System role catalog and permission grants. Read-only in v1 — roles and permissions are managed by platform migrations.
Platform-wide roles that apply across every tenant. Granted via the operator console.
admin - Full operator access except user-management (team:*), tenant_settings:write, and integrations:write.

admin_users:deactivate - Deactivate or reactivate a platform-global admin user across all of their tenant memberships and revoke their live sessions on deactivate. Operator-plane staff management at /operator/admins.
analytics:cohort_create - Define a reusable customer cohort for segmented reporting.
analytics:dashboard_read - View the tenant analytics dashboard — funnel metrics, conversion rates, and KPI cards.
analytics:portfolio_export - Export the operator-console cross-tenant portfolio analytics data as CSV (one file per KPI).
analytics:portfolio_read - View the operator-console cross-tenant portfolio analytics dashboard — portfolio GMV, MRR, AOV, refund rate, churn, top SKUs, and operational exceptions.
analytics:report_export - Export a date-ranged analytics report as CSV.
audit_log:export - Bulk-export audit log to CSV. Compliance-sensitive; tenant_owner + operator admin/owner only.
audit_log:read - View the tenant's audit log entries.
billing:credit_apply - Apply a platform-issued credit to a tenant's account. Operator-only.
billing:invoice_read - View and download historical invoices.
billing:payment_method_write - Add, replace, or remove a payment method on file.
billing:plan_change - Upgrade or downgrade the tenant's Orchard plan via Stripe.
billing:read - View billing status, current plan, upcoming charges, and payment method.
compliance:export - Generate a CSV export of cross-tenant GDPR deletion requests for regulatory audit submission. Operator owner + admin only; route-level TOTP gate (WP-v2-30).
compliance:read - View the cross-tenant GDPR audit dashboard: deletion-request queue, SLA indicators, consent log. Operator owner + admin only (WP-v2-30).
customers:export - Bulk-export customer list to CSV. Compliance-sensitive; tenant_owner + operator admin/owner only.
customers:impersonate - Begin a customer-session impersonation as a tenant admin. Requires TOTP; non-dismissible banner; 1h auto-expiry.
customers:read - View individual customer profiles and order history.
customers:write - Edit customer profile fields (contact info, notes, subscription status).
dashboard:read - View the tenant dashboard home / overview metrics.
data_export:customer_self_request_read - View and respond to customer data subject access requests (GDPR/CCPA). Enforced via customer JWT in the storefront, not platform.role_permissions.
data_export:tenant_export_create - Generate a full or partial export of tenant data (orders, customers, products, audit).
fulfillment_locations:read - View warehouse and fulfillment location configuration. Support-readable for triage.
fulfillment_locations:write - Create, edit, or deactivate fulfillment locations. Admin and above.
impersonation:audit_read - View the history of impersonation sessions across all tenants.
impersonation:end - End an active impersonation session and return to the operator console.
impersonation:start - Begin impersonating a tenant admin. Requires TOTP per the 2026-05-07 explicit-only ADR.
integrations:read - View which integrations are configured (Stripe, Resend, Mailchimp, etc.) and their health status. Credential material is never returned.
inventory:read - View inventory levels per variant + restock history.
inventory:write - Adjust inventory counts via the adjust_inventory stored procedure.
leads:read - View newsletter signups, waitlist entries, and other lead-gen captures.
leads:write - Edit lead metadata, move between lists, or mark contacted.
orders:cancel - Cancel an unfulfilled order; triggers Stripe refund when appropriate.
orders:fulfill - Mark an order shipped: assign tracking number, push to fulfillment provider.
orders:read - View orders, order line items, and order notes.
orders:refund - Issue a full or partial refund through the tenant's Stripe account.
orders:write - Edit shipping/billing address, add internal notes, adjust tax/discount at manager discretion.
package_presets:read - View package dimension presets used for shipping rate calculation. Support-readable for triage.
package_presets:write - Create, edit, or delete package dimension presets. Admin and above.
