Roles & permissions
Understand the platform roles, what each can do, and how to manage custom roles and per-user permissions.
OmniValVMS uses role-based access control (RBAC). Every user has a role that determines what they can see and do, scoped to your client account and their assigned branches.
The core roles
| Role | Portal | What they do |
|---|---|---|
| Admin | Admin | Full access: user management, configuration, reports |
| Operations | Admin | Order management, vendor assignment, QC, support |
| Client User | Client | View orders, request appraisals, download reports |
| Finance | Admin | Payment processing, invoice review |
| QC Reviewer | Admin | Review appraisals, request revisions, approve/reject |
| Vendor | Vendor | Accept orders, upload reports, manage invoices |
A role grants capabilities, but data is still scoped: users only see the branches and sub-groups they're assigned to, and never another client's data. Authorization is enforced on every request — see Authentication & access.
Custom roles
Beyond the built-in roles, you can define custom roles for your client account and tune their permissions.
| Action | Endpoint |
|---|---|
| List roles | |
| Create a role | |
| Validate a role name | |
| Update a role | |
| Delete a role |
Managing permissions
Permissions can be assigned at the role level (everyone with the role) or overridden for an individual user.
Role-level permissions
| Action | Endpoint |
|---|---|
| List all available permissions | |
| Add a permission to a role | |
| Remove a permission from a role | |
| Reset a role's permissions |
Per-user overrides
| Action | Endpoint |
|---|---|
| Get a user's effective permissions | |
| Override a single user's permission | |
| Reset a user back to role defaults |
Grant the narrowest set of permissions that lets someone do their job. Financial actions (payments, invoices) and destructive actions (cancel, delete) should be limited to the roles that truly need them. Every privileged action is recorded in the audit trail.