MASTER ARTICLE. Explains what permissions are, where you find them, and how they are
scoped. Links to a sub-article per area. Status: DRAFT pending approval.
Access management decides what each employee may see and do in Sapera. Instead of granting rights to every single user, Sapera works with groups (roles): you give the group a set of permissions, and all users in the group inherit them.
Users — the individual employee's login.
Groups — a collection of users that should have the same rights (e.g. "Cashiers", "Bookkeepers", "Store managers").
Permissions — the concrete rights that can be assigned, e.g. whether you may create users or view financial entries.
Each permission can be in one of three states:
Allow — the right is granted.
Deny — the right is explicitly withdrawn (wins over an inherited "Allow").
(empty) — not set; the user does not have the right unless it is inherited from somewhere else.
You administer users and rights from Financial:
Financial → Security → Users / Groups / Login security
Users — create, edit, disable and reset employees' logins.
Groups — create roles and assign permissions in one place.
Login security — IP blocking and login monitoring.
Note: To see the Security menu item, your own user must have access to it. If you cannot see the menu item, you probably lack permissions — contact support.
Permissions work at three levels — it is important to know the difference:
Per organizational unit — most user and membership rights apply only in the organizational unit (store/department) where they are granted. An employee may therefore have the right to create users in one store but not in another.
Globally — a few rights (e.g. IP blocking) apply across the entire installation.
Menu visibility — some "permissions" only control whether a menu item is visible, not the action itself. They hide/show the entry, while the action behind it is protected by its own right.
The permissions are grouped the way you see them in the permission tree. Some concern users and access in general; others control concrete functions in a specific area (the POS, Accounting, etc.).
Users and access:
Users and passwords — create/edit/disable/delete users, change other users' passwords, 2-factor. → Open article
Organizational units — create, edit and archive stores/departments; access and visibility of financial entries. → Open article
Memberships — who may add/remove members in a group. → Open article
Application/service rights — which apps and integrations a user may access. → Open article
Login security (Block IP) — IP blocking and login monitoring. → Open article
UI rights — minor user-interface settings (keyboard/input method, access to permission setup). → Open article
Menu visibility (Security) — controls which security menu items are shown. → Open article
Rights per area:
Accounting — close/open financial periods, post in a closed period, counter-entries; plus visibility of accounting screens. → Open article
The POS — what cashiers may do at the POS (custom price, discount, return, customer creation, settlements, payments, etc.). → Open article
Actors — view/edit CPR number, merge actors, and role rights per organizational unit. → Open article
Documents and notes — edit/delete other users' notes on e.g. customers and invoices. → Open article
Reports — access per report tag. → Open article
Tasks and calendar — view other users' time registrations; visibility of task type/status setup. → Open article
