Appearance
Skip to content
Are you an LLM? You can read better optimized documentation at /administration/roles/capabilities.md for this page in Markdown format
Capabilities Reference
Every capability that can be configured on a role is listed here, grouped by functional area.
The Permission Model
Every capability can be set to one of three states on a role:
| State | Meaning |
|---|---|
| Granted | The capability is explicitly allowed by this role. The user can perform the action unless another of their roles explicitly denies it. |
| Inherited | The capability is neutral — it will be granted only if another of the user's roles grants it. |
| Denied | The capability is explicitly forbidden. This takes precedence over all other roles — even if another role grants it, the denial wins. |
Precedence rule: Deny always beats Grant. If any single role on a user denies a capability, the user does not have it, regardless of how many other roles grant it.
Users & Roles
| Capability | What it controls |
|---|---|
users:read | View user records |
users:update | Edit user configuration and role assignments |
users:audit | View the user audit log |
roles:read | View role records |
roles:create | Create new roles |
roles:update | Edit existing roles |
roles:audit | View the role audit log |
Tenants
| Capability | What it controls |
|---|---|
tenant:read | View tenant records |
tenant:read:channels | View a tenant's payment channel configuration |
tenant:read:domains | View a tenant's domain assignments |
tenant:read:adapter | View a tenant's adapter configuration |
tenant:read:email | View a tenant's email settings |
tenant:read:support | View a tenant's customer support and live chat settings |
tenant:read:api:credentials | View a tenant's API credentials |
tenant:read:webhooks | View a tenant's webhook configuration |
tenant:audit | View the tenant audit log |
tenant:create | Create new tenants |
tenant:update:basic | Edit a tenant's core fields |
tenant:update:branding | Edit a tenant's branding and checkout appearance |
tenant:update:channels | Edit a tenant's payment channel assignments |
tenant:update:domains | Edit a tenant's domain assignments |
tenant:update:adapter | Edit a tenant's adapter configuration |
tenant:update:email | Edit a tenant's email settings |
tenant:update:support | Edit a tenant's customer support and live chat settings |
tenant:manage:api:credentials | Create, rotate, and revoke a tenant's API credentials |
tenant:manage:webhooks | Create and manage a tenant's webhooks |
tenant:manage:activation | Activate or deactivate a tenant |
Payment Service Providers
| Capability | What it controls |
|---|---|
payment_service_provider:read | View PSP records |
payment_service_provider:read:adapter | View a PSP's adapter configuration |
payment_service_provider:read:restrictions | View a PSP's restriction rules |
payment_service_provider:audit | View the PSP audit log |
payment_service_provider:create | Create new PSPs |
payment_service_provider:update:basic | Edit a PSP's core fields |
payment_service_provider:update:adapter | Edit a PSP's adapter configuration |
payment_service_provider:update:restrictions | Edit a PSP's restriction rules |
payment_service_provider:update:activation | Activate or deactivate a PSP |
Payment Intent Tickets
| Capability | What it controls |
|---|---|
payment_intent_ticket:read | View payment intent ticket records |
payment_intent_ticket:read:pii | View PII fields on payment intent tickets |
payment_intent_ticket:read:psp | View PSP-level fields on payment intent tickets |
payment_intent_ticket:read:crm | View CRM-linked fields on payment intent tickets |
payment_intent_ticket:audit | View the payment intent ticket audit log |
payment_intent_ticket:create | Manually create payment intent tickets |
payment_intent_ticket:disposition | Approve or reject a payment intent ticket |
payment_intent_ticket:disposition:override | Override a payment intent ticket disposition |
payment_intent_ticket:reconcile | Manually reconcile a payment intent ticket |
payment_intent_ticket:disable:crm_sync | Disable CRM sync on a payment intent ticket |
Checkout Intent Tickets
| Capability | What it controls |
|---|---|
checkout_intent_ticket:read | View checkout intent ticket records |
checkout_intent_ticket:audit | View the checkout intent ticket audit log |
Customers
| Capability | What it controls |
|---|---|
tenant_customer:read | View tenant customer records |
tenant_customer:read:pii | View PII fields on tenant customers |
tenant_customer:audit | View the tenant customer audit log |
psp_customer_account:read | View PSP customer account records |
psp_customer_account:read:pii | View PII fields on PSP customer accounts |
psp_customer_account:audit | View the PSP customer account audit log |
Reference Data
| Capability | What it controls |
|---|---|
currency:read | View currency records |
currency:sync | Trigger a manual currency rate sync |
domain:read | View domain records |
Integrations
| Capability | What it controls |
|---|---|
integrations:psp:read | View PSP integration records |
integrations:psp:create | Register new PSP integrations |
integrations:psp:update | Edit PSP integration configuration |
integrations:psp:dev-uat | Promote a PSP integration to dev-uat state |
integrations:psp:production-uat | Promote a PSP integration to production-uat state |
integrations:crm:read | View CRM integration records |
integrations:crm:create | Register new CRM integrations |
integrations:crm:update | Edit CRM integration configuration |
integrations:crm:dev-uat | Promote a CRM integration to dev-uat state |
integrations:crm:production-uat | Promote a CRM integration to production-uat state |
Debug & Operations
| Capability | What it controls |
|---|---|
system:webhooks:read | View and test system-wide outbound webhooks |
system:webhooks:manage | Create, edit, enable, disable, and delete system-wide outbound webhooks |
auditLog:monitor | View the global audit log and per-record audit tabs |
queues:monitor | View queue job status |
queues:manage | Requeue and manage jobs |
webhooks:monitor | View webhook delivery logs |
webhooks:manage | Reprocess webhook deliveries |
crons:monitor | View scheduled cron job status |
postman:access | Access the HTTP Requester tool |
terminal:access | Access the terminal tool |
application:versions | View application version information |