Member Access Roles
This page explains every role in the G3N Retail Stack, what it enables, and how it interacts with ownership, facility grants, and cross-service access. Use this as the definitive reference when assigning permissions to members, service accounts, or role profiles.
For the quick-reference catalog see Role Matrix. For governance rules see Roles & Governance.
How roles work
Every API call in the stack carries an identity (session or API key) and an org context. The auth layer resolves the caller's effective roles from three sources, merged together:
- Role profile — a named bundle of grants (e.g., `store_manager`) assigned to the member record. Expands into individual role strings.
- Explicit grants — individual role strings added directly to the member record (e.g., `['loyalty_admin', 'giftcard_admin']`).
- Owner flag — if the caller is an active org owner, they bypass all role checks automatically.
The final effective role list is the union of all three sources, deduplicated. A caller only needs one of the required roles to pass a check — roles are OR-combined, not AND-combined.
Example: assembling effective roles
Maria is a member of AURORA3 with:
- Role profile: `store_manager`
- Explicit grants: `['loyalty_admin']`

Her effective roles are:

```text
crm_view, crm_manage, ics_view, ics_operator,
scm_view, scm_order, scm_fulfillment, scm_returns,
ppm_view, pcm_view, slc_view,           ← from store_manager profile
loyalty_admin                           ← from explicit grant
```

Maria can create orders (`scm_order`), receive shipments (`ics_operator`), view pricing (`ppm_view`), manage customers (`crm_manage`), and administer loyalty programs (`loyalty_admin`). She cannot edit products (needs `pvm_edit`), publish merchandising content (needs `pmc_publish`), or manage integrations (needs `integration_admin`).
Owner access
Owners are a special class of member. An active owner (state === 'active') passes every role check in every service, regardless of which roles are required. This bypass is logged as authorized_by: 'owner_override' in the request context for audit purposes.
What owners can do that members cannot
- OFM governance: create orgs, invite/remove owners, set primary owner, change org status, manage all members and teams without delegation roles.
- Facility lifecycle: doom facilities, zones, and org-scoped resources.
- Sales channel activation: activate draft channels, doom active channels.
- All service operations: owners implicitly satisfy any role requirement — `ics_cost_admin`, `crm_privacy_admin`, `ppm_approver`, etc.
Primary owner
One owner is designated primary. Only the primary owner can:
- Transfer primary ownership to another owner.
- Set org-wide delegation defaults and policy guardrails.
- Configure valuation, landed-cost, tender liability, and procurement policies.
- Enable or disable loyalty programs and influencer payout policies.
Example
Jake is the primary owner of NEXGEN3. He calls POST /ics/adjustment/create which normally requires ics_adjust. Jake has no ICS roles explicitly granted, but the auth layer sees is_owner: true, skips the role check, logs owner_override, and allows the call. The adjustment record's request_context.authorized_by field reads 'owner_override'.
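The two examples above (Maria's merged role list and Jake's owner override) as one runnable model. This is an added example, not code from the G3N Retail Stack; the `store_manager` grant list and the `authorized_by: 'owner_override'` value come from this page, while the member record shape (`role_profile_id`, `grants`, `is_owner`, `state`), the `role:<name>` audit value for role-based decisions and the non-active state name used for the negative case are assumptions made for the example.

```javascript
// Added example: resolving effective roles from the three sources described
// above and running an OR-combined role check with the owner bypass.
// Profile contents copied from this page; record shape is an assumption.

const ROLE_PROFILES = {
  store_manager: [
    'crm_view', 'crm_manage', 'ics_view', 'ics_operator',
    'scm_view', 'scm_order', 'scm_fulfillment', 'scm_returns',
    'ppm_view', 'pcm_view', 'slc_view',
  ],
};

// Union of profile expansion and explicit grants, deduplicated. An active
// owner additionally carries the synthetic `owner` role.
function resolveEffectiveRoles(member) {
  const fromProfile = ROLE_PROFILES[member.role_profile_id] || [];
  const explicit = member.grants || [];
  const roles = new Set([...fromProfile, ...explicit]);
  if (member.is_owner && member.state === 'active') roles.add('owner');
  return [...roles];
}

// OR semantics: one matching role is enough. An active owner passes without
// any role match, and the decision records why it was allowed so the
// request context can be audited later.
function authorize(member, requiredRoles) {
  if (member.is_owner && member.state === 'active') {
    return { allowed: true, authorized_by: 'owner_override' };
  }
  const effective = new Set(resolveEffectiveRoles(member));
  const matched = requiredRoles.find((r) => effective.has(r));
  if (matched) {
    // `role:<name>` is this example's convention, not a documented value.
    return { allowed: true, authorized_by: `role:${matched}` };
  }
  return { allowed: false, authorized_by: null, missing: requiredRoles };
}

// Constructed member records mirroring the examples on this page.
const maria = {
  member_id: 'm-1', org: 'AURORA3', state: 'active', is_owner: false,
  role_profile_id: 'store_manager', grants: ['loyalty_admin'],
};
const jake = {
  member_id: 'm-2', org: 'NEXGEN3', state: 'active', is_owner: true,
  role_profile_id: null, grants: [],
};
// A non-active owner must NOT get the bypass; 'suspended' is a constructed
// state name for the example, the page only names 'active'.
const suspendedOwner = { ...jake, state: 'suspended' };

console.log(resolveEffectiveRoles(maria));
console.log(authorize(maria, ['scm_order']));            // allowed via role
console.log(authorize(maria, ['pvm_edit', 'crm_manage'])); // allowed: OR-combined
console.log(authorize(maria, ['pvm_edit']));             // denied
console.log(authorize(jake, ['ics_adjust']));            // owner_override
console.log(authorize(suspendedOwner, ['ics_adjust']));  // denied: not active
```

The state check sits inside `authorize` rather than being taken from a cached flag so that a deactivated owner loses the bypass on the very next request.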
Cross-service roles
These roles span multiple services and are not tied to a single service prefix.
owner
Implicitly granted to active org owners. Bypasses all role checks. See Owner access above.
finance_audit
Purpose: Org-wide read-only access for financial auditing and compliance review.
What it enables (read-only across all these services):
- ICS: View stock positions, transfers, counts, adjustments, serial numbers, ATP queries, demand signals, snapshots. Also grants cost visibility (equivalent to `cost_view`).
- PPM: View all price lists, promotions, coupons, subscription plans, rental rates, FX rates, trade agreements, commission rules, dynamic rules, policies.
- SCM: View orders, returns, refunds, quotes, backorders, special orders, tills, carrier configs, receipts, warranty configs.
- PCM: View purchase orders, worksheets, receipts, invoices, vendor performance, consignment records, RTV records.
- CRM: View customers, accounts, contacts, tax exemptions, loyalty transactions, gift cards, subscriptions, warranties.
- Influencer: View profiles, campaigns, discount tiers, earnings, disputes, payouts, statements.
- Accounting: View accounting events, exports, batches, storage usage, rollups, invoices, AR aging, commissions, consignment settlements, franchise royalties.
What it does NOT enable: No write operations in any service. No OFM, UAS, USM, MRS, PVM, PMC, IPM, RBS, UTL, OPS, UCP, or SLC access.
Example: An external auditor is given a member record with finance_audit as their only grant. They can pull financial reports from Accounting, review order history in SCM, inspect inventory valuations in ICS, and verify pricing in PPM — all read-only. They cannot modify any record, create any entity, or access product definitions, integrations, or org settings.
cost_view
Purpose: Facility-scoped cost visibility for inventory records.
What it enables:
- ICS: When viewing stock positions, variant cost fields (`unit_cost`, `landed_cost`, `avg_cost`) are included in the response. Without `cost_view`, these fields are omitted.
What it does NOT enable: No write access anywhere. Does not grant read access to endpoints — the caller still needs ics_view or another ICS read role. cost_view only controls whether cost columns are visible in the response payload.
Example: A warehouse manager has ics_view and ics_operator but not cost_view. When they call GET /ics/stock/get, they see quantity, location, and status — but cost fields are blank. A finance team member with ics_view + cost_view sees the full record including costs.
Role profiles
Role profiles are predefined bundles of grants designed for common retail positions. They are assigned to a member's role_profile_id field and expand into individual role strings at auth time. Profile grants merge with any explicit grants on the same member.
store_manager
Grants: crm_view, crm_manage, ics_view, ics_operator, scm_view, scm_order, scm_fulfillment, scm_returns, ppm_view, pcm_view, slc_view
What this person can do:
- View and manage customers, issue loyalty points, manage gift cards (CRM)
- View stock levels, receive goods, create zones and bins, putaway, pick, pack, ship (ICS)
- Create and manage orders, process returns, fulfill orders (SCM)
- View pricing and promotions (PPM — read-only, cannot change prices)
- View purchase orders (PCM — read-only, cannot create POs)
- View sales channel sync status (SLC — read-only)
What this person cannot do:
- Edit products or taxonomy (needs `pvm_edit`)
- Approve discounts beyond threshold (needs `scm_discount_approve`)
- Adjust inventory outside of normal operations (needs `ics_adjust`)
- Manage pricing or promotions (needs `ppm_price_admin` or `ppm_promo_admin`)
- Access accounting, integrations, or event bus
store_associate
Grants: crm_view, crm_manage, scm_view, scm_order, ics_view, ppm_view
What this person can do:
- View and manage customers (CRM)
- Create orders and process sales (SCM)
- View inventory levels (ICS — read-only, cannot receive or move stock)
- View pricing and promotions (PPM — read-only)
What this person cannot do:
- Receive shipments, manage bins, or do warehouse operations (needs `ics_operator`)
- Fulfill or ship orders (needs `scm_fulfillment`)
- Process returns (needs `scm_returns`)
- Anything in PCM, PVM, PMC, Influencer, Accounting, etc.
cashier
Grants: crm_view, scm_view, scm_order, ppm_view
What this person can do:
- Look up customers (CRM — read-only, cannot edit customer records)
- Create and process sales orders (SCM)
- View pricing to verify prices during checkout (PPM — read-only)
What this person cannot do:
- Manage customers (needs `crm_manage`)
- View or manage inventory (needs `ics_view`)
- Process returns (needs `scm_returns`)
- Anything beyond basic point-of-sale operations
warehouse_staff
Grants: ics_view, ics_operator, ics_count
What this person can do:
- View stock levels and positions (ICS)
- Receive goods, putaway, pick, pack, ship, create zones and bins (ICS)
- Perform and submit inventory counts (ICS)
What this person cannot do:
- Approve transfers between facilities (needs `ics_transfer_approve`)
- Make inventory adjustments (needs `ics_adjust`)
- Plan replenishment (needs `ics_planner`)
- Access any non-ICS service
warehouse_manager
Grants: ics_view, ics_operator, ics_planner, ics_adjust, ics_count, ics_transfer_approve, pcm_view, pcm_buyer
What this person can do:
- Everything `warehouse_staff` can do, plus:
- Approve inter-facility transfers (ICS)
- Make inventory adjustments (ICS)
- Plan and suggest replenishment (ICS)
- View purchase orders and create new POs (PCM)
What this person cannot do:
- Approve purchase orders (needs `pcm_po_approve`)
- View cost data (needs `cost_view`)
- Access sales, customers, pricing, products, or other non-warehouse services
buyer
Grants: pvm_view, pcm_view, pcm_buyer, ppm_view, ics_view
What this person can do:
- View product catalog, vendors, and manufacturers (PVM — read-only)
- Create and submit purchase orders, record receipts, create worksheets (PCM)
- View pricing to evaluate costs (PPM — read-only)
- View stock levels to identify replenishment needs (ICS — read-only)
What this person cannot do:
- Edit products or vendors (needs `pvm_edit` or `pvm_supplier_admin`)
- Approve POs (needs `pcm_po_approve`)
- Manage inventory directly (needs `ics_operator`)
finance_viewer
Grants: finance_audit, acct_view, cost_view
What this person can do:
- Read-only access across ICS, PPM, SCM, PCM, CRM, Influencer, and Accounting (via `finance_audit`)
- View accounting events, exports, AR aging, commissions (via `acct_view`)
- See inventory cost data in ICS responses (via `cost_view`)
What this person cannot do:
- Write anything in any service
- Create accounting exports (needs `acct_export_admin`)
- Manage AR invoices (needs `ar_admin`)
product_admin
Grants: pvm_view, pvm_edit, pvm_approve, pmc_view, pmc_publish, slc_manage
What this person can do:
- View and edit the entire product catalog: styles, variants, taxonomy, identifiers, barcodes, kits, links, recommendations (PVM)
- Approve product changes (PVM)
- View and publish merchandising content: packs, publish runs, online/offline control, pointers (PMC)
- Manage sales channel listings: create channels, sync variants, force sync, bind facilities (SLC)
What this person cannot do:
- Manage vendors or manufacturers (needs `pvm_supplier_admin`)
- Access inventory, sales, procurement, pricing, or customer data
vendor_admin
Grants: pvm_view, pvm_supplier_admin, pcm_view, pcm_buyer, pcm_po_approve
What this person can do:
- View the product catalog (PVM — read-only for products)
- Create, update, and manage vendors and manufacturers (PVM)
- Create, submit, and approve purchase orders (PCM)
- View and manage procurement worksheets, receipts, invoices (PCM)
What this person cannot do:
- Edit products (needs `pvm_edit`)
- Access inventory, sales, pricing, or customer data
Service-specific roles
UAS (User Account Service)
| Role | Type | What it enables |
|---|---|---|
uas_operator | Reserved | Internal use only. Not enforced in API Gateway. Reserved for future operator-level actions (e.g., bulk user management). |
UAS has no member-facing roles. All operations are either public (email/passcode authentication) or IAM-gated (direct Lambda invocation).
USM (User Session Management)
| Role | Type | What it enables |
|---|---|---|
usm_operator | Reserved | Internal use only. Not enforced in API Gateway. Reserved for future operator-level session management. |
service_account_admin | Active | Create, manage, and revoke service accounts and API keys. Owner-only in current implementation (the role exists for future delegation). |
USM operations split into two categories: session operations (any authenticated user) and service account/API key operations (owner-only).
OFM (Organization and Facility Management)
| Role | What it enables | Example |
|---|---|---|
ofm_view | Read org and facility data. Currently accepted on service accounts for read scoping. | A reporting tool's API key with ofm_view can list facilities and members but cannot modify anything. |
ofm_member_admin | Add members, create invitations, change member state, assign/detach members to facilities. | An HR manager with ofm_member_admin can onboard new staff, assign them to stores, and deactivate departing employees — without needing owner access. |
ofm_team_admin | Create, update, and manage teams. Add/remove team members. | A regional manager with ofm_team_admin can create shift teams, assign staff to teams, and reorganize team structures across their facilities. |
ofm_channel_admin | Change sales channel status (activate, pause, deactivate). Set inventory sources for sales channels. | A channel operations manager with ofm_channel_admin can activate a new Shopify channel or pause a channel during maintenance — without needing to be an owner. |
Facility-scoped operations: Timesheet, shift, and station operations require a facility grant (the member must be assigned to the logical facility) but do not require a named role. If you are assigned to a facility, you can clock in/out, manage your shifts, and use stations at that facility.
Owner-only operations: Org creation, org status changes, owner management (add/remove/set-primary), and bulk imports remain owner-only and cannot be delegated via roles.
MRS (Metarecord Service)
| Role | What it enables | Example |
|---|---|---|
mrs_reader | Read metarecords: get, list, head, meta. | A reporting dashboard with mrs_reader can retrieve stored payloads and metadata but cannot create or modify records. |
mrs_writer | All mrs_reader capabilities plus: create/put records, complete records, add/remove tags, doom records, set TTL. | A service account with mrs_writer can store order snapshots, attach tags for categorization, and set expiry for temporary records. |
mrs_operator | Reserved. Internal use only. Not enforced in API Gateway. | |
MRS is a general-purpose payload store. Read operations accept either mrs_reader or mrs_writer. Write operations require mrs_writer.
PVM (Product & Vendor Management)
| Role | What it enables | Example |
|---|---|---|
pvm_view | Read all product data: styles, variants, taxonomy (divisions, departments, categories, seasons), vendors, manufacturers, identifiers, barcodes, kits, links, recommendations. Search, resolve, and comment-read. | A store associate with pvm_view can look up product details, scan barcodes, and browse the catalog — but cannot change anything. |
pvm_edit | All pvm_view capabilities plus: create/update/status-change styles, variants, taxonomy, identifiers, barcodes, kits, links, recommendations. OGM set. | A product manager with pvm_edit can create new styles, add variants, build kit configurations, and manage the taxonomy tree. |
pvm_supplier_admin | All pvm_view capabilities plus: create/update/status-change vendors and manufacturers. | A procurement lead with pvm_supplier_admin can onboard new vendors, update vendor details, and deactivate inactive suppliers. |
pvm_approve | Product approval workflows (where configured). | A senior merchandiser with pvm_approve can approve product changes before they go live. |
Vendor scope: Members with pvm_edit or pvm_supplier_admin can optionally have a vendor_scope array on their member record, restricting their mutations to only the listed vendors. Owners are exempt from vendor scope.
Legacy aliases: pvv = pvm_view, pma = pvm_edit, vca = pvm_supplier_admin. These are accepted everywhere but new integrations should use canonical names.
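A worked gate for PVM mutations that applies the two rules just stated: legacy alias names are canonicalized before any comparison, and a `vendor_scope` array on the member record limits which vendors a `pvm_edit` or `pvm_supplier_admin` holder may mutate, with owners exempt. This is an added example and not the PVM service's own code; the alias table and role names are from this page, while the member record shape, the helper names and the choice that an empty `vendor_scope` array denies every vendor are assumptions.

```javascript
// Added example: PVM mutation gate with alias canonicalization and
// vendor_scope enforcement. Alias table from this page; everything else
// (record shape, helper names, empty-scope semantics) is assumed.

const PVM_LEGACY_ALIASES = {
  pvv: 'pvm_view',
  pma: 'pvm_edit',
  vca: 'pvm_supplier_admin',
};

// Map legacy names to canonical ones so checks only ever compare canonical
// strings, and report which legacy names were seen so the integration that
// issued them can be migrated.
function canonicalizeGrants(grants) {
  const canonical = new Set();
  const legacyUsed = [];
  for (const g of grants) {
    const mapped = PVM_LEGACY_ALIASES[g];
    if (mapped) {
      legacyUsed.push(g);
      canonical.add(mapped);
    } else {
      canonical.add(g);
    }
  }
  return { roles: [...canonical], legacyUsed };
}

// May `member` perform a mutation that needs `requiredRole` (pvm_edit or
// pvm_supplier_admin) on data belonging to `vendorGuid`?
// - active owners bypass both the role check and the vendor scope
// - a member without a vendor_scope array is unrestricted
// - a member with a vendor_scope array may only touch the listed vendors
//   (an empty array therefore denies everything: this example's choice)
function canMutateForVendor(member, requiredRole, vendorGuid) {
  if (member.is_owner && member.state === 'active') {
    return { allowed: true, reason: 'owner_override' };
  }
  const { roles } = canonicalizeGrants(member.grants || []);
  if (!roles.includes(requiredRole)) {
    return { allowed: false, reason: `missing ${requiredRole}` };
  }
  if (Array.isArray(member.vendor_scope) && !member.vendor_scope.includes(vendorGuid)) {
    return { allowed: false, reason: 'vendor outside vendor_scope' };
  }
  return { allowed: true, reason: `role:${requiredRole}` };
}

// Constructed member records for the example.
const scopedSupplierAdmin = {
  member_id: 'm-10', state: 'active', is_owner: false,
  grants: ['vca', 'ics_view'],            // legacy alias for pvm_supplier_admin
  vendor_scope: ['VND-100', 'VND-200'],
};
const unscopedSupplierAdmin = {
  member_id: 'm-11', state: 'active', is_owner: false,
  grants: ['pvm_supplier_admin'],
};
const catalogViewer = {
  member_id: 'm-12', state: 'active', is_owner: false,
  grants: ['pvv'],
};
const scopedOwner = {
  member_id: 'm-13', state: 'active', is_owner: true,
  grants: [], vendor_scope: ['VND-100'],
};

console.log(canonicalizeGrants(scopedSupplierAdmin.grants));
console.log(canMutateForVendor(scopedSupplierAdmin, 'pvm_supplier_admin', 'VND-100'));
console.log(canMutateForVendor(scopedSupplierAdmin, 'pvm_supplier_admin', 'VND-999'));
console.log(canMutateForVendor(catalogViewer, 'pvm_edit', 'VND-100'));
console.log(canMutateForVendor(scopedOwner, 'pvm_supplier_admin', 'VND-999'));
```

Running `canonicalizeGrants` over every member record and collecting `legacyUsed` is a cheap way to find the integrations that still issue `pvv`, `pma` or `vca` before the aliases are ever retired.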
PMC (Product Merchandising Control)
| Role | What it enables | Example |
|---|---|---|
pmc_view | Read merchandising data: product listings, revisions, content packs, publish profiles, publish runs, manifests, product groups, pointers. | A store manager with pmc_view can check which products are published to which channels and review content pack history. |
pmc_publish | All pmc_view capabilities plus: create/complete content packs, set publish profiles, start/cancel/step publish runs, set/clear product pointers and online status, presign manifests. | A merchandising coordinator with pmc_publish can assemble content packs, trigger publish runs to push product data to sales channels, and control which products appear online. |
PMC enforces requireSession on /stat and named roles on all other endpoints. Build stats require session auth.
ICS (Inventory Control Service)
| Role | What it enables | Example |
|---|---|---|
ics_view | Read all inventory data: stock positions, zones, bins, replenishment rules, receive records, transfer requests/shipments, count plans, serial numbers, holdbacks, ATP queries, demand signals, snapshots, stock cards, comments, inbox. | A buyer with ics_view can check stock availability before placing a PO, but cannot move or adjust stock. |
ics_operator | All ics_view capabilities plus: create zones and bins, set zone/bin status, record replenishment, putaway, pick, pack, ship, receive goods, QC complete, manage reservations/allocations/commits, create and manage transfer shipments, register/update serial numbers, record consignment receive/consume/settle. | A warehouse worker with ics_operator is the hands-on executor: receiving deliveries, stocking shelves, picking orders, packing boxes, and shipping packages. |
ics_planner | All ics_view capabilities plus: set/status replenishment rules, suggest replenishment, suggest transfers, suggest allocations, compute demand signals, create snapshots. | A supply chain planner with ics_planner analyzes demand patterns, sets reorder points, and generates replenishment suggestions — but does not physically handle goods. |
ics_adjust | All ics_view capabilities plus: create inventory adjustments, stock transitions, set stock policies, set holdbacks. | A senior warehouse manager with ics_adjust can record breakage, shrinkage, or revaluation adjustments and set min/max policies on stock positions. |
ics_count | All ics_view capabilities plus: create/submit/approve/reject counts, set/status count plans. | A count team lead with ics_count can plan cycle counts, assign count areas, record counted quantities, and approve or reject count results. |
ics_transfer_approve | Approve or submit inter-facility transfer requests. | A regional logistics manager with ics_transfer_approve can approve a transfer of 500 units from Warehouse A to Store B. This role is deliberately separate from ics_operator to enforce segregation of duties — the person requesting the transfer should not be the one approving it. |
ics_cost_admin | Read access to all ICS data (included in READ_ROLES) plus visibility into cost fields on stock positions. | A finance controller with ics_cost_admin can see unit costs, landed costs, and average costs on inventory records. This is similar to cost_view but scoped specifically to ICS operations. |
Cost visibility: Cost fields (unit_cost, landed_cost, avg_cost) on stock positions are only visible to callers with cost_view, finance_audit, ics_cost_admin, or owner. All other callers see these fields omitted.
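How a stock read can apply the cost-visibility rule above together with the earlier caveat that `cost_view` by itself grants no read access. This is an added example, not the ICS service's own handler; the four cost-visibility roles, the three cost field names and the set of roles that carry ICS read capability are taken from this page, while the record layout, the HTTP-style result shape and the function names are assumptions.

```javascript
// Added example: ICS stock read with cost-field redaction.
// Role lists and field names from this page; record layout and result
// shape are assumed for the example.

const COST_FIELDS = ['unit_cost', 'landed_cost', 'avg_cost'];

// Roles that may see cost fields (from the "Cost visibility" note).
const COST_VISIBILITY_ROLES = ['cost_view', 'finance_audit', 'ics_cost_admin', 'owner'];

// Roles this page describes as carrying ICS read capability: ics_view, the
// ICS roles that include "all ics_view capabilities", ics_cost_admin
// (in READ_ROLES), finance_audit (read-only across ICS) and owner.
const ICS_READ_ROLES = [
  'ics_view', 'ics_operator', 'ics_planner', 'ics_adjust', 'ics_count',
  'ics_cost_admin', 'finance_audit', 'owner',
];

function hasAny(effectiveRoles, wanted) {
  return wanted.some((r) => effectiveRoles.includes(r));
}

// Return a copy of the record with the cost keys omitted entirely (not set
// to null or blank) unless the caller holds a cost-visibility role, so the
// response shape itself carries no hint of the value.
function redactCostFields(record, effectiveRoles) {
  if (hasAny(effectiveRoles, COST_VISIBILITY_ROLES)) return { ...record };
  const out = {};
  for (const [key, value] of Object.entries(record)) {
    if (!COST_FIELDS.includes(key)) out[key] = value;
  }
  return out;
}

// Read gate first, redaction second: a caller with only cost_view is
// rejected before any record is touched.
function getStockPositions(positions, effectiveRoles) {
  if (!hasAny(effectiveRoles, ICS_READ_ROLES)) {
    return { status: 403, body: { error: 'an ICS read role is required' } };
  }
  return { status: 200, body: positions.map((p) => redactCostFields(p, effectiveRoles)) };
}

// Constructed stock positions for the example.
const STOCK_POSITIONS = [
  { variant_guid: 'VAR-1', logical_guid: 'LF-1', quantity: 12, status: 'available',
    unit_cost: 4.5, landed_cost: 5.1, avg_cost: 4.8 },
  { variant_guid: 'VAR-2', logical_guid: 'LF-1', quantity: 0, status: 'out_of_stock',
    unit_cost: 9.0, landed_cost: 9.9, avg_cost: 9.2 },
];

console.log(getStockPositions(STOCK_POSITIONS, ['ics_view', 'ics_operator']));  // no cost keys
console.log(getStockPositions(STOCK_POSITIONS, ['ics_view', 'cost_view']));     // full record
console.log(getStockPositions(STOCK_POSITIONS, ['cost_view']));                 // 403
console.log(getStockPositions(STOCK_POSITIONS, ['finance_audit']));             // read + costs
```

Doing the redaction on a copy, keyed by an explicit field list, keeps the rule in one place; a handler that spreads the raw record into the response and then deletes fields tends to leak the next cost column that gets added.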
PPM (Pricing & Promotions Management)
| Role | What it enables | Example |
|---|---|---|
ppm_view | Read all pricing data: prices, price lists, price zones, dynamic rules, recommendations, policies, promotions, coupons, UOM configs, subscription plans, rental rates, FX rates, installment plans, trade agreements, commission rules, subscription instances, comments, inbox. | A store associate with ppm_view can check the current price of an item, verify a promotion is active, or validate a coupon — but cannot change any pricing. |
ppm_price_admin | All ppm_view capabilities plus: set/approve/reject prices, manage price lists (set, status, assign, clear assignments), manage price zones, set dynamic rules, set recommendations, set policies, manage subscription plans, rental rates, FX rates, installment plans, trade agreements, commission rules, UOM configs. | A pricing analyst with ppm_price_admin can set retail prices, create price lists for different regions, configure dynamic pricing rules, and manage subscription plan pricing. |
ppm_promo_admin | All ppm_view capabilities plus: create/end promotions, create/redeem/status coupons. | A marketing manager with ppm_promo_admin can launch a "20% off summer sale" promotion, create coupon codes, and end promotions when they expire. |
ppm_approver | All ppm_price_admin and ppm_promo_admin capabilities (union). | A pricing director with ppm_approver can do everything that ppm_price_admin and ppm_promo_admin can do. This role exists for senior staff who oversee both pricing and promotions. |
ppm_analyst | Read-only access (same as ppm_view). Included in READ_ROLES for clarity of intent. | A business analyst with ppm_analyst reviews pricing trends and promotion performance. Functionally identical to ppm_view but signals "this person is here for analysis, not operations." |
Legacy aliases: ppm_admin and ppm_approve are legacy aliases for ppm_approver. They are accepted everywhere but should not be used in new integrations.
Org-level scoping: PPM operates at org level. Price lists and promotions can have facility or channel overrides, but the role check is org-scoped — a member with ppm_price_admin can manage prices across all facilities.
SCM (Sales Cycle Management)
| Role | What it enables | Example |
|---|---|---|
scm_view | Read all sales data: orders, returns, refunds, quotes, backorders, special orders, tills, carrier configs, receipts, warranty configs, tender policies, payment gateways, eligibility checks, self-service views, carrier tracking, comments, inbox. | A store manager with scm_view can review order history and monitor daily sales — but cannot create or modify orders. |
scm_order | All scm_view capabilities plus: create/place/cancel/close orders, checkout, cancel order lines, reserve promises, manage appointments (schedule, complete, cancel, no-show, reschedule), open/close tills, set payment gateways, set tender policies. | A cashier with scm_order can ring up sales, process checkouts, open their till at shift start, and close it at shift end. This is the core point-of-sale role. |
scm_fulfillment | All scm_view capabilities plus: fulfill orders, allocate/commit promises, record shipments, manage delivery/install scheduling, create carrier labels, manage receipt templates, generate receipts. | A shipping clerk with scm_fulfillment can pick and pack orders, print shipping labels, schedule deliveries, and generate customer receipts. |
scm_returns | All scm_view capabilities plus: request returns, authorize returns, receive returned goods, set warranty configs. Self-service return requests also require this role. | A returns desk associate with scm_returns can accept returned merchandise, authorize the return, record the physical receipt of goods, and manage warranty policies. |
scm_credit | All scm_view capabilities plus: issue refunds and store credits. | A customer service manager with scm_credit can issue refunds to customers after a return is authorized. This is deliberately separate from scm_returns — the person authorizing the return should not be the one issuing the refund. |
scm_discount_approve | Approve discount overrides that exceed threshold limits during order creation. | A floor manager with scm_discount_approve can authorize a 25% discount that a cashier cannot apply on their own because it exceeds the configured threshold. |
scm_special_order_approve | Create and approve special orders (items not in standard inventory). | A department manager with scm_special_order_approve can create a special order for a customer who wants a product not currently stocked, and approve it for procurement. |
scm_backorder_approve | Approve and cancel backorders (orders for out-of-stock items). | A supply chain coordinator with scm_backorder_approve can approve a backorder when a customer wants to wait for an out-of-stock item, or cancel it if the item is discontinued. |
scm_tax_admin | Manage tax configuration: tax policies, finalization, and quoting. | A tax compliance officer with scm_tax_admin can configure tax rates, tax exemption rules, and tax calculation policies for different jurisdictions. |
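The `ics_transfer_approve` and `scm_credit` rows above explain that those roles are kept separate from `ics_operator` and `scm_returns` for segregation of duties. A role split on its own cannot stop a member who happens to hold both roles from approving their own transfer request or refunding a return they authorized, so the gate below adds an explicit requester-is-not-actor check on top of the role check. This is an added example and not the platform's code: the role names and the separation rationale are from this page, while the extra self-approval check, the record field names (`requested_by`, `return_authorized_by`), the decision shape, and the choice to apply the check to owners as well are assumptions for the example.

```javascript
// Added example: segregation-of-duties gate for transfer approval and refund
// issuance. Role names from this page; the self-approval check, field names
// and decision shape are this example's assumptions.

// Generic gate: the caller needs `requiredRole` (or owner), and must not be
// the member recorded in `requesterField` on the document being acted on.
function sodGate(caller, requiredRole, record, requesterField) {
  const roles = new Set(caller.effective_roles || []);
  const hasRole = roles.has(requiredRole);
  const isOwner = roles.has('owner');
  if (!hasRole && !isOwner) {
    return { allowed: false, reason: `missing ${requiredRole}` };
  }
  // Applied to owners too: the bypass covers role checks, and this is a
  // separate control (example's choice, not documented platform behaviour).
  if (record[requesterField] === caller.member_id) {
    return { allowed: false, reason: 'self_approval_blocked' };
  }
  return { allowed: true, authorized_by: hasRole ? `role:${requiredRole}` : 'owner_override' };
}

function approveTransfer(caller, transferRequest) {
  return sodGate(caller, 'ics_transfer_approve', transferRequest, 'requested_by');
}

function issueRefund(caller, returnRecord) {
  return sodGate(caller, 'scm_credit', returnRecord, 'return_authorized_by');
}

// Constructed records and callers.
const transferRequest = { transfer_guid: 'TR-1', requested_by: 'm-20', quantity: 500,
  from: 'Warehouse A', to: 'Store B' };
const returnRecord = { return_guid: 'RT-1', return_authorized_by: 'm-30', amount: 80.0 };

const requester = { member_id: 'm-20', effective_roles: ['ics_view', 'ics_operator'] };
const approver = { member_id: 'm-21', effective_roles: ['ics_view', 'ics_transfer_approve'] };
const requesterWithBothRoles = { member_id: 'm-20',
  effective_roles: ['ics_view', 'ics_operator', 'ics_transfer_approve'] };
const orgOwner = { member_id: 'm-22', effective_roles: ['owner'] };

const returnsDesk = { member_id: 'm-30', effective_roles: ['scm_view', 'scm_returns', 'scm_credit'] };
const creditTeam = { member_id: 'm-31', effective_roles: ['scm_view', 'scm_credit'] };

console.log(approveTransfer(requester, transferRequest));              // missing role
console.log(approveTransfer(approver, transferRequest));               // allowed
console.log(approveTransfer(requesterWithBothRoles, transferRequest)); // self_approval_blocked
console.log(approveTransfer(orgOwner, transferRequest));               // owner_override
console.log(issueRefund(returnsDesk, returnRecord));                   // self_approval_blocked
console.log(issueRefund(creditTeam, returnRecord));                    // allowed
```

Logging the `self_approval_blocked` outcome alongside the normal authorization record gives reviewers a direct signal that a member has accumulated a role pair the profiles were designed to keep apart.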
PCM (Procurement Cycle Management)
| Role | What it enables | Example |
|---|---|---|
pcm_view | Read all procurement data: NPIs, worksheets, purchase orders, receipts, vendor performance, invoices, consignment records, RTV records, vendor scorecards, comments, inbox. | A finance analyst with pcm_view can review PO history and vendor performance metrics — but cannot create or modify procurement documents. |
pcm_buyer | All pcm_view capabilities plus: create/submit NPIs and worksheets, create POs, suggest POs, record receipts, match invoices, create RTVs, receive RTVs, compute vendor scorecards. | A buyer with pcm_buyer handles the day-to-day procurement workflow: creating purchase orders, recording what arrives at the dock, matching invoices to receipts, and initiating returns to vendors. |
pcm_po_approve | All pcm_view capabilities plus: approve NPIs, approve/issue POs, dispute/resolve invoices, apply credits. | A procurement director with pcm_po_approve reviews and approves purchase orders before they are sent to vendors. This role enforces segregation of duties — buyers create POs, approvers authorize them. |
pcm_consignment | All pcm_view capabilities plus: settle consignment agreements, view consignment records. | A consignment coordinator with pcm_consignment manages vendor-owned inventory that is sold on consignment, settling payments with vendors based on actual sales. |
Facility scoping: Most PCM operations require a logical_guid (the facility where goods are being procured). Worksheets require a channel_code context. Vendor performance and scorecard operations are org-wide (no facility required).
CRM (Customer Relationship & Loyalty)
| Role | What it enables | Example |
|---|---|---|
crm_view | Read all customer data: customers, accounts, contacts, tax exemptions, loyalty balances, gift cards, subscriptions, warranties, fraud assessments, holds, flags, consents, dedupe lists, merge history, retention policies, comments, inbox. | A cashier with crm_view can look up a customer by phone number during checkout to apply their loyalty discount. |
crm_manage | All crm_view capabilities plus: create/update/delete/anonymize customers, manage accounts and contacts, set consents and flags, manage holds, merge customers, assess fraud, manage loyalty (earn, redeem, adjust, reverse, restore, expire, set policy), issue/redeem gift cards, manage subscriptions (create, pause, resume, cancel), manage warranties, manage retention policies. | A customer service rep with crm_manage can update a customer's address, merge duplicate records, issue loyalty points for a complaint resolution, and pause a subscription. |
crm_privacy_admin | All crm_manage capabilities. Specifically intended for GDPR/privacy operations: customer deletion, anonymization, consent management, data export requests. | A data protection officer with crm_privacy_admin can process "right to be forgotten" requests by anonymizing customer records and managing consent preferences. Functionally identical to crm_manage but signals elevated privacy responsibility. |
crm_tax_exemption_admin | All crm_view capabilities plus: create and manage tax exemption certificates. | A tax compliance specialist with crm_tax_exemption_admin can register a non-profit's tax exemption certificate so their purchases are not taxed. |
loyalty_admin | All crm_view capabilities plus: all loyalty operations (earn, redeem, adjust, reverse, restore, expire points, set loyalty policy). | A loyalty program manager with loyalty_admin can configure earning rules, adjust point balances, and set expiry policies — but cannot manage non-loyalty customer data. |
giftcard_admin | All crm_view capabilities plus: issue and redeem gift cards. | A gift card coordinator with giftcard_admin can issue new gift cards and process gift card redemptions at checkout. |
Legacy alias: crm_edit is a legacy alias for crm_manage. Accepted everywhere but should not be used in new integrations.
Influencer (Influencer & Referral Earnings)
| Role | What it enables | Example |
|---|---|---|
inf_view | Read all influencer data: profiles, campaigns, discount tiers, earnings, disputes, payouts, statements, comments, inbox. | A marketing coordinator with inf_view can review campaign performance and influencer earnings reports. |
inf_manage | All inf_view capabilities plus: create/manage profiles, create/manage campaigns, set discount tiers, record attributions, manage earnings (hold, release, clawback), manage disputes, submit payouts, manage payout readiness, create statements. | An influencer program manager with inf_manage has full operational control: onboarding influencers, launching campaigns, recording sales attributions, holding suspicious earnings for review, and triggering payout runs. |
inf_campaign_admin | All inf_view capabilities plus: create/manage profiles, create/manage campaigns, set discount tiers, record attributions. Comment and inbox write access. | A campaign specialist with inf_campaign_admin can set up new campaigns and manage influencer relationships — but cannot touch financial operations like payouts or clawbacks. |
inf_finance | All inf_view capabilities plus: manage earnings (hold, release, clawback), manage disputes, submit payouts, manage payout readiness, create statements. | A finance team member with inf_finance handles the money side: reviewing earnings, resolving disputes, and processing payout batches. They cannot create campaigns or manage influencer profiles. |
Accounting (Accounting & ERP Integration Readiness)
| Role | What it enables | Example |
|---|---|---|
acct_view | Read all accounting data: events, exports, batches, storage usage, rollups, schedules, lineage, invoices, payments, AR aging, balances, statements, credit-hold checks, financial rollups, commissions, dunning policies/actions, consignment settlements, franchise royalties, inference configs. | An accountant with acct_view can review financial records, check AR aging reports, and verify commission calculations. |
acct_export_admin | All acct_view capabilities plus: record events, create/manage exports and batches (including repair), record/reconcile storage usage, create/manage export schedules, generate reconcile reports, manage inference configs and snapshots, export financial rollups, write comments/inbox. | An ERP integration administrator with acct_export_admin can configure and trigger data exports to the company's ERP system, manage export schedules, and handle batch reconciliation. |
ar_admin | All acct_view capabilities plus: create/manage AR invoices, apply payments, set invoice status, set dunning policies, create dunning actions, create/approve/manage consignment settlements, set franchise royalty rules and calculations. | An accounts receivable manager with ar_admin can issue invoices to customers, record incoming payments, manage overdue collections via dunning workflows, and settle consignment accounts with vendors. |
commission_admin | All acct_view capabilities plus: adjust commissions, set commission splits, create/manage commission payouts. | A sales compensation manager with commission_admin can adjust commission amounts for corrections, configure split rules for shared sales, and process commission payout batches. |
IPM (Integration Plane Management)
| Role | What it enables | Example |
|---|---|---|
| integration_view | Read all integration data: event catalog, export contracts, KPIs, lifecycle states, specimens, webhook configs, CDC streams, bulk job status. | A developer with integration_view can browse available events, check webhook delivery status, and monitor bulk import/export jobs. |
| integration_admin | All integration_view capabilities plus: record KPIs, send KPI alerts, create/manage webhook subscriptions, replay webhooks, create/manage bulk imports and exports. | An integration architect with integration_admin can set up webhook endpoints, configure bulk data imports from external systems, and manage the full integration lifecycle. |
RBS (Retail Bus Service)
| Role | What it enables | Example |
|---|---|---|
| rbs_view | Read event subscriptions, notification templates, and notification logs. | An operations analyst with rbs_view can check which SQS queues are subscribed to which events and review notification delivery history. |
| rbs_admin | All rbs_view capabilities plus: register/verify/update/unregister/test event subscriptions, set/status notification templates, send notifications. | A platform administrator with rbs_admin can wire up new event subscribers, configure notification templates, and test event delivery to external systems. |
UTL (Utility Service)
| Role | What it enables | Example |
|---|---|---|
| utl_offboarding_admin | Request, cancel, and check status of org offboarding (data export + purge workflow). | A compliance officer with utl_offboarding_admin can initiate the offboarding process when an organization decides to leave the platform, and cancel it if they change their mind. |
| utl_export_admin | Request, check status, and download data exports (export-only, no purge). | A data analyst with utl_export_admin can request a full data export for archival or migration purposes without triggering the offboarding/purge workflow. |
Note: The offboarding request itself requires primary owner access (not just the role). The role is used for subsequent operations (cancel, status checks). Operator workflows (approve, purge, archive) are direct Lambda only and IAM-gated.
OPS (Operations Management)
OPS has no named roles. All API Gateway endpoints use either:
- Secret code (scrypt-validated): `/ping`, `/stat`, and all mutation operations (maintenance schedule/start/end/cancel/update, vacuum all/org/cancel).
- Session auth: `/maintenance/list`, `/maintenance/get` (read-only).
Direct Lambda handlers (vacuum workers, maintenance sweep) are IAM-gated only.
Example: An operations engineer with the secret code can schedule a maintenance window, check system health, and initiate a data vacuum. A regular member with a valid session can view maintenance records but cannot trigger any operations.
UCP (Universal Commerce Protocol Adapter)
| Role | What it enables | Example |
|---|---|---|
| ucp_admin | All admin operations: register/manage/rotate/revoke platforms, set configs, manage webhooks, manage identity authorization and links. | A platform architect with ucp_admin can register a new UCP-compatible platform (e.g., a Google Shopping integration), configure its checkout flow, and manage OAuth identity linking. |
UCP also has two non-role auth modes:
- Platform auth (`client_id` + `client_secret`): Used by registered platforms for checkout, config retrieval, and identity token operations.
- Bearer token auth (OAuth access token): Used for `/identity/userinfo` by authenticated platform users.
Public endpoints (no auth): `/.well-known/ucp` and `/.well-known/oauth-authorization-server`.
SLC (Sales Ledger Channel)
| Role | What it enables | Example |
|---|---|---|
| slc_view | Read all channel data: get/list channels, list variants, view audit history (variant, Shopify, SKU), view channel stats. | A store manager with slc_view can check which products are synced to Shopify and review sync history — but cannot trigger syncs or modify channel configuration. |
| slc_manage | All slc_view capabilities plus: create/update/delete/activate/pause/resume/deactivate channels, force sync (full or per-variant), add/remove variants, bind/unbind facilities, rotate credentials, purge maps, vacuum, OAuth exchange. | A channel operations manager with slc_manage has full control over sales channel integrations: setting up new Shopify connections, syncing product catalogs, and troubleshooting sync issues. |
OAuth endpoints (`/slc` install entry, `/slc/oauth/callback`): These are separate Lambda functions with Shopify-specific auth (HMAC validation), not role-gated.
Combining roles: practical scenarios
Scenario 1: Small single-store retailer
The owner runs everything. Three employees:
- Alex (Store Manager): profile `store_manager` + explicit grants `['ics_adjust', 'scm_discount_approve', 'loyalty_admin']`. Alex can do almost everything: manage customers, process sales, handle returns, receive inventory, adjust stock for damages, approve discounts, and run the loyalty program.
- Sam (Cashier): profile `cashier`. Sam can ring up sales, look up customers, and check prices. Nothing else.
- Jordan (Stock Room): profile `warehouse_staff`. Jordan can receive shipments, count inventory, and manage the stock room. Cannot access sales or customer data.
Scenario 2: Multi-store fashion retailer
The owner delegates heavily. Key roles:
- Regional Manager: profile `store_manager` + explicit grants `['ofm_member_admin', 'ofm_team_admin', 'scm_discount_approve']`. Can manage staff, create teams, and approve discounts across their stores.
- Buyer: profile `buyer` + explicit grants `['pvm_view']`. Can create POs, view products, and check stock levels.
- Visual Merchandiser: profile `product_admin`. Can manage the product catalog and control which products appear on each sales channel.
- Finance Controller: profile `finance_viewer` + explicit grants `['ar_admin', 'commission_admin']`. Can view everything financial, manage AR, and process commissions.
- External Auditor: explicit grant `['finance_audit']` only. Read-only access across all financial services. Cannot modify anything.
Scenario 3: Service account for POS integration
A service account API key for the POS system:
- Roles: `['scm_order', 'scm_fulfillment', 'crm_view', 'crm_manage', 'ppm_view', 'ics_view', 'ics_operator']`
- This API key can process sales, manage customers, check prices, and update inventory — everything a POS terminal needs. It cannot manage products, procurement, accounting, or org settings.
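The three scenarios above all reduce to the same resolution rule: profile roles and explicit grants are unioned, an active owner bypasses every check, and a check passes if any one required role is present. The following is an added example (not the G3N auth layer's own code) that applies that rule to the POS service account and to Alex; the profile bundles and member records are constructed for illustration, and the `store_manager` bundle is deliberately abbreviated.

```javascript
// Added example, not the G3N auth layer's own code: merges a member's role
// profile, explicit grants and owner flag into an effective role list and
// answers OR-combined role checks. The profile bundles below are constructed
// stand-ins (the real store_manager profile expands to more roles).
const PROFILES = {
  store_manager: ['crm_view', 'crm_manage', 'ics_view', 'ics_operator', 'scm_order'],
  cashier: ['scm_order', 'crm_view', 'ppm_view'],
};

// Union of profile roles and explicit grants, deduplicated (insertion order kept).
function effectiveRoles(member, profiles = PROFILES) {
  const fromProfile = member.profile ? profiles[member.profile] || [] : [];
  return [...new Set([...fromProfile, ...(member.grants || [])])];
}

// A caller needs only ONE of requiredRoles. An *active* owner bypasses the
// check and the decision records authorized_by: 'owner_override' for audit;
// the 'role' value on the non-owner path is this example's own convention.
function authorize(member, requiredRoles, profiles = PROFILES) {
  if (member.owner === true && member.state === 'active') {
    return { allowed: true, authorized_by: 'owner_override', matched: null };
  }
  const roles = effectiveRoles(member, profiles);
  const matched = requiredRoles.find((r) => roles.includes(r));
  return matched
    ? { allowed: true, authorized_by: 'role', matched }
    : { allowed: false, authorized_by: null, matched: null };
}

// Constructed member records mirroring the scenarios above.
const posServiceAccount = {
  grants: ['scm_order', 'scm_fulfillment', 'crm_view', 'crm_manage',
           'ppm_view', 'ics_view', 'ics_operator'],
};
const alex = {
  profile: 'store_manager',
  grants: ['ics_adjust', 'scm_discount_approve', 'loyalty_admin'],
};
// An owner whose membership is not active gets no bypass.
const suspendedOwner = { owner: true, state: 'suspended', grants: [] };

// The POS key can create orders but cannot edit products or manage integrations.
console.log(authorize(posServiceAccount, ['scm_order']).allowed);                     // true
console.log(authorize(posServiceAccount, ['pvm_edit', 'integration_admin']).allowed); // false
console.log(effectiveRoles(alex).length);                                             // 8
console.log(authorize(suspendedOwner, ['acct_view']).allowed);                        // false
```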
Related pages
- Role Matrix — quick-reference canonical catalog
- Roles & Governance — governance model and policies
- Headers & Identity — how auth headers are sent
- Request Context — how roles flow into request context
- User Provisioning — how members are created and granted roles
- Troubleshooting — 404 anti-enumeration behavior when roles are missing