partners:payouts - View partner payout records and initiate Stripe Connect transfers (or manual off-platform payouts) for accrued affiliate / wholesale commission. Destructive money movement — requires TOTP re-auth. Mirrors practitioners:payouts.
practitioners:approve - Approve or reject inbound practitioner-program inquiries and flip practitioner status (pending to active). Split from practitioners:write.
practitioners:delete - Permanently delete a practitioner record. On the destructive-action list per CLAUDE.md 2.2 — requires fresh password re-auth at call time.
practitioners:payouts - View practitioner payout records and initiate Stripe transfers for accrued commission. Destructive money movement — requires TOTP re-auth.
practitioners:read - List and view practitioner records and inbound practitioner-program inquiries. Read-only — does not create, approve, suspend, pay out, or delete.
practitioners:write - Create practitioner records, edit profile fields, suspend, and issue referral codes. Does NOT approve pending inquiries or delete records.
products:archive - Soft-delete a product — hidden from storefront, recoverable. No TOTP required.
products:delete - Hard-delete a product. Soft-delete (archive) is products:write. Rarely granted; typically tenant_owner only.
products:publish - Toggle a product between draft and published visibility on the storefront.
products:read - View product catalog and individual product detail pages.
products:write - Create, edit, or archive products (title, copy, pricing, variants).
promos:read - View active and expired promo codes.
promos:write - Create, edit, archive, or deactivate promo codes.
referral:read - Read referral codes and referral conversions for the tenant. Backs the admin /admin/referrals panel.
referral:write - Create and deactivate referral codes and mark referral conversions as rewarded. Non-destructive growth-admin actions.
returns:process - Issue a Stripe refund (or store credit) against a received return. Destructive money-movement — requires TOTP re-auth within 5 min.
returns:read - View return requests and their status in the admin returns panel. Read-only — does not approve, deny, or process refunds.
returns:write - Approve a return request (kicks off shipping-label leg), deny with reason, or mark as physically received. Does NOT issue refund.
reviews:publish - Approve a pending review for public display on the storefront.
reviews:read - View customer product reviews (pending + published).
reviews:write - Reply to, edit, or flag reviews for moderation.
roles:read - View the role catalog: the system roles and the tenant-authored custom roles with their grant sets.
roles:write - Create, edit, and delete the tenant's custom roles from the tenant-visible grant matrix.
subscription:cancel - Immediately cancel a subscription (admin-only force-cancel; bypasses cancel_at_period_end). Distinct from subscription:write so destructive-class permission grants stay narrow per the Z-88 owner-resolution pattern.
subscription:list_cross_tenant - Cross-tenant subscription list and drill-down in the operator console (Z-111). Uses orchard_operator role; bypasses RLS. Writes subscription.viewed_cross_tenant audit row on detail access.
subscription:read - Read subscription rows for the tenant. Backs the admin subscription list and per-customer subscription panels.
subscription:write - Modify subscription configuration (subscription_configs), apply discounts, override next billing date. Non-destructive lifecycle actions (pause, resume, cancel-at-period-end) also gate on this key.
tenant_settings:read - View tenant configuration (brand, domain, contact info, etc.).
tenants:archive - Archive a tenant — storefront goes offline, billing continues. Requires TOTP re-auth.
tenants:create - Provision a new tenant (slug, owner email, plan).
tenants:list - View the cross-tenant tenant list with status, plan, and creation date.
tenants:read - View a tenant's full profile, settings, and lifecycle state.
tenants:settings_write - Edit platform-level tenant settings (plan, entitlements, domain assignments).
webhook:read - View webhook endpoints and delivery history for the current tenant (WP-v2-18).
wholesale:assign - Assign or remove a customer's wholesale tier from the customer-detail page. Split from wholesale:write so support staff can re-tag customers without being able to mutate the catalog.
wholesale:read - List wholesale tier definitions and inspect per-customer tier assignments. Required for the /admin/wholesale/tiers page and the customer-detail wholesale panel.
wholesale:write - Create, edit, or delete wholesale tier definitions. Tier delete blocks when any customer is still assigned to the tier.

