Permissions reference

Every action in Tether is protected by a permission key. Roles set default permissions. Per-user overrides let you grant or revoke individual permissions on top of the role.

How permissions work

The effective permission set for a user is calculated as follows:

  1. Start with all permissions granted by the user's role
  2. Apply any individual overrides — Grant adds a permission the role doesn't include; Revoke removes a permission the role would otherwise provide
  3. The resulting set is checked server-side on every API request

This means you can give a client_viewer the ability to check assets out by granting assets.checkout, or prevent a client_admin from deleting assets by revoking assets.delete — without creating any new roles.

Permissions are enforced server-side

The frontend uses permissions to show or hide UI elements, but every API endpoint independently validates the caller's permissions. It is not possible to bypass permissions by calling the API directly — the check happens in the backend regardless of how the request arrives.

All permission keys

| Permission key | What it controls | Affected endpoints |
|---|---|---|
| assets.view | View the asset list and individual asset detail pages | GET /api/assets, GET /api/assets/{id} |
| assets.create | Create new asset records | POST /api/assets |
| assets.edit | Edit existing asset fields (name, serial, cost, etc.) | PUT /api/assets/{id} |
| assets.delete | Delete asset records permanently | DELETE /api/assets/{id} |
| assets.checkout | Check an asset out to a person | POST /api/assets/{id}/checkout |
| assets.checkin | Check an asset back in | POST /api/assets/{id}/checkin |
| assets.import | Import assets via CSV upload | POST /api/assets/import/csv |
| assets.export | Export assets to a CSV file | GET /api/assets/export/csv |
| categories.manage | Create, rename, and delete asset categories | /api/categories |
| locations.manage | Create, rename, and delete locations | /api/locations |
| employees.manage | Create, edit, and delete people (employees assets are assigned to) | /api/employees |
| users.manage | Create, edit, deactivate, and delete user accounts within the tenant | /api/users |
| reports.view | View reports and summary statistics | Dashboard stats endpoints |
| settings.manage | Edit tenant settings: name, logo, currency, accent colour | PUT /api/settings |
| tenants.manage | Create, edit, and delete client tenants — MSP only | /api/tenants |
| msp.dashboard | Access the cross-client MSP dashboard and stats | GET /api/dashboard/msp |
| msp.impersonate | Access any client tenant as MSP staff | Host-header-based tenant scoping |

Role default permissions

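| Permission | msp_admin | msp_technician | client_admin | client_manager | client_viewer |
|---|---|---|---|---|---|
| assets.view | Yes | Yes | Yes | Yes | Yes |
| assets.create | Yes | Yes | Yes | Yes | No |
| assets.edit | Yes | Yes | Yes | Yes | No |
| assets.delete | Yes | Yes | Yes | No | No |
| assets.checkout | Yes | Yes | Yes | Yes | No |
| assets.checkin | Yes | Yes | Yes | Yes | No |
| assets.import | Yes | Yes | Yes | Yes | No |
| assets.export | Yes | Yes | Yes | Yes | Yes |
| categories.manage | Yes | Yes | Yes | Yes | No |
| locations.manage | Yes | Yes | Yes | Yes | No |
| employees.manage | Yes | Yes | Yes | Yes | No |
| users.manage | Yes | No | Yes | No | No |
| reports.view | Yes | Yes | Yes | Yes | Yes |
| settings.manage | Yes | No | Yes | No | No |
| tenants.manage | Yes | No | No | No | No |
| msp.dashboard | Yes | Yes | No | No | No |
| msp.impersonate | Yes | Yes | No | No | No |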

Editing permission overrides

  1. Go to Users (MSP-level or client-level)
  2. Find the user and click the lock icon (Perms)
  3. The permission editor shows each permission key with three columns:
    • Role default — whether the role includes this permission
    • Override — three options: Grant (always on), Revoke (always off), Default (follow the role)
    • Effective — the final result after applying the override
  4. Set overrides as needed and click Save Permissions

Overrides are additive, not replacements

When you set an override, it changes only that one permission — all other permissions remain as the role specifies. You do not need to re-specify all permissions when adding an override.

Checking permissions via API

The /api/auth/me endpoint returns the currently authenticated user's complete permission list:

```http
GET /api/auth/me
Authorization: Bearer {token}

# Response includes:
{ "permissions": ["assets.view", "assets.create", "assets.edit", ...] }
```

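
One way to audit an account against the rules on this page: the added example below (not Tether's own code) recomputes the effective set from the role defaults table and the overrides, then compares it with the permissions list returned by /api/auth/me. The function names and the lowercase override values "grant", "revoke" and "default" are assumptions; the page documents only the editor labels, not a wire format.

```python
# Added example, not Tether code. Role defaults are transcribed from the
# "Role default permissions" table on this page.
ALL_KEYS = frozenset(
    "assets.view assets.create assets.edit assets.delete assets.checkout "
    "assets.checkin assets.import assets.export categories.manage "
    "locations.manage employees.manage users.manage reports.view "
    "settings.manage tenants.manage msp.dashboard msp.impersonate".split()
)
MSP_ONLY = {"tenants.manage", "msp.dashboard", "msp.impersonate"}
ADMIN_ONLY = {"users.manage", "settings.manage"}
ROLE_DEFAULTS = {
    "msp_admin": ALL_KEYS,
    "msp_technician": ALL_KEYS - ADMIN_ONLY - {"tenants.manage"},
    "client_admin": ALL_KEYS - MSP_ONLY,
    "client_manager": ALL_KEYS - MSP_ONLY - ADMIN_ONLY - {"assets.delete"},
    "client_viewer": frozenset({"assets.view", "assets.export", "reports.view"}),
}

def effective_permissions(role, overrides):
    """Steps 1-2 of "How permissions work": role defaults, then overrides."""
    perms = set(ROLE_DEFAULTS[role])  # unknown role raises KeyError: fail closed
    for key, action in overrides.items():
        if key not in ALL_KEYS:
            raise ValueError(f"unknown permission key: {key}")
        if action == "grant":        # assumed spelling of the Grant option
            perms.add(key)
        elif action == "revoke":     # assumed spelling of the Revoke option
            perms.discard(key)
        elif action != "default":    # Default: follow the role
            raise ValueError(f"unknown override action: {action}")
    return perms

def audit_me_response(role, overrides, reported):
    """Compare the /api/auth/me permissions list with the expected set."""
    expected, reported = effective_permissions(role, overrides), set(reported)
    return {
        "unexpected": sorted(reported - expected),  # not explained by role + overrides
        "missing": sorted(expected - reported),     # expected but not reported
        "beyond_role": sorted(reported - ROLE_DEFAULTS[role]),  # above role default
    }

# Constructed sample: a client_viewer granted assets.checkout (the page's own
# example) whose reported list also contains assets.delete.
SAMPLE = audit_me_response(
    "client_viewer",
    {"assets.checkout": "grant"},
    ["assets.view", "assets.export", "reports.view", "assets.checkout", "assets.delete"],
)
```

A non-empty "unexpected" list means the account holds a permission that neither its role nor its recorded overrides account for; "beyond_role" lists every permission above the role default, which is the set to review periodically.
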
Last updated: May 2026