Appearance
Permissions
WebWorkstationThe Permissions page is where you control exactly what each role or user can do within ZynoSuite. Permissions are organized into applications (modules), each containing individual feature-level toggles. This gives you precise control over access without needing to manage it at the code level.
The Permission Model
ZynoSuite uses a role-based access control (RBAC) system with per-user override capability. There are three layers:
- Roles define a reusable set of permissions. See Roles.
- Users are assigned one or more roles, inheriting all of their permissions.
- Direct assignments can grant additional permissions to a specific user, independent of their roles.
A user's effective permissions are the union of everything granted by their roles plus anything granted directly on their account.
Permission Applications
Permissions are grouped into seven applications, each corresponding to a ZynoSuite module. Within each application, individual permissions control access to specific features or actions.
| Application | Scope |
|---|---|
| Core | Account-level actions such as changing passwords and managing fingerprint enrollments |
| CRM | Contact management, notes, files, forms, memberships, and payment methods |
| Sales | Salespoint register, products, transactions, gift cards, fulfillment, reports, discounts, and e-commerce |
| Talk | Phone number and extension access (managed per-number in Talk Admin) |
| Inventory | Editing inventory items and adjusting stock quantities |
| Forms | Creating and editing form templates |
| Display | Registering, configuring, and managing digital signage devices |
| MSP | Multi-tenant administration capabilities (login and impersonation) |
For a complete list of every permission and what it controls, see the Permissions Reference.
Using the Permissions Screen
The Permissions page works with a subject selector: you first choose whether you are configuring permissions for a role or for a specific user.
Configuring Role Permissions
- Select a role from the dropdown or list.
- The page displays all permission applications with their individual toggles.
- Enable or disable each permission as needed.
- Save your changes. All users with this role are updated immediately.
Configuring User Permissions
- Switch to the user view and select a user.
- The page shows two views:
- Assigned permissions: permissions explicitly granted to this specific user (direct assignments).
- Effective permissions: the combined result of all roles plus direct assignments. This is what the user can actually do.
- Toggle individual permissions to add or remove direct assignments.
- Save your changes.
The effective permissions view is read-only and is useful for auditing. It lets you see at a glance whether a user has a particular permission, regardless of where it comes from.
Direct Permission Assignment
Direct assignments are useful for exceptions. For example, if one team member temporarily needs access to sales reports but their role does not include it, you can grant View Reports directly on their user account without modifying the role that other team members share.
Direct assignments add to whatever the user's roles already provide. They do not replace or reduce role-based permissions.
The Admin Flag
Users with the admin flag enabled bypass all permission checks entirely. They have unrestricted access to every feature in ZynoSuite, including the Admin Panel. The admin flag is set on the Users page, not on the Permissions page.
TIP
Because the admin flag overrides everything, the Permissions page has no practical effect for admin users. Only configure permissions for non-admin users.
Permission Applications Overview
Below is a brief summary of what each application covers. See the Permissions Reference for the full breakdown.
Core
Controls basic account operations: changing the user's own password and managing fingerprint enrollments for Workstation authentication.
CRM
Governs all contact-related actions. Permissions are split between creating/editing contacts and the sub-features within a contact record (notes, files, forms, memberships, and payment methods). Read and write permissions are separated, so you can grant view-only access where appropriate.
Sales
The largest permission group. Controls access to the Salespoint register (including platform restrictions for desktop-only vs. anywhere), discount application (predefined vs. custom), cash drawer operations, gift cards, product management, transaction viewing and editing, fulfillment workflows, reports, and the e-commerce storefront.
Talk
Unlike other applications, Talk permissions are managed on a per-number and per-extension basis in the Talk Admin section rather than through the global permissions screen. Each phone number and extension has its own user access list.
Inventory
Controls whether a user can edit inventory item details and whether they can adjust stock quantities. These are separated because you may want some users to view inventory without being able to change counts.
Forms
Governs form template creation and editing. Note that form submission viewing is controlled by the CRM View Form Submissions permission, since submissions are accessed through contact records.
Display
Controls the three stages of digital signage device management: registering new devices, configuring their settings, and ongoing management of content and scheduling.
MSP
Multi-tenant administration permissions. These only apply to managed service provider accounts that oversee multiple ZynoSuite tenants. The login permission allows accessing the MSP portal, and impersonate allows acting on behalf of a tenant.