> ## Documentation Index
> Fetch the complete documentation index at: https://docs.arcuserp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Roles and Permissions

> Use Roles and Permissions to review locked system roles, create custom roles, assign the least access needed, and audit effective permissions with the Role Coverage Report.

<Warning>
  Role changes affect what users can see, approve, post, ship, refund, configure,
  and export. Treat custom roles as security controls, not convenience shortcuts.
</Warning>

## Open Roles And Permissions

1. Open **Admin**.
2. Choose **Roles**.
3. Review the role list.
4. Use **Duplicate** on a system role or **Create custom role** when the defaults do not fit.

<Frame caption={"Roles and Permissions shows locked system roles, custom roles, permission counts, assigned users, and safe duplicate or edit actions."}>
  <img src="https://mintcdn.com/arcuserp/5v8ggAMP6rzMRoYX/images/support/screenshots/admin-access/roles-list.png?fit=max&auto=format&n=5v8ggAMP6rzMRoYX&q=85&s=fc9511a9d02930d9ab538eac541df4fa" alt="Roles and Permissions page with system roles, custom roles, permission counts, assigned users, duplicate and edit actions" width="1640" height="980" data-path="images/support/screenshots/admin-access/roles-list.png" />
</Frame>

## Understand System And Custom Roles

* **System roles** are Arcus defaults. They are locked so updates stay consistent.
* **Custom roles** are entity-specific access profiles created by your admins.
* **Assigned users** show whether a role is actively used.
* **Permission count** helps compare broad roles to narrow roles.

The role picker currently includes Owner, Admin, Manager, Accountant, Staff,
Warehouse, Sales, Auditor, and Viewer. Owner is hidden from assignment controls
when the acting user is not allowed to grant owner-level access.

When a system role is close but too broad, duplicate it and remove the permissions
that do not belong. When a system role is too narrow, duplicate it and add only
the missing permissions needed for the job.

## Create A Custom Role

1. Choose **Create custom role**, or duplicate a locked system role.
2. Enter a name that matches the job, such as AP Clerk, Shipping Lead, or Inventory Auditor.
3. Add a short description so future admins know why the role exists.
4. Review each permission group.
5. Select only the permissions required for the user's real work.
6. Save the role.
7. Assign it from Organization Users or Entity Team.
8. Review the Role Coverage Report after assignment.

<Frame caption={"The role editor groups permission keys so admins can build the role around actual work instead of guessing from one long list."}>
  <img src="https://mintcdn.com/arcuserp/5v8ggAMP6rzMRoYX/images/support/screenshots/admin-access/role-editor.png?fit=max&auto=format&n=5v8ggAMP6rzMRoYX&q=85&s=139f29b73b453a9e83b98c6984fcc654" alt="Create custom role page with name, description, grouped permission checkboxes, and Save role button" width="1640" height="980" data-path="images/support/screenshots/admin-access/role-editor.png" />
</Frame>

The role editor has two required choices: a role name and at least the permission
set you intend to grant. Description is optional, but it is the best place to explain
why the role exists, such as "Warehouse lead can adjust counts but cannot approve
payments."

System roles cannot be edited directly. If you open a system role for editing, Arcus
blocks the edit and tells you to duplicate it instead.

## Permission Groups To Review Carefully

| Area                                | Why it is sensitive                                                              |
| ----------------------------------- | -------------------------------------------------------------------------------- |
| Users, roles, and organization      | Can invite people, remove access, reset MFA, or grant higher access.             |
| Accounting and period close         | Can post entries, pay bills, close periods, or change financial statements.      |
| Payments, refunds, and credits      | Can move money, reverse money, or change customer balances.                      |
| Inventory adjustments and overrides | Can change stock and inventory value outside normal workflows.                   |
| Returns and fulfillment overrides   | Can restock, write off, ship, void labels, or bypass operational checks.         |
| Settings and integrations           | Can change defaults that affect tax, shipping, email, documents, and connectors. |
| Audit and reports                   | Can view sensitive operational or compliance history.                            |

Use a second reviewer for high-risk roles when possible.

## Assign Roles Safely

Roles are assigned from user management surfaces.

* Use **Organization Users** when inviting a person or managing entity memberships.
* Use **Entity Team** for day-to-day role changes inside the active entity.
* Use **Location Access** when the user should only work in certain warehouses or locations.
* Use **Custom Permissions** only when a one-off override is truly needed.

Prefer a clean custom role over many user-specific overrides. Roles are easier to
audit and easier to explain during onboarding and offboarding.

Custom permissions override the selected role's default permissions for one user.
Keys that are omitted fall back to the role default. In the editor, checked means
allowed and unchecked means denied. Use **Reset all to role defaults** when the
exception is no longer needed.

## Use Role Coverage Report

Open **Admin**, then **Role Coverage Report**. The report shows active
users, their role, custom role, and effective permissions after role defaults and
overrides are applied.

<Frame caption={"Role Coverage helps admins confirm who has each permission after role defaults and user-level overrides are combined."}>
  <img src="https://mintcdn.com/arcuserp/5v8ggAMP6rzMRoYX/images/support/screenshots/admin-access/role-coverage.png?fit=max&auto=format&n=5v8ggAMP6rzMRoYX&q=85&s=4938bb0d19d68be839c2ce9fe9db0dfb" alt="Role Coverage Report page showing users, roles, and effective permission columns" width="1640" height="980" data-path="images/support/screenshots/admin-access/role-coverage.png" />
</Frame>

Use it for:

* Onboarding review after assigning a role.
* Offboarding review before removing final access.
* Quarterly access review.
* Troubleshooting a permission-denied report.
* Confirming custom overrides did not grant more access than intended.
* CSV review when a compliance reviewer needs the effective permission matrix outside Arcus.

## Troubleshoot Permission Problems

| Problem                                    | Check                                                                    |
| ------------------------------------------ | ------------------------------------------------------------------------ |
| User cannot see a module                   | Role permission, module setting, entity membership, and location access. |
| User can see a page but cannot act         | Action-level permission may be missing. Review the Role Coverage Report. |
| User cannot approve                        | Approval workflow settings and the user's approval-related permissions.  |
| User cannot assign Owner                   | Only owner-level users can grant owner-level access.                     |
| Custom role changed but user still blocked | Refresh the session and verify entity context.                           |
| Too many one-off overrides exist           | Convert common override patterns into a clean custom role.               |

## Common Blocks

* **System role cannot be edited**: duplicate it, then edit the custom copy.
* **Save is disabled**: role name is required.
* **Permission key is confusing**: compare it with the page or action the user needs, then verify with Role Coverage.
* **User has access in sandbox but not production**: roles are assigned per entity.
* **New location is invisible to a user**: update location access after adding the location.
* **Role cleanup is overdue**: export or review Role Coverage, remove stale overrides, and deactivate unused custom roles only after users are reassigned.

## Related Articles

<CardGroup cols={2}>
  <Card title="User Management" href="/support/settings/users">
    Invite users, assign entity access, restrict locations, reset MFA, and manage current entity users.
  </Card>

  <Card title="Organization, Entities, and API Access" href="/support/settings/organization-access">
    Manage organization overview, entities, user access, and organization-level safety controls.
  </Card>

  <Card title="Audit Log and Compliance" href="/support/settings/audit-compliance">
    Review audit activity, compliance reports, saved filters, and user access history.
  </Card>

  <Card title="Profile and Security" href="/support/settings/profile-security">
    Manage your own profile, PIN, MFA factors, security keys, and recovery options.
  </Card>
</CardGroup>
