
Overview

jshERP implements a comprehensive Role-Based Access Control (RBAC) system that allows administrators to define roles and assign specific permissions to users. The system supports function-level permissions, button-level controls, and price visibility restrictions.
Roles are tenant-scoped, meaning each tenant can define their own roles independently. System-level roles are available across all tenants.

Role Structure

Each role in jshERP contains:
  • id (Long): Unique role identifier
  • name (String, required): Role display name (e.g., “Sales Manager”, “Warehouse Clerk”)
  • type (String, required): Role type defining scope and permissions level
  • priceLimit (String): Price visibility restrictions (see Price Limits section)
  • value (String): Role value used for internal logic
  • description (String): Detailed role description
  • enabled (Boolean): Whether the role is active
  • sort (String): Display order for role listing
  • tenantId (Long): Associated tenant ID (null for system roles)
Reference: Role.java:1-103

Creating Roles

  1. Navigate to Role Management: Access the role management interface from the admin panel.
  2. Create New Role: Click “Add Role” and configure:
     POST /role/add
     Request Body:
     {
       "name": "Sales Manager",
       "type": "sales",
       "description": "Manages sales operations and team",
       "priceLimit": "1,2,3",
       "enabled": true,
       "sort": "10"
     }
     Reference: RoleController.java:68-74
  3. Assign Functions: Link specific functions (menu items, features) to this role through the UserBusiness relationship with type “RoleFunctions”.
  4. Configure Permissions: Set up button-level permissions and price visibility restrictions.

Permission Types

Function Permissions

Functions represent menu items, pages, and major features in the system. Each function has:
  • number (String): Unique function identifier (e.g., “01”, “0101”)
  • name (String): Display name of the function
  • parentNumber (String): Parent function for hierarchical menu structure
  • url (String): Route URL for navigation
  • component (String): Frontend component path
  • type (String): Function type (menu, button, etc.)
  • pushBtn (String): Associated button permissions (comma-separated)
  • icon (String): Icon identifier for UI display
  • state (Boolean): Open/closed state for tree navigation
  • enabled (Boolean): Whether function is active
Reference: Function.java:1-133

Button Permissions

Button-level permissions control specific actions within pages:
  • Create/Add
  • Edit/Update
  • Delete
  • Import/Export
  • Approve/Audit
  • Print
  • Custom actions
Button permissions are stored in the pushBtn field of Function entities and assigned to roles via UserBusiness relationships. Reference: UserController.java:438-456

Price Visibility Controls

jshERP includes sophisticated price visibility restrictions to control what financial information different roles can see.

Price Limit Codes

Each code is a price type:
  • 1 - Home Purchase Price: Hide purchase prices on homepage/dashboard
  • 2 - Home Retail Price: Hide retail prices on homepage/dashboard
  • 3 - Home Sales Price: Hide sales prices on homepage/dashboard
  • 4 - Purchase Bill Price: Hide prices in purchase documents
  • 5 - Retail Bill Price: Hide prices in retail documents
  • 6 - Sales Bill Price: Hide prices in sales documents

Configuring Price Limits

Set the priceLimit field as a comma-separated string of limit codes:
{
  "name": "Warehouse Staff",
  "priceLimit": "1,4,6"
}
This configuration hides:
  • Purchase prices on homepage (1)
  • Prices in purchase bills (4)
  • Prices in sales bills (6)
Reference: RoleService.java:240-298

Price Masking Logic

When a user has price restrictions:
// Illustrative check for purchase bill prices (code 4). priceLimit is the role's
// comma-separated string; a substring check is sufficient because every code is a single digit.
if (priceLimit != null && priceLimit.contains("4")) {
    // Hide purchase bill prices
    price = null; // or "***" placeholder
}
The system automatically:
  1. Checks user’s role priceLimit setting
  2. Compares against current page/bill type
  3. Masks prices matching the restriction codes
Reference: RoleService.java:264-298
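As an added example (not jshERP's own code), the following parses a role's priceLimit string once into a set of codes and applies it to a price by context on the server side, so a restricted value never reaches the client. The class, enum and method names are assumptions; the codes 1-6 and the comma-separated format are from this page.

```java
import java.math.BigDecimal;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

// Added example, not jshERP's own code. The enum, class and method names are
// assumptions; the codes 1-6 and the comma-separated priceLimit format are from the page.
public class PriceMasking {
    // Price visibility codes as documented: 1-3 dashboard, 4-6 bill documents.
    enum PriceLimit {
        HOME_PURCHASE(1), HOME_RETAIL(2), HOME_SALES(3),
        PURCHASE_BILL(4), RETAIL_BILL(5), SALES_BILL(6);

        final int code;
        PriceLimit(int code) { this.code = code; }
        static PriceLimit fromCode(int code) {
            for (PriceLimit p : values()) if (p.code == code) return p;
            return null;
        }
    }

    // Parse "1,4,6" into a set. Blank or null means no restriction (as in the admin
    // and accountant configurations). Malformed tokens are skipped, never widened.
    static Set<PriceLimit> parse(String priceLimit) {
        if (priceLimit == null || priceLimit.isBlank()) return Collections.emptySet();
        Set<PriceLimit> out = EnumSet.noneOf(PriceLimit.class);
        for (String tok : priceLimit.split(",")) {
            try {
                PriceLimit p = PriceLimit.fromCode(Integer.parseInt(tok.trim()));
                if (p != null) out.add(p);
            } catch (NumberFormatException ignored) { }
        }
        return out;
    }

    // Apply the mask on the server: a restricted price becomes null before the
    // response is built, so the client never receives a value it could "unhide".
    static BigDecimal maskIfRestricted(BigDecimal price, PriceLimit context, Set<PriceLimit> limits) {
        return limits.contains(context) ? null : price;
    }

    public static void main(String[] args) {
        Set<PriceLimit> warehouse = parse("1,4,6"); // Warehouse Staff example from the page
        BigDecimal unit = new BigDecimal("12.50");
        System.out.println(maskIfRestricted(unit, PriceLimit.PURCHASE_BILL, warehouse));
        System.out.println(maskIfRestricted(unit, PriceLimit.RETAIL_BILL, warehouse));
    }
}
```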

Role Assignment

Assigning Roles to Users

Users can have multiple roles simultaneously:
GET /role/findUserRole?UBType=UserRole&UBKeyId={userId}
Returns available roles with checkmarks for currently assigned ones. Reference: RoleController.java:119-144

Role Functions Assignment

Link functions to roles through the UserBusiness table:
  • Type: “RoleFunctions”
  • Key ID: Role ID
  • Value: Comma-separated function IDs in format [1],[2],[3]
Reference: UserService.java:862-876

API Endpoints

Get Role Information

GET /role/info?id={roleId}
Returns detailed role information including price limits. Reference: RoleController.java:44-56

List All Roles

GET /role/list?search={searchParams}
Search parameters:
  • name: Filter by role name
  • description: Search in description
Reference: RoleController.java:58-66

List Tenant Roles

GET /role/tenantRoleList
Returns only roles belonging to the current tenant (excludes system roles). Reference: RoleController.java:152-156

List All Roles (Including System)

GET /role/allList
Returns all available roles including system-level roles. Reference: RoleController.java:146-150

Update Role

PUT /role/update
Request Body:
{
  "id": 123,
  "name": "Updated Role Name",
  "description": "New description",
  "priceLimit": "1,2",
  "enabled": true
}
Reference: RoleController.java:76-82

Delete Roles

DELETE /role/delete?id={roleId}
DELETE /role/deleteBatch?ids={id1,id2,id3}
Deleting a role will affect all users assigned to that role. Ensure users have alternative roles before deletion.
Reference: RoleController.java:84-98

Batch Operations

Enable/Disable Multiple Roles

POST /role/batchSetStatus
Request Body:
{
  "status": true,
  "ids": "1,2,3"
}
Reference: RoleController.java:164-177

Permission Checking

Get Current User Price Limit

GET /user/getCurrentPriceLimit
Returns the price limit configuration for the current user’s role. Reference: UserController.java:389-405

Get Current User Role Type

GET /user/getRoleTypeByCurrentUser
Returns the role type for the authenticated user. Reference: UserController.java:412-429

Get User Button Permissions

GET /user/getUserBtnByCurrentUser
Returns an array of button permission strings for the current user.
The admin user bypasses all permission checks and has access to everything.
Reference: UserController.java:438-456

Common Role Configurations

System Administrator

{
  "name": "System Administrator",
  "type": "admin",
  "priceLimit": "",
  "description": "Full system access"
}

Sales Manager

{
  "name": "Sales Manager",
  "type": "sales",
  "priceLimit": "1,4",
  "description": "Manages sales team, cannot see purchase prices"
}

Warehouse Staff

{
  "name": "Warehouse Staff",
  "type": "warehouse",
  "priceLimit": "1,2,3,4,5,6",
  "description": "Inventory management only, no price visibility"
}

Accountant

{
  "name": "Accountant",
  "type": "finance",
  "priceLimit": "",
  "description": "Full financial visibility, no operational permissions"
}

Validation

Check Role Name Uniqueness

GET /role/checkIsNameExist?id={id}&name={name}
Validates whether a role name is already in use. Reference: RoleController.java:100-112

Multi-Tenant Considerations

Tenant Isolation:
  • Roles with tenantId = null are system roles available to all tenants
  • Roles with a specific tenantId are only visible to that tenant
  • Users can only be assigned roles from their own tenant or system roles

Best Practices

Security Recommendations:
  • Follow the principle of least privilege
  • Regularly audit role assignments
  • Use descriptive role names that reflect business functions
  • Test permission changes in a non-production environment
  • Document custom role configurations
Role Design Tips:
  • Create roles based on job functions, not individuals
  • Keep the number of roles manageable (5-15 is typical)
  • Use price limits to separate operational from financial roles
  • Combine function permissions with button permissions for granular control
  • Consider role hierarchy in your organization

Permission Flow

  1. User Authentication: User logs in and system retrieves their role assignments.
  2. Role Resolution: System loads all roles assigned to the user.
  3. Function Loading: For each role, load associated functions via UserBusiness (RoleFunctions).
  4. Permission Aggregation: Combine all functions and buttons from all user roles.
  5. UI Rendering: Frontend displays only permitted menus and buttons.
  6. Price Masking: Apply price limits from roles to hide restricted financial data.
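As an added example (not jshERP's own code) covering the RoleFunctions value format from the Role Functions Assignment section and steps 3-4 of this flow: it parses each role's "[1],[2],[3]" value, unions the function IDs across the user's roles, and collects the buttons of the enabled functions. The Function record, the sample rows, the button names and the "number:button" output format are constructed assumptions.

```java
import java.util.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not jshERP's own code. The Function record, the sample table and the
// button names are constructed stand-ins; the "[1],[2],[3]" value format is from the page.
public class PermissionAggregation {

    // Minimal view of a Function row: id, number, pushBtn (comma-separated buttons), enabled.
    record Function(long id, String number, String pushBtn, boolean enabled) {}

    private static final Pattern BRACKET_ID = Pattern.compile("\\[(\\d+)\\]");

    // Parse a RoleFunctions UserBusiness value such as "[1],[2],[3]" into function IDs.
    // Only bracketed integers are accepted; any other token is ignored.
    static Set<Long> parseFunctionIds(String ubValue) {
        Set<Long> ids = new LinkedHashSet<>();
        if (ubValue == null) return ids;
        Matcher m = BRACKET_ID.matcher(ubValue);
        while (m.find()) ids.add(Long.parseLong(m.group(1)));
        return ids;
    }

    // Union the function IDs of every role the user holds, then collect the buttons of
    // those functions. Unknown or disabled functions contribute nothing to the result.
    static Set<String> aggregateButtons(List<String> roleFunctionValues, Map<Long, Function> functions) {
        Set<Long> allowed = new TreeSet<>();
        for (String v : roleFunctionValues) allowed.addAll(parseFunctionIds(v));
        Set<String> buttons = new TreeSet<>(); // "number:button", an assumed output format
        for (Long id : allowed) {
            Function f = functions.get(id);
            if (f == null || !f.enabled() || f.pushBtn() == null) continue;
            for (String b : f.pushBtn().split(",")) {
                if (!b.isBlank()) buttons.add(f.number() + ":" + b.trim());
            }
        }
        return buttons;
    }

    public static void main(String[] args) {
        Map<Long, Function> table = Map.of(                 // constructed sample functions
            1L, new Function(1, "01", "add,edit", true),
            2L, new Function(2, "0101", "add,delete,print", true),
            3L, new Function(3, "02", "export", false));    // disabled: contributes nothing
        List<String> roles = List.of("[1],[2]", "[2],[3]"); // two roles held by one user
        System.out.println(aggregateButtons(roles, table));
    }
}
```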
