Pistonlog ships with four actor types — Owner, Manager, Reception and Technician — and 46 permission keys grouped by feature. This page is the source-of-truth reference: use it when designing a custom role or auditing what someone in your team can see.

The four actors

Actor	How it's set
Owner	The user who created the company. One per company. Bypasses every permission check via a `*` wildcard.
Manager	Default seeded role with every permission. Effectively the same as Owner for day-to-day work, but Owner-only things like billing stay locked.
Reception	Default seeded role for front-of-house: bookings, customers, payments, communication.
Technician	Default seeded role for the workshop floor: jobcards, inspections, parts.

You can also create your own custom roles per garage in Team Management and toggle permissions individually.

The 46 permission keys

Keys follow the {group}.{action} pattern.

Jobcards & workflow

Key	What it controls
`jobcards.view`	See the jobcard list and detail pages
`jobcards.create`	Start a new jobcard
`jobcards.edit`	Edit any field on a jobcard, including jobs/parts/labour
`jobcards.delete`	Delete a jobcard
`workflow.view`	See the kanban / workflow board
`workflow.edit`	Drag cards between columns
`activity.view`	See the activity log on a jobcard

Customers, vehicles, businesses

Key	What it controls
`customers.view`	See customer records
`customers.create`	Add a new customer
`customers.edit`	Edit a customer record
`customers.delete`	Delete a customer
`businesses.view/create/edit/delete`	Same four actions for business accounts (fleets)
`vehicles.view/create/edit/delete`	Same four actions for vehicles

Inspections

Key	What it controls
`inspections.view`	See inspection submissions on a jobcard
`inspections.create`	Start a new inspection from a template
`inspections.edit`	Fill in / update an in-progress inspection
`inspections.delete`	Delete a submission

Appointments & messages

Key	What it controls
`appointments.view/create/edit/delete`	Bookings on the calendar
`messages.view`	See the jobcard's internal team thread
`messages.create`	Post on jobcard threads
`messages.direct`	Start a one-to-one team DM

Money

Key	What it controls
`payments.view`	See totals, VAT breakdown, rates, prices on jobcards and invoices
`payments.edit`	Issue invoices, record payments
`parts.view_cost`	See the unit cost column (what the garage paid for the part)

payments.view is enforced server-side

Users without payments.view get a stripped jobcard payload from the API — financial fields are removed before the data leaves the server. That means a future mobile or third-party integration can't bypass the check by inspecting the JSON. Owners bypass the strip.

Parts & suppliers

Key	What it controls
`parts.manage`	Add, edit and reorder parts on a jobcard
`suppliers.view`	See the suppliers list
`suppliers.manage`	Add / edit / delete suppliers
`returns.manage`	Process part returns

Team, roles & garage admin

Key	What it controls
`team.view`	See the team list
`team.edit`	Invite, remove or reassign team members
`roles.view/create/edit/delete`	Manage custom roles
`settings.view`	Open Settings
`settings.edit`	Change garage configuration
`garages.view`	See the list of garages this user belongs to

Default assignments

Default role assignments are seeded from src/db/seed-permissions.ts in the codebase. Custom roles you create override these defaults.

Permission group	Owner	Manager	Reception	Technician
Jobcards (full)	yes	yes	view/create/edit	view/edit
Workflow	yes	yes	yes	yes
Customers	yes	yes	view/create/edit	view only
Vehicles	yes	yes	view/create/edit	view only
Businesses	yes	yes	view/create/edit	—
Appointments	yes	yes	yes	—
Inspections	yes	yes	view/create	view/create/edit
Messages (view/create)	yes	yes	yes	yes
Messages (direct)	yes	yes	yes	—
Payments	yes	yes	yes	—
Parts (manage)	yes	yes	yes	yes
Parts (view_cost)	yes	yes	—	—
Suppliers (view)	yes	yes	yes	—
Returns (manage)	yes	yes	yes	—
Team (view)	yes	yes	yes	yes
Team (edit)	yes	yes	—	—
Settings	yes	yes	—	—
Activity	yes	yes	yes	—

Permissions reference