owner - Orchard platform super-admin. Bypasses every permission check. Intended for the Orchard team lead(s).
admin_users:deactivate - Deactivate or reactivate a platform-global admin user across all of their tenant memberships and revoke their live sessions on deactivate. Operator-plane staff management at /operator/admins.
analytics:cohort_create - Define a reusable customer cohort for segmented reporting.
analytics:dashboard_read - View the tenant analytics dashboard — funnel metrics, conversion rates, and KPI cards.
analytics:portfolio_export - Export the operator-console cross-tenant portfolio analytics data as CSV (one file per KPI).
analytics:portfolio_read - View the operator-console cross-tenant portfolio analytics dashboard — portfolio GMV, MRR, AOV, refund rate, churn, top SKUs, and operational exceptions.
analytics:report_export - Export a date-ranged analytics report as CSV.

support - Read-only on every resource with the exception of orders:write for auditable support-fixes. No exports, no destructive actions.

analytics:dashboard_read - View the tenant analytics dashboard — funnel metrics, conversion rates, and KPI cards.
analytics:portfolio_read - View the operator-console cross-tenant portfolio analytics dashboard — portfolio GMV, MRR, AOV, refund rate, churn, top SKUs, and operational exceptions.
audit_log:read - View the tenant's audit log entries.
billing:invoice_read - View and download historical invoices.
billing:read - View billing status, current plan, upcoming charges, and payment method.
customers:read - View individual customer profiles and order history.

Per-tenant roles granted on the admin_user_tenants membership row. tenant_staff narrows further via the scopes[] array (marketing / operations).
tenant_admin - Day-to-day store manager. Everything tenant_owner can do except team:*, tenant_settings:write, and integrations:write.

analytics:cohort_create - Define a reusable customer cohort for segmented reporting.
analytics:dashboard_read - View the tenant analytics dashboard — funnel metrics, conversion rates, and KPI cards.
analytics:report_export - Export a date-ranged analytics report as CSV.
audit_log:export - Bulk-export audit log to CSV. Compliance-sensitive; tenant_owner + operator admin/owner only.
audit_log:read - View the tenant's audit log entries.

Roles you create for this store, composed from the tenant-visible permissions. Assign them to team members from the Team page.
audit_log:export - Bulk-export audit log to CSV. Compliance-sensitive; tenant_owner + operator admin/owner only.
audit_log:read - View the tenant's audit log entries.
billing:credit_apply - Apply a platform-issued credit to a tenant's account. Operator-only.
billing:invoice_read - View and download historical invoices.
billing:payment_method_write - Add, replace, or remove a payment method on file.
billing:plan_change - Upgrade or downgrade the tenant's Orchard plan via Stripe.
billing:read - View billing status, current plan, upcoming charges, and payment method.
compliance:export - Generate a CSV export of cross-tenant GDPR deletion requests for regulatory audit submission. Operator owner + admin only; route-level TOTP gate (WP-v2-30).
compliance:read - View the cross-tenant GDPR audit dashboard: deletion-request queue, SLA indicators, consent log. Operator owner + admin only (WP-v2-30).
customers:export - Bulk-export customer list to CSV. Compliance-sensitive; tenant_owner + operator admin/owner only.
customers:gdpr_delete - Permanently erase a customer record under GDPR/CCPA right-to-erasure. Irreversible; requires TOTP re-auth. Tenant-owner only.
customers:impersonate - Begin a customer-session impersonation as a tenant admin. Requires TOTP; non-dismissible banner; 1h auto-expiry.
customers:read - View individual customer profiles and order history.
customers:write - Edit customer profile fields (contact info, notes, subscription status).
dashboard:read - View the tenant dashboard home / overview metrics.
data_export:customer_self_request_read - View and respond to customer data subject access requests (GDPR/CCPA). Enforced via customer JWT in the storefront, not platform.role_permissions.
