Users & Roles
StockFlow has a role-based access control (RBAC) system. Each user is assigned one or more roles, and each role defines exactly what they can see and do.
Built-in roles
| Role | Description |
|---|---|
| Owner | Full access to everything. Can delete the account. Only one owner per account. |
| Admin | Full access to everything except deleting the account or changing billing. |
| Manager | Full access to all modules but cannot manage users, billing, or dangerous settings. |
| Sales Rep | Can create and manage sales orders and view clients. Cannot view cost prices, reports, or settings. |
| Warehouse Staff | Can manage inventory (add, adjust, transfer). Cannot create sales orders or view clients. |
| Purchasing | Can manage purchase orders, receive stock, and view supplier records. Read-only on sales. |
| Accountant | Read-only access to all financial data — invoices, reports, payments. Cannot create or modify records. |
| Read Only | Can view everything but cannot create, edit, or delete anything. |
Permission matrix
| Permission | Owner | Admin | Manager | Sales Rep | Warehouse | Purchasing | Accountant | Read Only |
|---|---|---|---|---|---|---|---|---|
| View Goods List | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Edit Goods List | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| View cost prices | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ | ❌ |
| Create sales orders | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| View all sales | ✅ | ✅ | ✅ | Own only | ❌ | ❌ | ✅ | ✅ |
| Add/adjust inventory | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ |
| Create purchase orders | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| View all clients | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ |
| Edit clients | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| View reports | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | ✅ |
| Manage settings | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Manage users | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Manage billing | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
Inviting a user
- Go to Settings → Users → + Invite User
- Enter their email address
- Select a role (or multiple roles — a user can have more than one)
- Optionally restrict them to specific warehouses — they can only see inventory and orders for those warehouses
- Click Send Invitation
The invited user receives an email with a setup link. The link expires after 72 hours. If they don’t use it, click Resend Invitation from the Users list.
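The rules above (the permission matrix, the "Own only" cell, a user holding several roles, and the optional warehouse restriction) can be modelled as a single deny-by-default check. The following is an added example written for this page, not StockFlow's own code: `MATRIX`, `User`, `Record`, `grant_level` and `can` are this example's own names, and it assumes that multiple roles combine as a union (the strongest grant wins), which the page does not state explicitly.

```python
from __future__ import annotations
from dataclasses import dataclass

# Grant levels. FULL = any record, OWN = only records the user created
# (the "Own only" cell in the matrix), NONE = no access.
FULL, OWN, NONE = "full", "own", "none"
RANK = {NONE: 0, OWN: 1, FULL: 2}

# Constructed subset of the permission matrix above; a role not listed
# under a permission has no access to it.
MATRIX = {
    "create_sales_order": {"Owner": FULL, "Admin": FULL, "Manager": FULL,
                           "Sales Rep": FULL},
    "view_all_sales": {"Owner": FULL, "Admin": FULL, "Manager": FULL,
                       "Sales Rep": OWN, "Accountant": FULL, "Read Only": FULL},
    "adjust_inventory": {"Owner": FULL, "Admin": FULL, "Manager": FULL,
                         "Warehouse": FULL, "Purchasing": FULL},
    "manage_billing": {"Owner": FULL},
}

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset[str]
    warehouses: frozenset[str] | None = None  # None = not restricted

@dataclass(frozen=True)
class Record:
    created_by: str
    warehouse: str | None = None  # None = record not tied to a warehouse

def grant_level(user: User, permission: str) -> str:
    """Assumption: several roles combine as a union; the strongest grant wins."""
    levels = (MATRIX.get(permission, {}).get(role, NONE) for role in user.roles)
    return max(levels, key=RANK.__getitem__, default=NONE)

def can(user: User, permission: str, record: Record | None = None) -> bool:
    """Deny unless a role grants the permission and every scope check passes."""
    level = grant_level(user, permission)
    if level == NONE:
        return False
    if level == OWN and (record is None or record.created_by != user.name):
        return False  # "Own only": a record is required and it must be theirs
    # Warehouse restriction is applied on top of the role grant.
    if (record is not None and record.warehouse is not None
            and user.warehouses is not None):
        return record.warehouse in user.warehouses
    return True
```

Note that the warehouse restriction only narrows access; it never grants anything a role did not already allow.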
Creating custom roles
If the built-in roles don’t match your needs, create a custom role:
- Go to Settings → Users → Roles → + New Role
- Enter a role name
- For each permission group, choose: Full access, Read only, or No access
- Click Save Role
Custom roles appear alongside built-in roles when inviting users.
Managing existing users
Changing a user’s role
- Go to Settings → Users
- Click the user’s name
- Change the Role dropdown
- Click Save
The change takes effect on their next page load.
Suspending a user
- Click the user’s name → Suspend
- The user is immediately logged out and cannot log in
- Their records (orders, notes, adjustments) are preserved
Suspended users count against your plan’s user limit. To free up the seat, deactivate them.
Deactivating a user
Deactivated users:
- Cannot log in
- Are removed from assignable dropdowns (but their historical records remain attributed to them)
- Do not count against your user limit
To deactivate: click the user → Deactivate.
Two-factor authentication (2FA)
For individual users
- Go to Profile → Security → Enable 2FA
- Scan the QR code with an authenticator app (Google Authenticator, Authy, 1Password)
- Enter the 6-digit code to confirm
- Save the backup codes somewhere safe
Enforcing 2FA for all users
Admins can make 2FA mandatory:
- Go to Settings → Security → Require 2FA
- Toggle ON
- Set a grace period (e.g. 7 days for existing users to enrol)
After the grace period, users without 2FA enabled are blocked until they complete enrolment.
Single Sign-On (SSO)
Enterprise plan only. Configure SSO via Settings → Security → SSO. Supported providers: Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, and any SAML 2.0-compatible IdP.
When SSO is enforced, local username/password login is disabled for all users.