SUB-ARTICLE under Access management in Sapera. Describes the permissions in the
"Users" category. Status: DRAFT pending approval (template for the other areas).
This article covers the permissions that control administration of employee logins — creation, editing, disabling, deletion, passwords and 2-factor.
You can find the screen under: Financial → Security → Users. The rights themselves are typically assigned to a group (role) via the permission tree, and they apply per organizational unit, that is, only in the store/department where they are granted.
Allows creating new users in the selected organizational unit. Without the permission, the button to create a new user is blocked, and the attempt is rejected with "access denied".
Allows editing another user's details in the organizational unit. Note: the system user and the administrator user cannot be edited by ordinary users.
Allows enabling or disabling another user's login.
Important: The same permission also gives access to resetting the failed login attempt counter for a user (e.g. if an employee has locked themselves out). The two actions therefore go together.
System and administrator accounts cannot be disabled.
Allows deleting (anonymizing) another user's account. System and administrator accounts cannot be deleted.
Allows turning two-factor authentication on or off for other users. You can always manage your own 2-factor; the administrator user's 2-factor is protected.
Allows changing or resetting other users' passwords.
You may always change your own password — that does not require this permission.
The administrator user's password is protected and can only be changed by the administrator themselves.
The permissions apply per organizational unit. An employee may have the right to administer users in one store without having it in another.
By default, administrators have all of these rights on the top organizational unit.
Allow vs. Deny: An explicit Deny wins over an inherited Allow. Use it if a group would otherwise inherit a right it should not have.
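The scoping and precedence rules above, modelled as an added example (not Sapera's own code). The unit names, group, user names and permission labels are constructed for illustration. Two behaviours are assumptions the article does not state: a grant on a parent unit is inherited by its child units, and a Deny anywhere on the path is final.

```python
from dataclasses import dataclass, field

# Constructed sample data: unit names and permission labels are hypothetical,
# not Sapera's own identifiers.
PARENT = {"HQ": None, "Store A": "HQ", "Store B": "HQ"}   # org-unit tree
PROTECTED = {"system", "administrator"}                   # protected accounts
SELF_SERVICE = {"change_password", "manage_2fa"}          # always allowed on your own account

@dataclass
class Group:
    # (unit, permission) -> "allow" | "deny", as set in the permission tree
    entries: dict = field(default_factory=dict)

    def effective(self, unit, permission):
        """Walk from the unit up to the root.
        Assumption: a grant on a parent unit is inherited by its children.
        Assumption: a Deny found anywhere on the path is final.
        With no entry at all, the result is "deny" (fail closed)."""
        verdict = None
        while unit is not None:
            entry = self.entries.get((unit, permission))
            if entry == "deny":
                return "deny"
            if entry == "allow":
                verdict = "allow"
            unit = PARENT[unit]
        return verdict or "deny"

def may(actor, group, action, target, unit):
    """May ordinary user `actor` (member of `group`) do `action` to `target` in `unit`?"""
    if actor == target and action in SELF_SERVICE:
        return True    # own password and own 2-factor need no permission
    if target in PROTECTED:
        return False   # system and administrator accounts are protected
    return group.effective(unit, action) == "allow"

store_managers = Group({
    ("HQ", "change_password"): "allow",      # inherited by both stores
    ("Store B", "change_password"): "deny",  # explicit Deny beats the inherited Allow
    ("Store A", "create_user"): "allow",     # scoped to one store only
})

if __name__ == "__main__":
    for unit in PARENT:
        print(unit, may("anna", store_managers, "change_password", "ben", unit))
```

Running it prints the password-reset decision per unit; the grant made on Store A does not reach HQ or Store B, because inheritance in this model only flows downward.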
Want to know more?
Read more in these related articles:
Access management in Sapera (overview)
What permissions are, where to find them, how they are scoped, and links to one sub-article per area.
Organizational units (permissions)
The permissions that control access to and administration of organizational units, and which units' data an employee can see.
Memberships (permissions)
The permissions that control who may add and remove members in a group.