
Roles & Permissions

CANNEVO uses a role hierarchy to control access to features and data within the Admin Portal.

Roles Overview

From highest to lowest privilege:

| Role | Description |
|---|---|
| tenant_admin | Full access. Can manage all roles, settings, and data. |
| compliance_officer | Full compliance access: audit log, breaches, DSARs, break-glass. |
| inventory_manager | Manage inventory: batches, harvests, strains, grow zones, production. |
| dispensing_staff | Process dispensing events and preorders. View member quotas. |
| member | Read-only: own profile, quota, and dispensing history via member portal only. |

Page Access by Role

| Page | Minimum Role |
|---|---|
| Dashboard | Any role |
| Members (read) | dispensing_staff |
| Members (edit/register) | tenant_admin |
| Inventory | inventory_manager |
| Dispensing | dispensing_staff |
| Production | inventory_manager |
| Records | dispensing_staff |
| Reports | compliance_officer |
| Compliance (audit, breaches, DSAR) | compliance_officer |
| Settings | tenant_admin |
| Documentation | Any staff role |

Assigning Roles

  1. Go to Members → select a member.
  2. Click Change Role.
  3. Select the new role from the dropdown.
  4. Click Save.

Dual Approval for tenant_admin

Assigning or removing the tenant_admin role requires two approvals:

  1. The requesting user submits the role change.
  2. A different tenant_admin must approve or reject the request.

This prevents any single person from escalating their own privileges.

To review pending approvals, go to Settings → Approvals (the Dashboard also shows a notification).
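
The minimum-role page check and the two-step tenant_admin approval described above, sketched in Python as an added example (not CANNEVO's own code). The function and class names are hypothetical, and it assumes only a tenant_admin can submit a role change, since Members (edit/register) requires that role.

```python
from dataclasses import dataclass

# Role order from the page, highest privilege first.
ROLES = ["tenant_admin", "compliance_officer", "inventory_manager",
         "dispensing_staff", "member"]
RANK = {role: len(ROLES) - i for i, role in enumerate(ROLES)}

# Rows copied from the page-access table (page -> minimum role).
PAGE_MIN_ROLE = {"Inventory": "inventory_manager", "Records": "dispensing_staff",
                 "Reports": "compliance_officer", "Settings": "tenant_admin"}

def can_view(role, page):
    """Deny by default: an unknown role or page never passes."""
    if role not in RANK or page not in PAGE_MIN_ROLE:
        return False
    return RANK[role] >= RANK[PAGE_MIN_ROLE[page]]

@dataclass
class RoleChange:  # hypothetical request record
    requester: str
    target: str
    new_role: str
    status: str = "pending"

def submit(users, requester, target, new_role):
    """Step 1: changes touching tenant_admin are queued, others apply at once."""
    # Assumption: role changes sit behind Members (edit), i.e. tenant_admin only.
    if users.get(requester) != "tenant_admin":
        raise PermissionError("only tenant_admin may change roles")
    if new_role not in RANK:
        raise ValueError("unknown role")
    change = RoleChange(requester, target, new_role)
    if "tenant_admin" not in (users[target], new_role):
        users[target], change.status = new_role, "applied"
    return change

def decide(users, change, approver, approve):
    """Step 2: a different tenant_admin approves or rejects."""
    if change.status != "pending":
        raise ValueError("request is not pending")
    if users.get(approver) != "tenant_admin":  # role checked at decision time
        raise PermissionError("approver must be tenant_admin")
    if approver == change.requester:
        raise PermissionError("requester cannot approve own request")
    if approve:
        users[change.target] = change.new_role
    change.status = "approved" if approve else "rejected"
    return change.status
```

The approver's role is looked up when the decision is made, so an admin demoted after the request was submitted can no longer approve it.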

Managing Your Own Account

Go to Settings → Profile to:

  • Update your name and email
  • Change your password
  • Enrol or manage Two-Factor Authentication (MFA)

Two-Factor Authentication

MFA adds a second layer of security to your login. If your club's tenant_admin has enabled MFA for your role, you will be prompted for a TOTP code at login.

To enrol MFA:

  1. Go to Settings → Security.
  2. Scan the QR code with your authenticator app (Google Authenticator, Authy, 1Password, etc.).
  3. Enter the 6-digit confirmation code.
  4. Save your backup codes in a secure location.