data_export:platform_export_create - Generate a cross-tenant platform export. Operator-only; requires TOTP per principle of least privilege.
data_export:tenant_export_create - Generate a full or partial export of tenant data (orders, customers, products, audit).
fulfillment_locations:read - View warehouse and fulfillment location configuration. Support-readable for triage.
fulfillment_locations:write - Create, edit, or deactivate fulfillment locations. Admin and above.
impersonation:audit_read - View the history of impersonation sessions across all tenants.
impersonation:end - End an active impersonation session and return to the operator console.
impersonation:escalate - Upgrade an active read-only impersonation session to write access.
impersonation:start - Begin impersonating a tenant admin. Requires TOTP per the 2026-05-07 explicit-only ADR.
integrations:read - View which integrations are configured (Stripe, Resend, Mailchimp, etc.) and their health status. Credential material is never returned.
integrations:write - Configure or rotate integration credentials. Invokes the credential vault; requires re-auth per PLATFORM-SECURITY §2.1.
inventory:read - View inventory levels per variant + restock history.
inventory:write - Adjust inventory counts via the adjust_inventory stored procedure.
leads:read - View newsletter signups, waitlist entries, and other lead-gen captures.
leads:write - Edit lead metadata, move between lists, or mark contacted.
orders:cancel - Cancel an unfulfilled order; triggers Stripe refund when appropriate.
orders:fulfill - Mark an order shipped: assign tracking number, push to fulfillment provider.
orders:read - View orders, order line items, and order notes.
orders:refund - Issue a full or partial refund through the tenant's Stripe account.
orders:write - Edit shipping/billing address, add internal notes, adjust tax/discount at manager discretion.
package_presets:read - View package dimension presets used for shipping rate calculation. Support-readable for triage.
package_presets:write - Create, edit, or delete package dimension presets. Admin and above.
partners:payouts - View partner payout records and initiate Stripe Connect transfers (or manual off-platform payouts) for accrued affiliate / wholesale commission. Destructive money movement — requires TOTP re-auth. Mirrors practitioners:payouts.
platform_settings:read - Read operator-level platform config: plan entitlement matrix, tenant-specific entitlement overrides, resolved per-tenant entitlement map.
platform_settings:write - Mutate operator-level platform config: create, update, and remove per-tenant entitlement overrides (grant / revoke / adjust_limit).
practitioners:approve - Approve or reject inbound practitioner-program inquiries and flip practitioner status (pending to active). Split from practitioners:write.
practitioners:delete - Permanently delete a practitioner record. On the destructive-action list per CLAUDE.md 2.2 — requires fresh password re-auth at call time.
practitioners:payouts - View practitioner payout records and initiate Stripe transfers for accrued commission. Destructive money movement — requires TOTP re-auth.
practitioners:read - List and view practitioner records and inbound practitioner-program inquiries. Read-only — does not create, approve, suspend, pay out, or delete.
practitioners:write - Create practitioner records, edit profile fields, suspend, and issue referral codes. Does NOT approve pending inquiries or delete records.
products:archive - Soft-delete a product — hidden from storefront, recoverable. No TOTP required.
products:delete - Hard-delete a product. Soft-delete (archive) is products:write. Rarely granted; typically tenant_owner only.
products:publish - Toggle a product between draft and published visibility on the storefront.
products:read - View product catalog and individual product detail pages.
products:write - Create, edit, or archive products (title, copy, pricing, variants).
promos:read - View active and expired promo codes.
promos:write - Create, edit, archive, or deactivate promo codes.
push:compose - Compose and send Web Push notifications to one customer or every subscribed customer of the current tenant (WP-v2-32 T4 / Z-370). High-impact: every successful send writes a warning-tier audit row.
quizzes:write - Manage tenant quiz definitions and published versions.
referral:read - Read referral codes and referral conversions for the tenant. Backs the admin /admin/referrals panel.
referral:write - Create and deactivate referral codes and mark referral conversions as rewarded. Non-destructive growth-admin actions.
