User Permissions & Roles

Company-level data isolation with flexible role-based access.

Every company in CatOps has its own Master Admin and complete data isolation. Users only see their company's data — always. No frontend-only hiding; enforcement is server-side at the database query level.

Granular sub-roles let you fine-tune what floor leads, managers, and operators can see and do. A floor worker might only see scan and adjust. A manager might see reports and approvals. A Master Admin sees everything.

Unlike spreadsheet-based systems where anyone with the file link can see everything, CatOps enforces permissions at the server level. There is no way to bypass the permission system through the UI or API.

Capabilities

Company isolation

Each company's data is completely separate. No cross-company visibility.

Data isolation is enforced at the database query level. Every query includes a tenant filter, so it is impossible for a user in Company A to see Company B's data. This is not frontend hiding — it is server-side enforcement.

Master Admin

Each company has a Master Admin who can invite users and assign roles.

The Master Admin is the top-level user for each company. They can invite users, assign roles, configure sub-roles, and manage company settings. There is always exactly one Master Admin per company.

Sub-roles

Granular toggles for floor leads, managers, operators, and custom roles.

Create custom sub-roles with specific permission toggles. For example, a Floor Lead might have scan, adjust, and receive permissions but not approve or delete. An Operator might only have scan and view. Sub-roles are fully customizable per company.

Server-side enforcement

Permissions are checked on the server — no frontend bypasses.

Every API request is checked against the user's permissions on the server. Even if someone crafts a direct API request, the server validates their role and tenant before returning data. Frontend hiding is cosmetic; server enforcement is real.

Invitations

Master Admins invite users via email with automatic account setup.

The Master Admin enters an email address, and the invitee receives a link to set up their account. The account is pre-assigned to the company and the role specified by the Master Admin. No manual account creation needed.

Audit logging

User actions are logged for accountability and compliance.

Every create, update, delete, approval, and denial is logged with the user, timestamp, and action details. This audit log is searchable and exportable. It supports compliance requirements and internal accountability.

Session management

Active sessions are tracked and can be revoked by the Master Admin.

The Master Admin can see who is logged in and revoke sessions if needed. This is useful when an employee leaves or when a device is lost. Session revocation is immediate.

Permission templates

Pre-configured role templates for common beverage operation roles.

Start with a template (Floor Worker, Supervisor, Manager, Compliance Officer) and customize as needed. Templates include sensible defaults for each role type, so you do not have to configure every toggle from scratch.

Why CatOps is different

Vs. Spreadsheets

Spreadsheets have no real permission system. Anyone with the file can see everything. There is no audit trail, no role-based access, and no way to prevent a user from deleting or modifying data. CatOps enforces permissions at the server level.

Vs. Generic Software

Generic software may have role fields, but they are often frontend-only. A savvy user can bypass the UI and access data through other means. CatOps enforces permissions at the database query level — there is no bypass.

Vs. Other Beverage Software

Other beverage software may have roles, but they are often rigid (Admin, User) without granular sub-roles. CatOps lets you create custom sub-roles with specific permission toggles for each operation.

How this reduces labor and errors

User onboarding

Before:

Create account in spreadsheet, share file link, hope they do not break something

After:

Master Admin sends invite, user sets up own account, role assigned automatically

Access changes

Before:

Manually update file sharing permissions, create new spreadsheet versions

After:

Change user role in CatOps, permissions update instantly across all pages and APIs

Audit response

Before:

Sort through spreadsheet revision history, try to identify who changed what

After:

Search audit log by user, date, or action — complete history in seconds

Employee offboarding

Before:

Revoke file access, change passwords, check for copied files

After:

Revoke session in CatOps, user immediately locked out, no files to chase

Common Questions

Can users from one company see another company's data?

No. Data isolation is enforced at the database query level. It is not possible for a user to access another company's data through any part of the system.

Can I create custom roles?

Yes. Sub-roles with granular permission toggles let you create roles specific to your operation. Start with a template or build from scratch.

What happens when an employee leaves?

The Master Admin can deactivate the user account and revoke active sessions immediately. The user is locked out instantly, and their audit history is retained.

Want to see User Permissions & Roles in action?

Request a demo and we'll walk you through how it works for your operation.

Request a Demo