Understanding the Permissions Matrix

Learn how global and brand-specific permissions work in Optiq, and how to configure role-based access for your organisation.

Written By Chris Germon

Last updated About 1 month ago

Overview

The Permissions Matrix in Optiq controls what each role (permission level) can see and do across the platform. It works on two levels: global defaults that apply system-wide, and brand-specific overrides that let you customise permissions for individual brands.

Key Concepts

Permission Levels (Roles)

Optiq comes with built-in permission levels that represent different roles in your organisation:

  • Staff β€” Standard team members
  • Location Manager β€” Manages a specific location
  • Scheduling Manager β€” Manages rosters and schedules
  • Senior Manager β€” Oversees multiple locations or teams
  • Payroll Admin β€” Manages pay and payroll
  • Super Admin β€” Full system access

Function Scope

Each system function (e.g. Schedules, Timesheets, Leave) can be set to one of three access levels per role:

  • Read β€” Can view but not change
  • Write β€” Can view and make changes
  • None β€” No access

Data Scope

In addition to what actions a role can perform, you can also control whose data they can see:

  • My Data β€” Only their own records
  • Managed Data β€” Their own records plus those of staff they manage
  • All Data β€” Everything across the organisation

Global Permissions (System Default)

Global permissions are the baseline settings that apply across your entire organisation, regardless of brand. When you open the Permissions Matrix without selecting a brand, you are editing the global defaults.

How to set global permissions

  1. Navigate to Settings β†’ Roles & Permissions
  2. Select the permission level (role) you want to configure
  3. For each system function, set the Function Scope (Read/Write/None) and Data Scope (My Data/Managed Data/All Data)
  4. Save your changes

These settings will apply to all brands and locations unless a brand-specific override exists.

Brand-Specific Permission Overrides

If you have multiple brands and need different permission rules for a specific brand, you can create brand-specific overrides. These take priority over the global defaults for that brand only.

How to set brand-specific permissions

  1. Navigate to Settings β†’ Roles & Permissions
  2. Select the brand you want to customise from the brand selector
  3. You will see the current permissions (inherited from global defaults)
  4. Modify the Function Scope or Data Scope for any role/function combination
  5. Save your changes β€” these overrides now apply only to that brand

How to reset brand permissions back to defaults

If you want to remove all brand-specific overrides and revert to the global defaults:

  1. Navigate to the brand-specific permission view
  2. Click Reset to Defaults
  3. All brand-specific overrides will be removed and the global permissions will apply again

How Permissions Are Evaluated

When a staff member performs an action, Optiq checks permissions in this order:

  1. User-specific overrides β€” If the individual staff member has been granted a specific permission exception (e.g. temporary elevated access), this takes highest priority
  2. Brand-specific permissions β€” If the action relates to a specific brand and that brand has a custom permission override, it is used
  3. Global default permissions β€” If no brand-specific override exists, the system-wide default is used

Common Scenarios

Restrict schedule editing for a specific brand

Set the global Schedule permission to Write for Location Managers, but create a brand-specific override for the target brand setting Schedule to Read for Location Managers. Managers at that brand can view but not edit schedules.

Give a staff member temporary admin access

Rather than changing their permission level, use a user-specific permission override with an expiry date. The elevated access will automatically expire without needing to remember to revoke it.

Different payroll visibility per brand

Set global Payroll data scope to My Data for most roles, but override it to All Data for Payroll Admins at a specific brand that manages payroll centrally.

Tips

  • Start with sensible global defaults and only create brand overrides where truly needed
  • Use the permission matrix view to see all roles and functions at a glance
  • Remember that Super Admins always have full access regardless of permission settings
  • Changes to permissions take effect immediately β€” no restart or logout required
  • Review permissions periodically to ensure they still match your organisational needs