Permissions model

Role and permission model used by ChannelWeave.

Last updated:

Model structure

Roles group permissions. Users gain access through role assignments.

Enforcement

Checks occur at page level and action level for sensitive operations. Admin read/write permissions are enforced separately for Users, Roles, API keys, Events, and Support requests. Connections, Media library, stock, listings, purchase orders, sales orders, Warehouse operations, insight rules, and account-level settings use explicit permission groups.

Bearer-token API keys are scoped with permission codes. A request authenticated by API key must satisfy two checks before a scoped action runs:

  1. the key itself must include the required permission-code scope
  2. the user attached to the key must still have that permission through their current role assignments

Omitting explicit scopes when an admin key is created grants the current active permission catalogue to the key, while the attached user's role permissions remain the final authority.

Active permission catalogue

  • Admin:
    • admin.api_keys.read
    • admin.api_keys.write
    • admin.events.read
    • admin.roles.read
    • admin.roles.write
    • admin.support_requests.read
    • admin.support_requests.write
    • admin.users.read
    • admin.users.write
  • Connections:
    • channels.connections.read
    • channels.connections.manage
  • Catalogue:
    • catalogue.listings.manage
  • Insights:
    • insights.rules.manage
  • Media:
    • media.library.read
    • media.library.manage
  • Inventory purchase orders:
    • inventory.purchase_orders.read
    • inventory.purchase_orders.create
    • inventory.purchase_orders.edit
    • inventory.purchase_orders.open
    • inventory.purchase_orders.issue
    • inventory.purchase_orders.receive
    • inventory.purchase_orders.close
    • inventory.purchase_orders.cancel
  • Inventory stock:
    • inventory.stock.import
    • inventory.stock.manage
  • Warehouse:
    • inventory.warehouse.read
    • inventory.warehouse.operate
    • inventory.warehouse.adjust
    • inventory.warehouse.labels
    • inventory.warehouse.setup
  • Sales orders:
    • sales.orders.read
    • sales.orders.create
    • sales.orders.edit
    • sales.orders.allocate
    • sales.orders.deallocate
    • sales.orders.dispatch
    • sales.orders.deliver
    • sales.orders.payment_capture
    • sales.orders.refund
    • sales.orders.cancel
  • Settings:
    • settings.account.manage
    • settings.costing.manage
    • settings.plan.manage

Mutation routes require both an authenticated session and the relevant live role permission. Stock-item/master-data writes use inventory.stock.manage; listing, draft and template writes use catalogue.listings.manage; custom rule writes use insights.rules.manage. Account details, costing policy and plan changes use their separate settings permissions. Warehouse adjustments and location setup continue to use inventory.warehouse.adjust and inventory.warehouse.setup respectively.

Support request permissions

  • admin.support_requests.read controls the Admin support request list.
  • admin.support_requests.write controls status/category triage updates.
  • The default Admin role receives both support request permissions.
  • The ChannelWeave team's internal support triage is separate from customer role permissions and cannot be granted through customer roles.

Channel permissions

  • channels.connections.read controls channel connection lists and connection diagnostics/settings pages.
  • channels.connections.manage controls connect, reconnect, OAuth callback completion, disconnect, website setup, and connection secret rotation.
  • Admin roles receive both channel connection permissions by default.
  • Integration Manager roles receive channel connection read/manage permissions without user or role administration permissions.

Warehouse permissions

  • inventory.warehouse.read controls Warehouse home, Lookup, scan resolution, setup-state reads, and unknown-task 404 handling.
  • inventory.warehouse.operate controls receiving, putaway, moves, replenishment, returns, quarantine, and issue reporting.
  • inventory.warehouse.adjust controls Counts and Adjustments.
  • inventory.warehouse.labels controls label tasks, label job lookup, and printable label sheets.
  • inventory.warehouse.setup controls saving the per-location Warehouse setup checklist.

Default grants:

  • Admin and Manager receive all Warehouse permissions.
  • Location receives read, operate, labels, and setup.
  • Read-only receives read only.

Audit expectations

Permission changes should be attributable and time-stamped.