This article walks through the permissions that govern access to functions in Inventory — for example viewing cost prices, editing stock entries, merging products, transferring stock, and which Inventory screens are visible.
You assign these permissions in Financial under Security → Groups → select a group → Permissions (set Allow/Deny per permission).
These permissions govern the action itself. When denied, the action is blocked — regardless of whether the menu item is visible or not.
Controls whether the user may see cost prices on products. When denied, the cost price is removed before product data is shown — the user sees products and sales prices, but not cost price/margin.
Allows editing a stock entry (and resetting the cost price on an entry). When denied, the change is rejected.
Allows deleting stock entries (bulk delete) for an organizational unit. When denied, the deletion is rejected.
Allows reverting a stock booking operation. When denied, the reversal is rejected.
Allows changing a product instance's inventory identifier (e.g. serial number/ID). When denied, the change is rejected.
Allows merging two products into one. When denied, the merge is rejected.
Allows editing a product instance whose stock belongs to a different organizational unit than the one the user is in. When denied, the change is rejected when the unit differs.
Controls in the POS whether a cashier may change the manual discount on a sale line. When denied, the discount field cannot be edited on the sale screen.
Note: This permission belongs to Inventory but takes effect on the sale screen in the POS.
These permissions are granted per organizational unit (they appear under each unit in the permission tree).
Determines which units' stock availability the user may see. When granted for a unit here, that unit's stock is included in the availability lookups the user can perform.
Allows deleting system-generated stock draft entries in the given organizational unit. The system itself creates draft entries in certain stock flows (e.g. stock transfers); this permission governs whether the user may delete them. When denied — or if the entry touches a unit the user does not have access to — the deletion is rejected.
The permissions below only control whether a given screen or menu item in Inventory is visible and can be opened. They are not data security: they hide/show the entry, while the data and actions behind the screen are protected by organizational-unit access and/or the functional permissions above.
Each permission is shown with its name → the screen it gives access to:
Access inventory products → Products
Access inventory categories → Product categories (also product attributes and templates)
Access inventory product instances → Product instances (e.g. serial-number items)
Access stock drafts → Stock drafts
Access label drafts → Label drafts
Access all stock entries → All stock entries
Access appendixes with reservations → Appendixes with reservations
Access stock transfers → Stock transfers
Access shadow inventory → Shadow inventory
Access search tags → Search tags
Access search tag types → Search tag types
Access sales price types → Sales price types
Access product locations → Product locations
Access communication workflows → Communication workflows
Access communication workflow types → Communication workflow types
Access Inventory Document types → Document types (inventory)
Access stock setup → Stock setup
Access stock metadata records → Stock metadata records
Access product relation types → Product relation types
Access product instance instalment plans → Instalment plans (product instances)
Access product supplement sets → Product supplement sets
Functional permissions vs. menu visibility: The functional permissions (at the top) block the action itself. The menu-visibility permissions hide or show the screen.
Allow vs. Deny: An explicit Deny wins over an inherited Allow. Use it when a group would otherwise inherit a permission it should not have.
Per organizational unit: *View Stock Availability* and *Delete system generated draft entry* are granted per unit — you can grant them in one store and not in another.
Administrators have all of these permissions by default.