SUB-ARTICLE under Access management in Sapera. Describes the permissions in the
"Memberships" category. Status: DRAFT pending approval.
This article covers the permissions that control who may add and remove members in a group — that is, who may change which users are part of a role.
You assign these permissions in Financial under Security → Groups → select a group → Permissions (set Allow/Deny per permission). They apply per organizational unit — that is, only for memberships in the store/department where they are granted.
Allows adding a user as a member of a group within the organizational unit.
If the permission is denied, the attempt to update the membership is rejected — the user cannot be added to the group.
The permission makes it possible to delegate membership management to, for example, a store manager without making them a full administrator.
Allows removing a user from a group within the organizational unit.
If the permission is denied, the user cannot be removed from the group.
The permissions apply per organizational unit. An employee may have the right to administer memberships in one store without having it in another.
Add and Remove are separate. You can grant the right to add without granting the right to remove (or vice versa), if that fits the workflow.
By default, administrators have full membership management on the top organizational unit.
Allow vs. Deny: An explicit Deny wins over an inherited Allow.
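The scoping and precedence rules above, modelled as an added example (not Sapera's own code or API). The unit names, group names, the permission keys "add" and "remove", and the rule that a setting on a parent unit is inherited by its child units are assumptions made for illustration.

```python
# Illustrative model only: the unit tree, groups and inheritance rule are
# assumptions for this example, not Sapera's implementation.
PARENT = {"HQ": None, "Store A": "HQ", "Store B": "HQ"}  # constructed unit tree

# (group, unit, permission) -> "allow" | "deny"; constructed sample settings
SETTINGS = {
    ("Administrators", "HQ", "add"): "allow",
    ("Administrators", "HQ", "remove"): "allow",
    ("Store managers A", "Store A", "add"): "allow",   # add only, no remove
    ("Regional staff", "HQ", "add"): "allow",          # inherited by both stores
    ("Regional staff", "Store B", "add"): "deny",      # explicit Deny on one unit
}

def unit_chain(unit):
    """Return the unit followed by its ancestors up to the top unit."""
    chain = []
    while unit is not None:
        chain.append(unit)
        unit = PARENT[unit]
    return chain

def is_allowed(actor_groups, permission, unit):
    """Deny-overrides evaluation; no matching setting means not allowed."""
    found = set()
    for ou in unit_chain(unit):
        for group in actor_groups:
            value = SETTINGS.get((group, ou, permission))
            if value:
                found.add(value)
    if "deny" in found:          # any Deny beats any Allow
        return False
    return "allow" in found

def who_can(permission, unit):
    """Audit helper: groups whose settings permit `permission` in `unit`."""
    groups = sorted({g for (g, _, _) in SETTINGS})
    return [g for g in groups if is_allowed([g], permission, unit)]

if __name__ == "__main__":
    for unit in ("Store A", "Store B"):
        for perm in ("add", "remove"):
            print(unit, perm, who_can(perm, unit))
```

Running an audit like who_can() against an export of the real group settings is a quick way to confirm that delegated membership rights cover only the intended stores.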
Want to know more?
Read more in these related articles:
Access management in Sapera (overview)
What permissions are, where to find them, how they are scoped, and links to one sub-article per area.
Users and passwords (permissions)
The permissions that control administration of employee logins — create, edit, disable, delete, passwords and 2-factor.
Organizational units (permissions)
The permissions that control access to and administration of organizational units, and which units' data an employee can see.