03-users-roles-permissions

Updated on April 21, 2026

Users, Roles & Permissions controls who can log into Bizuno and what they can do once they’re in. Get roles right early — they’re the foundation for honest audit trails, separation of duties, and not giving the new hire accidental access to the checkbook.

[Image: the Users list with active users and assigned roles.]

How to get there

Menu: Admin → Users  |  Admin → Roles
Direct URL patterns:
https://yourdomain.com/?bizRt=bizuno/admin/users
https://yourdomain.com/?bizRt=bizuno/admin/roles

How the model works

  • A User is a login — one per person.
  • Each user is assigned one Role (occasionally two, if the system allows layering).
  • The role defines a bundle of Permissions, broken down by module and action (view / add / edit / delete).
  • Some shops also use Groups (departments) for reporting and optional permission layering.

Default roles that ship with Bizuno

Role                  Typical access
Administrator         Everything, including Admin screens and deletions.
Manager               Most modules, no Admin. Can close periods, approve CAPAs.
Bookkeeper            Banking, GL, A/R, A/P, Reports. No inventory edits.
Sales                 Customers, Quotes, Orders, Invoices. No cost visibility.
Service Advisor       Customers, Service intake, Invoices. No vendor data.
Mechanic              Service work orders, inventory lookups. No financials.
View-Only / Auditor   Read-only across everything.

Customize these to match your shop; don’t feel obliged to use them as-is.

Creating a user

  1. Admin → Users → New User.
  2. Enter:
    • Username (typically the person’s email or first.last).
    • Full Name.
    • Email.
    • Role.
    • Temporary Password — Bizuno emails an invitation; user sets their own password on first login.
    • Active: on.
  3. Save. The user receives a welcome email with login link.

Creating / editing a role

  1. Admin → Roles → New Role (or copy an existing one).
  2. Name the role (“Service Advisor”, “Bookkeeper”).
  3. Check the permissions tree — each module has view / add / edit / delete checkboxes at the screen level.
  4. Save.
  5. Assign the role to users on the Users screen.

Principle of least privilege

The single biggest favor you can do future-you: give each user the smallest set of permissions they need to do their job. A sales associate doesn’t need to edit inventory costs. A mechanic doesn’t need to see the P&L. Expand when there’s a clear need; don’t start wide and trim later.

Important: Permissions around Delete, Void, Post Journal Entry, and Close Period should be restricted to one or two people. The ability to delete or alter posted transactions is how small-shop fraud happens. Make these admin-only or manager-only and require a second pair of eyes on material adjustments.

Separation of duties

In a shop of one or two, you can’t fully separate duties — but aim for these splits where possible:

  • Whoever writes checks shouldn’t also reconcile the bank.
  • Whoever enters bills shouldn’t also approve payment runs.
  • Whoever takes cash at the register shouldn’t also deposit.
  • Admin access should be separate from daily operational access for the same person where possible (use two accounts: your daily “Manager” account and a separate “Admin” account used only when you need admin).
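A small model of the user / role / permission scheme described above, with two review checks: the least-privilege rule that Delete, Void, Post Journal Entry and Close Period sit with at most two people, and the separation-of-duties splits in this section. This is an added example, not Bizuno's own code; the module and action names and the sample shop are assumptions.

```python
from dataclasses import dataclass
# Permissions the page says to restrict to one or two people, as (module, action);
# "*" is a wildcard. Module/action names are assumptions, not Bizuno's identifiers.
SENSITIVE = {("*", "delete"), ("ar", "void"), ("gl", "post_journal"), ("gl", "close_period")}
# The separation-of-duties splits listed above, as pairs no one person should hold.
SOD_PAIRS = [
    (("banking", "write_check"), ("banking", "reconcile")),
    (("ap", "enter_bill"), ("ap", "approve_payment")),
    (("pos", "take_cash"), ("banking", "deposit")),
]

@dataclass
class User:
    name: str
    roles: list          # each role is a set of (module, action); one, occasionally two
    active: bool = True

    def effective(self):
        """Union of the role bundles: what the permissions tree actually grants."""
        return set().union(*self.roles)

def has(perms, p):
    """True if p is granted directly or via an action, module or global wildcard."""
    module, action = p
    return any(q in perms for q in (p, ("*", action), (module, "*"), ("*", "*")))

def sod_conflicts(users):
    """(user, perm_a, perm_b) for every active user holding both sides of a SoD pair."""
    found = []
    for u in (u for u in users if u.active):   # disabled leavers drop out of the review
        eff = u.effective()
        found += [(u.name, a, b) for a, b in SOD_PAIRS if has(eff, a) and has(eff, b)]
    return found

def overexposed(users, max_holders=2):
    """Sensitive permissions held by more active users than the guidance allows."""
    holders = {p: [u.name for u in users if u.active and has(u.effective(), p)] for p in SENSITIVE}
    return {p: names for p, names in holders.items() if len(names) > max_holders}

# Constructed sample shop: one admin, two bookkeepers, a manager, one disabled ex-employee.
ADMIN = {("*", "*")}
BOOKKEEPER = {("banking", "write_check"), ("banking", "reconcile"),
              ("ap", "enter_bill"), ("gl", "post_journal")}
MANAGER = {("gl", "close_period"), ("ap", "approve_payment"), ("banking", "deposit")}
USERS = [User("owner", [ADMIN]), User("pat", [BOOKKEEPER]), User("kim", [BOOKKEEPER]),
         User("lee", [MANAGER]), User("former", [BOOKKEEPER], active=False)]

if __name__ == "__main__":
    print(sod_conflicts(USERS))   # owner (all three pairs), pat and kim (checks + reconcile)
    print(overexposed(USERS))     # gl/post_journal held by owner, pat and kim
```

Run it against an export of your real roles to see which of the splits above a single-person shop is actually breaking, and which sensitive permissions have quietly spread beyond two holders.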

Password policy

Under Admin → Settings → Security:

  • Minimum length — 12+ recommended.
  • Complexity — letters, numbers, symbols.
  • Expiration — 90 days is common; many security experts recommend no expiration combined with mandatory 2FA.
  • Lockout — after N failed attempts.
  • Password history — prevent reuse of last N passwords.

Two-factor authentication

Turn on 2FA at the role level (required for Admin and Bookkeeper, at minimum). Supported methods vary by Bizuno release — typically TOTP (Google Authenticator, Authy) and/or email-code.

Sessions & audit

  • Session timeout — auto-logout after N minutes of inactivity. 30–60 minutes for a shop environment is reasonable.
  • Active sessions visible on the user record; admins can force-logout a user.
  • Audit log records login success/failure, permission changes, and admin-significant edits by user.

When someone leaves

  1. Immediately disable (not delete) the user account. Disabling preserves the audit trail; deleting orphans it.
  2. Change any shared passwords the person knew (payment gateway, hosting).
  3. Revoke 2FA tokens / recovery codes.
  4. Reassign in-progress records (open quotes with them as salesperson, open CAPAs, etc.).
  5. Remove any email forwarding rules they set up.
  6. Log the off-boarding in the audit log with a note.

Tips for Ridgeline Cycles

  • One login per person. Even the owner’s spouse helping on Saturdays should have their own account, not a shared one.
  • Name roles after actual jobs at your shop, not abstract ERP concepts. “Service Advisor” beats “Tier 2 Clerk.”
  • Run a user review quarterly — delete disabled accounts older than 12 months, confirm current users still need the access they have.
  • Enable 2FA for your own admin account today. It’s a 90-second setup and eliminates the #1 security risk.

Where to go next

  • Modules & Extensions — only modules that are enabled appear in the permissions tree.
  • Admin Dashboard → Audit Log — review user actions.
  • Admin → Settings → Security — password policy and 2FA enforcement.