role: "Sales Manager"
2. Click "Copy"
3. New role created: "sales-manager143052"
4. Edit name to: "Senior Sales Manager"
5. Modify permissions:
   ✅ Add: Delete Subscriber
   ✅ Add: User Management (view only)
   ✅ Keep: All sales permissions
6. Save changes

Result:

✅ New role with enhanced permissions
✅ Original role unchanged
✅ Quick role creation

Best Practices

1. Role Planning

Before Creating Roles:

✅ Define job responsibilities
✅ List required modules
✅ Identify needed actions
✅ Consider security implications
✅ Document role purpose

Role Design Principles:

✅ Least privilege - Give minimum needed
✅ Separation of duties - Split sensitive tasks
✅ Clear naming - Descriptive role names
✅ Regular review - Audit permissions

2. Permission Assignment

Permission Guidelines:

✅ Start with minimal permissions
✅ Add permissions as needed
✅ Test with real scenarios
✅ Document permission rationale
✅ Review regularly

Security Best Practices:

✅ Limit delete permissions
✅ Restrict financial access
✅ Control user management
✅ Monitor admin access
✅ Audit permission changes
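
An offline review script for the practices above and for the creation rules in Step 2 ("Role Type"). It is an added example, not part of Zal Ultra or its documentation. It flags delete permissions, financial and user-management permissions, "(Admin/Staff Only)" modules held by other role types, and roles whose type the creator was not eligible to create. Assumptions: the export layout, the sample roles, and the grouping of identifiers into FINANCIAL and USER_ADMIN; the permission names and role-type numbers are the ones listed on this page.

```python
# Added example: permission names and role-type numbers are taken from the page;
# the export layout and the sample roles below are constructed for illustration.

def crud(noun, *extra):
    """Module/add/edit/delete identifiers for one module, plus extras."""
    return {f"{noun}_module", f"add_{noun}", f"edit_{noun}", f"delete_{noun}", *extra}

# Modules the page marks "(Admin/Staff Only)".
ADMIN_STAFF_ONLY = (
    crud("package", "package_copy", "package_import", "assign_package",
         "tax_module", "policy_module", "allocation_module")
    | crud("department") | crud("area", "area_group")
    | crud("notice", "notice_publish")
    | {"sms_module", "send_sms", "sms_template", "sms_history", "sms_settings"}
)
# Assumed grouping for "restrict financial access" and "control user management".
FINANCIAL = crud("ledger") | crud("payment") | {
    "accounting_module", "invoice_module", "generate_invoice", "edit_invoice",
    "delete_invoice", "invoice_settings", "add_balance", "subscriber_payment"}
USER_ADMIN = {"add_user", "edit_user", "delete_user",
              "change_user_role", "my_profile_change_role"}
# Creator role type -> role types it may create (Step 2, "Role Type").
CREATABLE = {1: {2, 3}, 2: {2, 3}, 3: {4, 6}, 4: {5, 7}, 5: {8}}

def audit(roles):
    """Return (role, rule, detail) findings for manual review."""
    findings = []
    for name, role in sorted(roles.items()):
        if role["type"] not in CREATABLE.get(role["creator_type"], set()):
            detail = f"type {role['type']} created by type {role['creator_type']}"
            findings.append((name, "HIERARCHY", detail))
        for perm in sorted(role["permissions"]):
            if role["type"] not in (1, 2) and perm in ADMIN_STAFF_ONLY:
                findings.append((name, "SCOPE", perm))
            if perm.startswith("delete_"):
                findings.append((name, "DELETE", perm))
            if perm in FINANCIAL:
                findings.append((name, "FINANCIAL", perm))
            if perm in USER_ADMIN:
                findings.append((name, "USER_ADMIN", perm))
    return findings

# Constructed export: role name -> role type, creator's role type, permissions.
SAMPLE_ROLES = {
    "branch-salesmanager": {"type": 2, "creator_type": 1, "permissions": {
        "subscriber_module", "add_subscriber", "edit_subscriber", "subscriber_profile",
        "subscriber_package_change", "subscriber_invoice", "subscriber_payment"}},
    "branch-resellerassistant": {"type": 6, "creator_type": 1, "permissions": {
        "subscriber_module", "add_subscriber", "subscriber_profile", "subscriber_invoice",
        "delete_subscriber", "package_module", "my_profile_change_role"}},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROLES):
        print(*finding, sep="\t")
```

A finding is a prompt for review, not a verdict: the Sales Manager role from Use Case 1 is flagged only because it holds subscriber_payment, which that use case grants on purpose.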

3. Role Naming

Naming Conventions:

✅ Use descriptive names
✅ Include job function
✅ Indicate level if needed
✅ Keep consistent format

Examples:

✅ "Sales Manager"
✅ "Support Staff"
✅ "Network Admin"
✅ "Billing Clerk"
✅ "Senior Technician"

Avoid:

❌ "Role1", "Role2"
❌ "Test Role"
❌ "Temp"
❌ Generic names

4. Testing Roles

Test Process:

1. Create test user
2. Assign new role
3. Login as test user
4. Verify access
5. Test all permissions
6. Check restrictions
7. Adjust as needed

Test Checklist:

✅ Can access assigned modules
✅ Can perform allowed actions
✅ Cannot access restricted areas
✅ Cannot perform forbidden actions
✅ UI shows/hides correctly

5. Role Maintenance

Regular Tasks:

✅ Review role usage
✅ Update permissions
✅ Remove unused roles
✅ Audit permission changes
✅ Document modifications

Monitoring:

✅ Track role assignments
✅ Monitor permission usage
✅ Review activity logs
✅ Check for violations

Troubleshooting

Issue 1: Cannot Create Reseller Staff Role

Problem:

Error: Not Eligible To This Type Of Role

Cause:

Admin/Staff trying to create Reseller Staff, Subreseller Staff, or Retailer Staff roles (6, 7, 8)

Solution:

Admin/Staff can only create:
- Staff roles (2)
- Reseller roles (3)

Reseller Staff, Subreseller Staff, and Retailer Staff roles (6, 7, 8) must be created by:
- Reseller (creates 6)
- Subreseller (creates 7)
- Retailer (creates 8)

Issue 2: Cannot Delete Role

Problem:

Error: Not Eligible To Delete

Cause:

Role has users assigned

Solution:

1. Find all users with this role
2. Change their roles first
3. Then delete role
4. Or keep role if still needed

Issue 3: Permissions Not Showing

Problem:

User has role but cannot access features

Causes & Solutions:

Cause 1: Permissions Not Set

Solution:
1. Go to role permissions
2. Enable required permissions
3. Save changes
4. User may need to logout/login

Cause 2: Wrong Role Type

Solution:
Check role type matches user profile type
Profile Type 3 (Reseller) needs Role Type 3

Cause 3: Module Disabled

Solution:
Check if module enabled in settings
Some modules can be disabled globally

Issue 4: Predefined Permissions Not Applied

Problem:

New role has no permissions

Cause:

Background job not completed yet

Solution:

Wait 1-2 minutes after role creation
Predefined permissions assigned via queue
Check again after delay
Or manually set permissions

Issue 5: Cannot Copy Role

Problem:

Copy button not working or error

Causes & Solutions:

Cause 1: Permission Issue

Solution:
Check if you have permission to copy roles
Admin/Staff usually can copy
Resellers may have restrictions

Cause 2: Role Type Restriction

Solution:
Cannot copy Reseller Staff, Subreseller Staff, or Retailer Staff roles (6, 7, 8) as Admin
Create new role instead

Summary

Roles & Permissions is the security foundation of Zal Ultra!

✅ Key Takeaways:

  1. 8 Role Types - Admin to Retailer Staff
  2. Granular Permissions - Module, feature, action level
  3. Predefined Permissions - Auto-assigned based on role type
  4. Role Copying - Duplicate roles with permissions
  5. Hierarchy Enforcement - Role type restrictions
  6. Activity Logging - All changes tracked

✅ Role Types:

1. Admin (1)
2. Staff (2)
3. Reseller (3)
4. Subreseller (4)
5. Retailer (5)
6. Reseller Staff (6)
7. Subreseller Staff (7)
8. Retailer Staff (8)

✅ Permission Categories:

✅ Home Dashboard
✅ My Profile
✅ User Management
✅ Subscriber Management
✅ Package Management
✅ Accounting
✅ Network Management
✅ Inventory
✅ Tickets
✅ Reports
✅ And 10+ more modules

✅ Best Practices:

✅ Plan roles before creating
✅ Use least privilege principle
✅ Test roles thoroughly
✅ Document permissions
✅ Review regularly
✅ Monitor usage
✅ Audit changes

✅ Configuration Checklist:

✅ Define role purpose
✅ Choose role type
✅ Create role with descriptive name
✅ Wait for predefined permissions
✅ Customize permissions
✅ Test with test user
✅ Document role details
✅ Assign to users
✅ Monitor usage
✅ Review and update regularly

Perfect for ISPs needing secure, granular access control across multi-tier organizations! 🔐

www.onezeroart.com