Security & RBAC
Enterprise-grade security with granular roles, permissions, multi-tenant isolation, audit trails, and API token management.
Without proper access control
- Everyone has admin access, or access is gated by coarse flags such as is_staff that say nothing about what a user is actually allowed to do.
- Data leaks across tenants because queries are not scoped to the authenticated company.
- Unauthorized changes go undetected because there is no audit trail.
- Roles are hardcoded in frontend code and drift out of sync with backend enforcement.
With Vender Security & RBAC
- Granular, typed permissions with explicit checks on every endpoint. No shortcuts.
- Multi-tenant isolation ensures users only see data within their company boundary.
- Custom permissions override role defaults for fine-grained access control.
- Full audit trail captures every mutating action for compliance and forensics.
Key Capabilities
Granular Permissions
Typed permission catalog with explicit checks on every endpoint. No ad-hoc strings or hidden shortcuts — every action is authorized.
Role-Based Access
Predefined roles via the UserRole enum with sensible defaults. Assign a user to a role and the user inherits that role's permissions automatically.
Multi-Tenant Isolation
Every data query is scoped to the authenticated company. Users cannot see or modify data outside their tenant boundary.
Custom Permission Overrides
Override role defaults with custom permissions per user. Fine-tune access without creating new roles for every edge case.
Audit Integration
Every mutating action is logged with user identity, timestamp, and before/after state. Review audit trails for compliance and forensics.
How It Works
Define Roles and Permissions
Use the typed RBAC catalog to define roles and permission groups. Roles map to business functions — admin, sales, warehouse, finance.
Assign Users to Roles
Assign each user a role in admin. Custom permissions can override defaults for users who need specialized access.
Enforce at Every API Endpoint
Every protected endpoint validates the JWT, checks the required permission, and applies the company_id filter taken from the authenticated user (never from request parameters) before executing any query.
Review Audit Logs for Compliance
Audit logs capture every mutating action with user, timestamp, and state changes. Export logs for compliance reviews or investigations.
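The four steps above, as one added example that is not Vender's own code: a typed permission catalog with role defaults, per-user grant/revoke overrides, an HS256 JWT check that pins the algorithm and compares the signature in constant time, endpoint functions that scope every query by the verified user's company_id, and an audit record with before/after state. All names here (Permission, ROLE_PERMISSIONS, User, verify_jwt, list_orders, update_order_status, AUDIT_LOG), the sample tenants and orders, and the demo secret are assumptions made for the illustration.

```python
"""Illustrative RBAC layer (added example, not Vender code); all names are assumed."""
import base64, hashlib, hmac, json, time
from dataclasses import dataclass
from enum import Enum

class Forbidden(Exception): pass  # any failed authentication or authorization check

# Step 1: a typed permission catalog and role defaults. Endpoints check enum members,
# never ad-hoc strings or coarse flags such as is_staff.
class Permission(str, Enum):
    ORDER_VIEW = "order:view"
    ORDER_EDIT = "order:edit"
    INVOICE_VIEW = "invoice:view"

class UserRole(str, Enum):
    ADMIN = "admin"
    SALES = "sales"
    WAREHOUSE = "warehouse"
    FINANCE = "finance"

ROLE_PERMISSIONS = {
    UserRole.ADMIN: frozenset(Permission),
    UserRole.SALES: frozenset({Permission.ORDER_VIEW, Permission.ORDER_EDIT}),
    UserRole.WAREHOUSE: frozenset({Permission.ORDER_VIEW}),
    UserRole.FINANCE: frozenset({Permission.ORDER_VIEW, Permission.INVOICE_VIEW}),
}

# Step 2: a user carries a role plus optional per-user overrides of the role default.
@dataclass(frozen=True)
class User:
    id: int
    company_id: int
    role: UserRole
    granted: frozenset = frozenset()  # permissions added beyond the role default
    revoked: frozenset = frozenset()  # role-default permissions withheld from this user

    def permissions(self) -> frozenset:
        return (ROLE_PERMISSIONS[self.role] | self.granted) - self.revoked

# Constructed sample data: two tenants, one user and one order each.
USERS = {"u1": User(1, 10, UserRole.SALES),
         "u2": User(2, 20, UserRole.WAREHOUSE, granted=frozenset({Permission.ORDER_EDIT}))}
ORDERS = [{"id": 100, "company_id": 10, "status": "open"},
          {"id": 200, "company_id": 20, "status": "open"}]
AUDIT_LOG: list = []
SECRET = b"constructed-demo-secret"  # assumption: HS256 shared secret, demo only

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(sub: str, ttl: int = 3600) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

# Step 3a: validate the JWT. Algorithm pinned, signature compared in constant time before
# any claim is read; the principal comes from the token alone.
def verify_jwt(token: str) -> User:
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            raise Forbidden("unexpected alg")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise Forbidden("bad signature")
        claims = json.loads(_b64url_decode(payload))
        if claims["exp"] <= time.time():
            raise Forbidden("token expired")
        return USERS[claims["sub"]]
    except (ValueError, TypeError, AttributeError, KeyError) as exc:
        raise Forbidden("malformed or unknown token") from exc

def authorize(user: User, permission: Permission) -> None:
    if permission not in user.permissions():
        raise Forbidden(f"user {user.id} lacks {permission.value}")

# Step 3b: every endpoint runs the same sequence: verify token, check permission, then
# scope the query by the caller's company_id (from the verified user, never the request).
def list_orders(token: str) -> list:
    user = verify_jwt(token)
    authorize(user, Permission.ORDER_VIEW)
    return [o for o in ORDERS if o["company_id"] == user.company_id]

def update_order_status(token: str, order_id: int, new_status: str) -> dict:
    user = verify_jwt(token)
    authorize(user, Permission.ORDER_EDIT)
    # The tenant filter is part of the lookup, so another tenant's order looks non-existent.
    order = next((o for o in ORDERS if o["id"] == order_id and o["company_id"] == user.company_id), None)
    if order is None:
        raise LookupError("order not found")
    before = dict(order)
    order["status"] = new_status
    # Step 4: the audit record captures who, when, what, and before/after state.
    AUDIT_LOG.append({"user_id": user.id, "company_id": user.company_id, "action": "order.update",
                      "target": order_id, "ts": int(time.time()), "before": before, "after": dict(order)})
    return order
```

Two design points worth noting: the company_id filter lives inside the data access itself rather than in the caller, so there is no code path that can forget it, and a cross-tenant lookup returns "not found" rather than "forbidden" so the endpoint does not confirm that a record exists in another tenant. The warehouse user in the sample has ORDER_EDIT granted as a per-user override without changing the WAREHOUSE role default.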
Available On
Security & RBAC is configured and managed in Admin. Permissions are enforced across all surfaces — Admin, POS, Mobile, and B2B Portal.
Ready to secure your wholesale operation?
See how Vender Security & RBAC gives you enterprise-grade access control with full audit visibility.