Authorization

Control who can access what within your organization.

Overview

Olympus Cloud uses a role-based access control (RBAC) system with:

Roles - Collections of permissions
Permissions - Specific actions on resources
Policies - Conditional access rules
Multi-tenancy - Isolation between organizations

Roles

System Roles

Role	Description
Super Admin	Full platform access
Organization Owner	Full organization access
Organization Admin	Manage organization settings and users
Location Manager	Manage specific locations
Staff Member	Standard operational access
Read Only	View-only access

Custom Roles

Create roles tailored to your needs:

Go to Settings > Roles
Click Create Role
Name and describe the role
Select permissions
Save

Permissions

Permission Structure

Permissions follow the pattern: resource:action

Resource	Actions
orders	create, read, update, delete, void, refund
menu	create, read, update, delete, publish
users	create, read, update, delete, invite
reports	read, export
settings	read, update

Permission Categories

Category	Permissions
Order Management	Create orders, process payments, void
Menu Management	Edit items, pricing, availability
Staff Management	Add users, assign roles, schedule
Financial	View reports, export data, refunds
Configuration	Update settings, integrations

Assigning Roles

To Users

Go to Users
Select user
Click Edit Roles
Assign roles
Save

Role Inheritance

Users can have multiple roles
Permissions are additive
Most permissive access wins

Location-Based Access

Scoped Access

Limit users to specific locations:

Assign role with location scope
User only sees that location's data
Actions restricted to scope

Multi-Location Users

For users across locations:

Assign role per location
Or use organization-wide role
Configure default location

Policies

Policy Types

Type	Description
Time-Based	Access during specific hours
IP-Based	Access from specific networks
Location-Based	Access from geographic regions
Device-Based	Access from trusted devices
Risk-Based	Dynamic access based on risk score

Creating Policies

Go to Settings > Policies
Click Create Policy
Define conditions
Set enforcement action
Assign to roles or users

Policy Examples

Office Hours Only:

Allow access when:
- Time is 6:00 AM - 10:00 PM local
- Day is Monday - Sunday

Corporate Network:

Allow access when:
- IP is in trusted range
- OR device is registered

Multi-Tenant Authorization

Tenant Isolation

Users belong to one organization
Cannot access other tenants' data
Strict boundary enforcement

Cross-Tenant Access

danger

Cross-tenant data access bypasses normal isolation boundaries. All cross-tenant access requires explicit permission, is fully audited, and must use time-limited sessions. Unauthorized cross-tenant queries are treated as security incidents.

For platform administrators:

Explicit permission required
Audited access
Time-limited sessions

API Authorization

Token Permissions

API tokens include:

User's role permissions
Explicit token scope restrictions
Resource-level access

Checking Permissions

Before operations:

Token validated
User permissions loaded
Resource access checked
Action allowed or denied

Audit Logging

Logged Events

Event	Details
Permission Granted	Who, what, when
Permission Denied	Who, what, why
Role Change	User, old/new roles
Policy Violation	User, policy, action

Viewing Audit Logs

Go to Security > Audit Logs
Filter by user, action, time
Review entries
Export if needed

Best Practices

Role Design

Keep roles focused
Use descriptive names
Document purpose
Review regularly

Permission Assignment

Best Practice

Follow the principle of least privilege: assign only the permissions a user needs for their role. Use roles rather than granting individual permissions, and schedule quarterly access reviews to remove unused permissions.

Follow least privilege
Use roles, not individual permissions
Regular access reviews
Remove unused permissions

Policy Management

Test before enforcing
Monitor impact
Communicate changes
Keep policies simple

Troubleshooting

Common Issues

Issue	Solution
Can't access feature	Check role permissions
Action denied	Check policy restrictions
Can't see location	Verify location scope
API returns 403	Check token scope

Diagnosing Access Issues

Check user's roles
Review role permissions
Check applicable policies
Review audit log for denials

Overview​

Roles​

System Roles​

Custom Roles​

Permissions​

Permission Structure​

Permission Categories​

Assigning Roles​

To Users​

Role Inheritance​

Location-Based Access​

Scoped Access​

Multi-Location Users​

Policies​

Policy Types​

Creating Policies​

Policy Examples​

Multi-Tenant Authorization​

Tenant Isolation​

Cross-Tenant Access​

API Authorization​

Token Permissions​

Checking Permissions​

Audit Logging​

Logged Events​

Viewing Audit Logs​

Best Practices​

Role Design​

Permission Assignment​

Policy Management​

Troubleshooting​

Common Issues​

Diagnosing Access Issues​

Related Guides​