Users & Roles Overview
Access control in Vruksha ERP follows a two-layer role model. Understanding this model is the key to setting up permissions correctly, so this page explains it before the how-to pages on managing users and assigning roles.
The short version:
Subproject roles govern what a user can do within an assigned subproject; the org role governs everything else and acts as the baseline.
The two layers
Layer 1 — Organization (Org) Role
- Every user has exactly one organization role.
- It defines who the user is across the whole organization and acts as their baseline permission set.
- It applies to organization-wide actions — partnerships, partners, banking, HR, masters, audit, settings, and so on — that are not tied to a single subproject.
Layer 2 — Subproject Roles
- A user can have many subproject roles.
- Each one is scoped to a specific subproject and is additive — it grants extra permissions on top of the org role for that subproject. Subproject roles never take permissions away.
How the two layers combine (the override rule)
When a user attempts an action, the system decides which permissions apply based on whether the action targets a specific subproject:
In words:
- Action targets a specific subproject, and the user has a subproject role there → the subproject role's permissions apply for that subproject's scoped actions, with the org role as the fallback baseline. The two are merged — the subproject role only ever adds.
- Action targets a specific subproject, but the user has no subproject role there → only the org role applies.
- Organization-wide action (banking, partnerships, HR, audit, settings, masters) → only the org role applies. Subproject roles are irrelevant.
:::note Subproject roles only add A subproject role can never restrict what a user's org role already allows. It can only grant additional, subproject-scoped permissions. This is why a Sales Staff member with no subproject roles can still do everything their org role permits — they simply gain nothing extra in any specific subproject. :::
The roles at a glance
8 Organization roles
Exactly one per user.
| Role | Scope |
|---|---|
| Admin | Organization-wide; full authority |
| Partner | Partnership-scoped, read-only ownership visibility |
| Self-Managed Partner | Own partnership's finance and banking |
| Finance Manager | Execution-only finance operations |
| Sales Head | Sales execution and supervision, project-scoped |
| Sales Staff | Frontline sales execution, project-scoped |
| Project Manager | Project execution, unit readiness, handover |
| People Manager (HR) | Employee, role, and assignment management |
Full descriptions and permissions: Organization Roles.
3 Subproject roles
Assigned per subproject, additive.
| Role | Scope |
|---|---|
| Sales Head (subproject) | Subproject-scoped sales execution and supervision |
| Sales Staff (subproject) | Subproject-scoped sales execution |
| Project Manager (subproject) | Subproject-scoped unit and layout operations |
Full descriptions and how to assign them: Subproject Roles.
Where to go next
- Managing Users — create users, manage statuses, assign org roles, delete.
- Invitations — send and manage invitation links.
- Organization Roles — the 8 org roles in detail.
- Subproject Roles — the 3 subproject roles in detail.
- RBAC matrix — the authoritative role-to-permission reference.