Permissions
Arkan ERP uses role-based access control (RBAC) combined with feature gating to control what users can see and do.
Roles
Four roles are available, assigned per company:
| Role | Description | Typical Use |
|---|---|---|
| Owner | Full access, can manage billing and delete the organization | Founder, CEO |
| Admin | Full access to all modules and settings within a company | Department heads, IT |
| Member | Can create and edit records in enabled modules | Regular employees |
| Viewer | Read-only access to all enabled modules | External stakeholders, auditors |
Role Comparison
| Permission | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View records | Yes | Yes | Yes | Yes |
| Create/edit records | Yes | Yes | Yes | No |
| Delete records | Yes | Yes | Limited | No |
| Manage members | Yes | Yes | No | No |
| Manage company settings | Yes | Yes | No | No |
| Manage billing | Yes | No | No | No |
| Delete organization | Yes | No | No | No |
| Access all companies | Yes | Per assignment | Per assignment | Per assignment |
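Because roles are assigned per company, an authorization check has to resolve the caller's role in the active company and deny by default when no membership exists there. The following is an added illustration, not Arkan ERP's own code: it transcribes the role comparison table into a matrix, resolves the role per company (with Owner spanning all companies, as the table states), and returns a decision with a reason. The interpretation of "Limited" (a Member may delete only records they created), the action names and the sample users are assumptions made for the example.

```typescript
// Added illustration of per-company RBAC; not Arkan ERP's code. Action names
// and the reading of "Limited" as "own records only" are assumptions.

type Role = 'owner' | 'admin' | 'member' | 'viewer';
type Action =
  | 'view' | 'create' | 'edit' | 'delete'
  | 'manage_members' | 'manage_settings' | 'manage_billing' | 'delete_org';

// 'own' models the table's "Limited": a Member may delete only records
// they created (assumed meaning).
type Grant = boolean | 'own';

// Permission matrix transcribed from the role comparison table.
const MATRIX: Record<Action, Record<Role, Grant>> = {
  view:            { owner: true, admin: true,  member: true,  viewer: true  },
  create:          { owner: true, admin: true,  member: true,  viewer: false },
  edit:            { owner: true, admin: true,  member: true,  viewer: false },
  delete:          { owner: true, admin: true,  member: 'own', viewer: false },
  manage_members:  { owner: true, admin: true,  member: false, viewer: false },
  manage_settings: { owner: true, admin: true,  member: false, viewer: false },
  manage_billing:  { owner: true, admin: false, member: false, viewer: false },
  delete_org:      { owner: true, admin: false, member: false, viewer: false },
};

interface Membership { companyId: string; role: Role }
interface User { id: string; memberships: Membership[] }
interface RecordRef { createdBy: string }
interface Decision { allowed: boolean; reason: string }

// Resolve the caller's role in the *active* company. Owners span every
// company ("Access all companies: Yes"); everyone else needs an explicit
// membership in that company, otherwise access is denied by default.
function roleIn(user: User, companyId: string): Role | null {
  if (user.memberships.some((m) => m.role === 'owner')) return 'owner';
  return user.memberships.find((m) => m.companyId === companyId)?.role ?? null;
}

function authorize(user: User, companyId: string, action: Action, record?: RecordRef): Decision {
  const role = roleIn(user, companyId);
  if (role === null) {
    return { allowed: false, reason: `no membership in company ${companyId}` };
  }
  const grant = MATRIX[action][role];
  if (grant === true) return { allowed: true, reason: `${role} may ${action}` };
  if (grant === 'own') {
    if (record !== undefined && record.createdBy === user.id) {
      return { allowed: true, reason: 'member may delete a record they created' };
    }
    return { allowed: false, reason: 'member may only delete records they created' };
  }
  return { allowed: false, reason: `${role} may not ${action}` };
}

// Constructed sample users (not real data).
const alice: User = { id: 'alice', memberships: [{ companyId: 'c1', role: 'owner' }] };
const bob: User = {
  id: 'bob',
  memberships: [{ companyId: 'c1', role: 'admin' }, { companyId: 'c2', role: 'viewer' }],
};
const carol: User = { id: 'carol', memberships: [{ companyId: 'c1', role: 'member' }] };

// Example: bob is an admin in c1 but only a viewer in c2, so the same request
// is allowed in one company and refused in the other.
authorize(bob, 'c1', 'create');  // allowed
authorize(bob, 'c2', 'create');  // denied: viewer in c2
authorize(bob, 'c3', 'view');    // denied: no membership in c3
```

The important property is that the company identifier comes from the request context and the role is looked up for that company; a check that reads a single "global" role for the user would let bob's admin rights in c1 leak into c2.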
Feature Gating
The platform uses 92 feature flags to control access to functionality based on the subscription plan. Features are gated at the API level using the @RequireFeature() decorator.
How It Works
```typescript
@RequireFeature('accounting')
@Controller('accounting')
export class AccountingController {
  // All routes in this controller require the 'accounting' feature
}
```

If a user's plan does not include the feature, the API returns 403 Forbidden.
Pricing Tiers
| Tier | Example Features |
|---|---|
| Free | Projects (up to 3), basic boards |
| Starter | Unlimited projects, CRM, basic reports |
| Professional | Accounting, HR, Inventory, advanced reports |
| Business | Multi-company, AI insights, API access, custom fields |
| Enterprise | SSO, audit logs, dedicated support, custom integrations |
Feature Flag Categories
| Category | Count | Examples |
|---|---|---|
| Core | 12 | Projects, boards, work items |
| CRM | 8 | Leads, deals, pipeline, proposals |
| Accounting | 15 | GL, invoicing, bank reconciliation, fixed assets |
| HR | 14 | Payroll, leave, attendance, recruitment |
| Inventory | 10 | Warehouses, stock moves, barcode, valuation |
| Projects Advanced | 8 | Sprints, Gantt, OKRs, client portals |
| Platform | 12 | Multi-company, AI insights, API, webhooks |
| Admin | 13 | Audit logs, SSO, custom fields, branding |
| Total | 92 | |
The @RequireFeature Decorator
The @RequireFeature() decorator can be applied at the controller or route level:
```typescript
// Gate an entire controller
@RequireFeature('hr')
@Controller('hr')
export class HrController { }

// Gate a specific route
@Controller('projects')
export class ProjectsController {
  @RequireFeature('sprints')
  @Post(':id/sprints')
  createSprint() { }
}
```

The decorator checks the active company's subscription plan against the feature flag. This is enforced server-side — the frontend hides gated features from the UI, but the API is the source of truth.
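To make the mechanism behind both snippets above concrete, here is an added, framework-free model of how a `@RequireFeature()` decorator and its server-side guard fit together. It is not Arkan ERP's code: the decorator only records which feature a controller or route needs, and a guard function compares that against the active company's plan on every request, returning 403 when a feature is missing. The plan contents, the feature keys other than `accounting`, `hr` and `sprints`, and the tier ordering are constructed for the example; the decorators are applied as plain function calls so the sample compiles without decorator-specific compiler settings.

```typescript
// Added, framework-free model of @RequireFeature gating; not Arkan ERP's code.
// Plan contents and feature keys other than 'accounting', 'hr' and 'sprints'
// are constructed for the example. Decorators are applied as plain function
// calls so the sample compiles without decorator-specific compiler flags.

type Plan = 'free' | 'starter' | 'professional' | 'business' | 'enterprise';
type Feature = string;

// Each tier adds features on top of the tiers below it (constructed values).
const PLAN_ORDER: Plan[] = ['free', 'starter', 'professional', 'business', 'enterprise'];
const TIER_ADDS: Record<Plan, Feature[]> = {
  free: ['projects'],
  starter: ['crm', 'basic-reports'],
  professional: ['accounting', 'hr', 'inventory', 'sprints', 'advanced-reports'],
  business: ['multi-company', 'ai-insights', 'api-access', 'custom-fields'],
  enterprise: ['sso', 'audit-logs'],
};

function planFeatures(plan: Plan): Set<Feature> {
  const enabled = new Set<Feature>();
  for (const tier of PLAN_ORDER) {
    for (const f of TIER_ADDS[tier]) enabled.add(f);
    if (tier === plan) break;
  }
  return enabled;
}

// Metadata recorded by the decorator: one feature per controller class and
// one per gated route, keyed by the class constructor.
const classFeature = new Map<Function, Feature>();
const routeFeature = new Map<Function, Map<string, Feature>>();

// Same shape as a legacy TS class/method decorator: (target) for a class,
// (prototype, methodName) for a method.
function RequireFeature(feature: Feature) {
  return (target: Function | object, methodName?: string): void => {
    if (methodName === undefined) {
      classFeature.set(target as Function, feature);
      return;
    }
    const ctor = (target as object).constructor;
    const routes = routeFeature.get(ctor) ?? new Map<string, Feature>();
    routes.set(methodName, feature);
    routeFeature.set(ctor, routes);
  };
}

// Controllers shaped like the page's examples (handler bodies are stand-ins).
class HrController {
  list(): string { return 'hr list'; }
}
RequireFeature('hr')(HrController); // equivalent to @RequireFeature('hr') on the class

class ProjectsController {
  list(): string { return 'project list'; }
  createSprint(): string { return 'sprint created'; }
}
RequireFeature('sprints')(ProjectsController.prototype, 'createSprint'); // route-level gate

// Collect the class-level and route-level requirements for one handler.
function requiredFeatures(ctor: Function, methodName: string): Feature[] {
  const required: Feature[] = [];
  const c = classFeature.get(ctor);
  if (c !== undefined) required.push(c);
  const r = routeFeature.get(ctor)?.get(methodName);
  if (r !== undefined) required.push(r);
  return required;
}

interface GateResult { status: 200 | 403; missingFeature?: Feature }

// Server-side guard: the active company's plan is checked on every request,
// regardless of what the frontend chose to show or hide.
function featureGuard(plan: Plan, ctor: Function, methodName: string): GateResult {
  const enabled = planFeatures(plan);
  for (const f of requiredFeatures(ctor, methodName)) {
    if (!enabled.has(f)) return { status: 403, missingFeature: f };
  }
  return { status: 200 };
}

// Example: a Starter company hitting the HR controller is refused (403),
// while its ungated project listing is served (200).
featureGuard('starter', HrController, 'list');
featureGuard('starter', ProjectsController, 'list');
```

A useful check when reviewing gating code is that an ungated route on a partly gated controller (`ProjectsController.list` here) stays reachable, while the gated route is refused with the name of the missing feature so the client can explain the upgrade path.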
Multi-Company Permissions
Users can have different roles in different companies. See Multi-Company for details on how company access is managed.
API Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /members | List members in the current company |
| POST | /members/invite | Invite a new member |
| PATCH | /members/:id/role | Change a member’s role |
| DELETE | /members/:id | Remove a member |
| GET | /features | List feature flags and their status |