> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ofatoura.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Creating Roles and Applying Permission Tiers

> Create and manage custom staff roles in the oFatoura web admin, set permissions with the module-grouped grid, and apply Starter, Standard, and Advanced permission tiers.

Roles decide what each staff member can see and do across the web admin and the ePOS waiter app. Instead of granting permissions one at a time, you build a role once, assign permissions to it, and then give that role to your staff. This page covers creating roles, editing and deleting them, and using the permission grid and ready-made tier presets.

You manage roles in the browser dashboard under **Settings > Role Settings**.

<Note>
  **Permissions:** You need the **Manage Settings** permission to open Role Settings and to change any role or its permissions.
</Note>

## How roles work

Every role belongs to your restaurant, so two different restaurants can each have a role called, for example, "Cashier" without any conflict. You only ever see and edit the role's display name.

Some roles are **protected** and cannot be renamed or deleted, because the system relies on them. These include **Admin**, **Super Admin**, **Branch Head**, **Waiter**, and **Chef**. You can still change the permissions on the editable ones, but the roles themselves stay in place.

## Creating a role

<Steps>
  <Step title="Open Role Settings">
    Go to **Settings > Role Settings** in the web admin.
  </Step>

  <Step title="Add a new role">
    Choose to add a new role and enter a **display name**. The name must be unique within your restaurant.
  </Step>

  <Step title="Optionally copy from an existing role">
    Use the **Copy from** dropdown to start from another role's permission set instead of an empty one. This is the fastest way to make a small variation of a role you already trust.
  </Step>

  <Step title="Save the role">
    Save to create the role. It now appears in the role list and becomes available when assigning roles to staff.
  </Step>
</Steps>

<Tip>
  Copying from a similar role and then trimming a few permissions is usually faster and safer than building a role from scratch.
</Tip>

## Renaming a role

You can edit a role's display name inline, directly in the role list. Protected roles (Admin, Super Admin, Branch Head, Waiter, Chef) cannot be renamed.

## Deleting a role

When you delete a role, any staff currently assigned to it need a new role. Deleting a role opens a **reassignment step** so you can move those staff to a different role before the original is removed. Protected roles cannot be deleted.

<Warning>
  Make sure the replacement role you pick during reassignment has the permissions those staff actually need. Moving people to a role with fewer permissions can suddenly block them from tasks they did before.
</Warning>

## Setting permissions with the grid

Each role's permissions are managed in a checkbox grid. Permissions are **grouped by module** (for example, orders, payments, menu, settings) so related capabilities sit together. Every permission shows a short description, and permissions that also apply to the ePOS waiter app carry a **waiter-app badge**.

To make the grid easier to work through, you can narrow what's shown:

* **Module filter** — show only the permissions for one module at a time.
* **Search box** — type part of a permission name to jump straight to it.
* **Waiter App Only toggle** — show only the permissions that affect the ePOS waiter app.

Tick a permission to grant it to the role, untick to remove it. Changes apply to everyone who holds that role.

<Note>
  When you add or remove a permission, the change is pushed out so the ePOS waiter app picks up the new rules the next time it refreshes a user's permissions.
</Note>

## Applying permission tiers

Tiers are ready-made permission bundles that let you set up a sensible role in one step instead of ticking dozens of boxes. There are three:

| Tier         | Best for                                                     |
| ------------ | ------------------------------------------------------------ |
| **Starter**  | The smallest, most limited set of capabilities.              |
| **Standard** | Everyday operational access; includes everything in Starter. |
| **Advanced** | The broadest set; includes everything in Standard.           |

The tiers are **cumulative**: Standard contains all of Starter, and Advanced contains all of Standard. Choosing a higher tier always adds to (never reduces below) the tier beneath it.

<Steps>
  <Step title="Pick a tier">
    In the tier selector, choose **Starter**, **Standard**, or **Advanced**.
  </Step>

  <Step title="Choose the target role">
    Select the role you want the tier applied to.
  </Step>

  <Step title="Apply">
    Apply the tier to load that bundle of permissions onto the role in one action.
  </Step>
</Steps>

<Tip>
  Apply a tier first to get a solid baseline, then use the permission grid to fine-tune — adding or removing the few extra permissions a particular role needs.
</Tip>

## Related

<Columns cols={2}>
  <Card title="Adding and Managing Staff Members" icon="users" href="/staff/adding-staff">
    Create staff accounts and assign each person a role.
  </Card>

  <Card title="Per-User Permission Overrides" icon="user-check" href="/staff/user-permission-overrides">
    Grant or deny individual permissions for a single staff member.
  </Card>

  <Card title="Manager Override PINs" icon="key" href="/staff/manager-override-pins">
    Require manager approval for sensitive actions like refunds and voids.
  </Card>

  <Card title="Staff and Permissions Overview" icon="shield" href="/staff/index">
    See how staff, roles, and permissions fit together.
  </Card>
</Columns>
