Roles & permissions basics

Villva ERP controls access with roles. This page explains the ideas; the day-to-day management screens are covered in Users & roles.

  • Every user has a role. The role decides which modules and actions they can use.
  • Permissions are deny-by-default: nothing is allowed unless the role explicitly grants it. An empty role can do nothing.
  • Roles are flat: one role never inherits from another. If a user holds more than one grant set, they get the combination of everything granted.
  • Permissions are checked live, on every action. When you change a role or a user’s access, the change takes effect on their next action; they do not need to sign out and back in.

For each module your organisation uses, a role can be granted any mix of six actions:

  • View: see the records
  • Create: add new records
  • Edit: change existing records
  • Delete: remove records
  • Approve: sign off where approvals apply
  • Export: download or export data

Export is separate from View on purpose: you can let someone read data on screen without letting them extract it to a file.

Each organisation begins with predefined roles (Admin, Manager, User, Viewer and Customer portal), so it is usable from day one. Admin, Viewer and Customer portal are system roles: you cannot rename or delete them, but you can clone them as a starting point for a role of your own. Manager and User can be edited.

As an Org Admin you can go well beyond the defaults:

  • Create custom roles for your specific job functions.
  • Clone an existing role and adjust it, instead of starting from scratch.
  • Import a role template from Villva’s curated library (for example “finance read-only”).
  • Restrict which records a user sees by department, region or assignment (data scope), not just which modules.
  • Mask sensitive fields (like salary or bank details) from roles that shouldn’t see them.
  • Deny a single permission to one user without rebuilding their role.
  • Time-box a role so temporary access expires on its own.

See Users & roles for the step-by-step for each of these.
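The rules above (deny-by-default, flat roles combined by union, a per-user deny, and time-boxed roles) can be modelled in a few lines. This is an added illustration, not Villva's code: the class and function names, the module names and the sample user are constructed, and it assumes a per-user deny takes precedence over any role grant.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

ACTIONS = {"view", "create", "edit", "delete", "approve", "export"}

@dataclass
class Role:
    name: str
    grants: set = field(default_factory=set)  # {(module, action)}; empty = can do nothing

@dataclass
class Assignment:
    role: Role
    expires_at: Optional[datetime] = None  # time-boxed access; None = no expiry

@dataclass
class User:
    name: str
    assignments: list
    denies: set = field(default_factory=set)  # per-user denied (module, action) pairs

def effective_permissions(user: User, now: datetime) -> set:
    """Union of grants from unexpired roles, minus per-user denies."""
    allowed = set()  # deny-by-default: start with nothing
    for a in user.assignments:
        if a.expires_at is not None and now >= a.expires_at:
            continue  # an expired role contributes nothing
        allowed |= a.role.grants  # flat roles: plain union, no inheritance
    return allowed - user.denies  # assumption: a deny beats any grant

def can(user: User, module: str, action: str, now: datetime) -> bool:
    """Evaluated per action against the current rules and time."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    return (module, action) in effective_permissions(user, now)

# Constructed sample data (hypothetical grants, modules and user).
finance_reader = Role("finance read-only", {("invoices", "view"), ("payroll", "view")})
temp_exporter = Role("temp exporter", {("invoices", "export")})
EXPIRY = datetime(2025, 2, 1, tzinfo=timezone.utc)
asha = User("asha",
            [Assignment(finance_reader), Assignment(temp_exporter, EXPIRY)],
            denies={("payroll", "view")})

if __name__ == "__main__":
    for when in (datetime(2025, 1, 15, tzinfo=timezone.utc), EXPIRY):
        print(when.date(), sorted(effective_permissions(asha, when)))
```

Note that View on invoices never implies Export: once the time-boxed role lapses, the user can still read invoices on screen but can no longer extract them.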

  • Everyone keeps at least one role. You can replace a user’s role, but you cannot leave them with none.
  • The last admin is protected. You cannot remove the role from, or deactivate, the only remaining Org Admin in your organisation.

Before you rely on a setup, use the “what can this user do” inspector to see exactly which modules, actions, data scope and fields a person can reach. It reflects the live rules, so what it shows is what will actually happen. You can also preview who gains or loses access before saving a permission change.