User Permissions & Roles
Company-level data isolation with flexible role-based access.
Every company in CatOps has its own Master Admin and complete data isolation. Users only see their company's data — always. No frontend-only hiding; enforcement is server-side at the database query level.
Granular sub-roles let you fine-tune what floor leads, managers, and operators can see and do. A floor worker might only see scan and adjust. A manager might see reports and approvals. A Master Admin sees everything.
Unlike spreadsheet-based systems where anyone with the file link can see everything, CatOps enforces permissions at the server level. There is no way to bypass the permission system through the UI or API.
Capabilities
Company isolation
Each company's data is completely separate. No cross-company visibility.
Data isolation is enforced at the database query level. Every query includes a tenant filter, so it is impossible for a user in Company A to see Company B's data. This is not frontend hiding — it is server-side enforcement.
Master Admin
Each company has a Master Admin who can invite users and assign roles.
The Master Admin is the top-level user for each company. They can invite users, assign roles, configure sub-roles, and manage company settings. There is always exactly one Master Admin per company.
Sub-roles
Granular toggles for floor leads, managers, operators, and custom roles.
Create custom sub-roles with specific permission toggles. For example, a Floor Lead might have scan, adjust, and receive permissions but not approve or delete. An Operator might only have scan and view. Sub-roles are fully customizable per company.
Server-side enforcement
Permissions are checked on the server — no frontend bypasses.
Every API request is checked against the user's permissions on the server. Even if someone crafts a direct API request, the server validates their role and tenant before returning data. Frontend hiding is cosmetic; server enforcement is real.
Invitations
Master Admins invite users via email with automatic account setup.
The Master Admin enters an email address, and the invitee receives a link to set up their account. The account is pre-assigned to the company and the role specified by the Master Admin. No manual account creation needed.
Audit logging
User actions are logged for accountability and compliance.
Every create, update, delete, approval, and denial is logged with the user, timestamp, and action details. This audit log is searchable and exportable. It supports compliance requirements and internal accountability.
Session management
Active sessions are tracked and can be revoked by the Master Admin.
The Master Admin can see who is logged in and revoke sessions if needed. This is useful when an employee leaves or when a device is lost. Session revocation is immediate.
Permission templates
Pre-configured role templates for common beverage operation roles.
Start with a template (Floor Worker, Supervisor, Manager, Compliance Officer) and customize as needed. Templates include sensible defaults for each role type, so you do not have to configure every toggle from scratch.
Why CatOps is different
Vs. Spreadsheets
Spreadsheets have no real permission system. Anyone with the file can see everything. There is no audit trail, no role-based access, and no way to prevent a user from deleting or modifying data. CatOps enforces permissions at the server level.
Vs. Generic Software
Generic software may have role fields, but they are often frontend-only. A savvy user can bypass the UI and access data through other means. CatOps enforces permissions at the database query level — there is no bypass.
Vs. Other Beverage Software
Other beverage software may have roles, but they are often rigid (Admin, User) without granular sub-roles. CatOps lets you create custom sub-roles with specific permission toggles for each operation.
How this reduces labor and errors
User onboarding
Create account in spreadsheet, share file link, hope they do not break something
Master Admin sends invite, user sets up own account, role assigned automatically
Access changes
Manually update file sharing permissions, create new spreadsheet versions
Change user role in CatOps, permissions update instantly across all pages and APIs
Audit response
Sort through spreadsheet revision history, try to identify who changed what
Search audit log by user, date, or action — complete history in seconds
Employee offboarding
Revoke file access, change passwords, check for copied files
Revoke session in CatOps, user immediately locked out, no files to chase
Common Questions
Can users from one company see another company's data?
No. Data isolation is enforced at the database query level. It is not possible for a user to access another company's data through any part of the system.
Can I create custom roles?
Yes. Sub-roles with granular permission toggles let you create roles specific to your operation. Start with a template or build from scratch.
What happens when an employee leaves?
The Master Admin can deactivate the user account and revoke active sessions immediately. The user is locked out instantly, and their audit history is retained.
Want to see User Permissions & Roles in action?
Request a demo and we'll walk you through how it works for your operation.
Request a Demo