returns:process - Issue a Stripe refund (or store credit) against a received return. Destructive money-movement — requires TOTP re-auth within 5 min.
returns:read - View return requests and their status in the admin returns panel. Read-only — does not approve, deny, or process refunds.
returns:write - Approve a return request (kicks off shipping-label leg), deny with reason, or mark as physically received. Does NOT issue refund.
reviews:publish - Approve a pending review for public display on the storefront.
reviews:read - View customer product reviews (pending + published).
reviews:write - Reply to, edit, or flag reviews for moderation.
roles:read - View the role catalog: the system roles and the tenant-authored custom roles with their grant sets.
roles:write - Create, edit, and delete the tenant's custom roles from the tenant-visible grant matrix.
storefront_pages:write - Manage per-tenant storefront page enablement, slugs, SEO, and navigation order.
subscription:cancel - Immediately cancel a subscription (admin-only force-cancel; bypasses cancel_at_period_end). Distinct from subscription:write so destructive-class permission grants stay narrow per the Z-88 owner-resolution pattern.
subscription:list_cross_tenant - Cross-tenant subscription list and drill-down in the operator console (Z-111). Uses orchard_operator role; bypasses RLS. Writes subscription.viewed_cross_tenant audit row on detail access.
subscription:read - Read subscription rows for the tenant. Backs the admin subscription list and per-customer subscription panels.
subscription:write - Modify subscription configuration (subscription_configs), apply discounts, override next billing date. Non-destructive lifecycle actions (pause, resume, cancel-at-period-end) also gate on this key.
team:invite - Invite a new admin to the tenant (creates pending admin_user_tenants row).
team:read - View the list of admin users with access to the tenant.
team:revoke - Remove an admin's access to the tenant (deletes admin_user_tenants row).
tenant_settings:read - View tenant configuration (brand, domain, contact info, etc.).
tenant_settings:write - Modify tenant configuration. Tenant-owner only in v1; operator admin cannot.
tenants:archive - Archive a tenant — storefront goes offline, billing continues. Requires TOTP re-auth.
tenants:create - Provision a new tenant (slug, owner email, plan).
tenants:hard_delete - Permanently delete a tenant and all its data. Irreversible. Requires TOTP re-auth.
tenants:list - View the cross-tenant tenant list with status, plan, and creation date.
tenants:read - View a tenant's full profile, settings, and lifecycle state.
tenants:settings_write - Edit platform-level tenant settings (plan, entitlements, domain assignments).
webhook:read - View webhook endpoints and delivery history for the current tenant (WP-v2-18).
webhook:write - Create, edit, disable, and regenerate the signing secret for webhook endpoints (WP-v2-18). Includes test-delivery + manual-retry.
wholesale:assign - Assign or remove a customer's wholesale tier from the customer-detail page. Split from wholesale:write so support staff can re-tag customers without being able to mutate the catalog.
wholesale:read - List wholesale tier definitions and inspect per-customer tier assignments. Required for the /admin/wholesale/tiers page and the customer-detail wholesale panel.
wholesale:write - Create, edit, or delete wholesale tier definitions. Tier delete blocks when any customer is still assigned to the tier.

dashboard:read - View the tenant dashboard home / overview metrics.
data_export:customer_self_request_read - View and respond to customer data subject access requests (GDPR/CCPA). Enforced via customer JWT in the storefront, not platform.role_permissions.
fulfillment_locations:read - View warehouse and fulfillment location configuration. Support-readable for triage.
impersonation:audit_read - View the history of impersonation sessions across all tenants.
impersonation:end - End an active impersonation session and return to the operator console.
integrations:read - View which integrations are configured (Stripe, Resend, Mailchimp, etc.) and their health status. Credential material is never returned.
inventory:read - View inventory levels per variant + restock history.
leads:read - View newsletter signups, waitlist entries, and other lead-gen captures.
orders:read - View orders, order line items, and order notes.
orders:write - Edit shipping/billing address, add internal notes, adjust tax/discount at manager discretion.
package_presets:read - View package dimension presets used for shipping rate calculation. Support-readable for triage.
practitioners:read - List and view practitioner records and inbound practitioner-program inquiries. Read-only — does not create, approve, suspend, pay out, or delete.
products:read - View product catalog and individual product detail pages.
promos:read - View active and expired promo codes.
referral:read - Read referral codes and referral conversions for the tenant. Backs the admin /admin/referrals panel.
returns:read - View return requests and their status in the admin returns panel. Read-only — does not approve, deny, or process refunds.
reviews:read - View customer product reviews (pending + published).
roles:read - View the role catalog: the system roles and the tenant-authored custom roles with their grant sets.
subscription:read - Read subscription rows for the tenant. Backs the admin subscription list and per-customer subscription panels.
team:read - View the list of admin users with access to the tenant.
tenant_settings:read - View tenant configuration (brand, domain, contact info, etc.).
tenants:list - View the cross-tenant tenant list with status, plan, and creation date.
tenants:read - View a tenant's full profile, settings, and lifecycle state.
wholesale:read - List wholesale tier definitions and inspect per-customer tier assignments. Required for the /admin/wholesale/tiers page and the customer-detail wholesale panel.

billing:invoice_read - View and download historical invoices.
billing:read - View billing status, current plan, upcoming charges, and payment method.
customers:export - Bulk-export customer list to CSV. Compliance-sensitive; tenant_owner + operator admin/owner only.
customers:impersonate - Begin a customer-session impersonation as a tenant admin. Requires TOTP; non-dismissible banner; 1h auto-expiry.
customers:read - View individual customer profiles and order history.
customers:write - Edit customer profile fields (contact info, notes, subscription status).
dashboard:manage_templates - Create and edit role-default dashboard templates that seed every operator in a role.
dashboard:query_advanced - Use advanced / custom-query dashboard widgets (Tier 3 power-user widgets).
dashboard:read - View the tenant dashboard home / overview metrics.
dashboard:share - Share a dashboard with other operators in the store (view or edit) and manage who it is shared with.
data_export:customer_self_request_read - View and respond to customer data subject access requests (GDPR/CCPA). Enforced via customer JWT in the storefront, not platform.role_permissions.
fulfillment_locations:read - View warehouse and fulfillment location configuration. Support-readable for triage.
fulfillment_locations:write - Create, edit, or deactivate fulfillment locations. Admin and above.
integrations:read - View which integrations are configured (Stripe, Resend, Mailchimp, etc.) and their health status. Credential material is never returned.
inventory:read - View inventory levels per variant + restock history.
inventory:write - Adjust inventory counts via the adjust_inventory stored procedure.
leads:read - View newsletter signups, waitlist entries, and other lead-gen captures.
leads:write - Edit lead metadata, move between lists, or mark contacted.
orders:cancel - Cancel an unfulfilled order; triggers Stripe refund when appropriate.
orders:fulfill - Mark an order shipped: assign tracking number, push to fulfillment provider.
orders:read - View orders, order line items, and order notes.
orders:refund - Issue a full or partial refund through the tenant's Stripe account.
orders:write - Edit shipping/billing address, add internal notes, adjust tax/discount at manager discretion.
package_presets:read - View package dimension presets used for shipping rate calculation. Support-readable for triage.
package_presets:write - Create, edit, or delete package dimension presets. Admin and above.
partners:payouts - View partner payout records and initiate Stripe Connect transfers (or manual off-platform payouts) for accrued affiliate / wholesale commission. Destructive money movement — requires TOTP re-auth. Mirrors practitioners:payouts.
practitioners:approve - Approve or reject inbound practitioner-program inquiries and flip practitioner status (pending to active). Split from practitioners:write.
practitioners:delete - Permanently delete a practitioner record. On the destructive-action list per CLAUDE.md 2.2 — requires fresh password re-auth at call time.
practitioners:payouts - View practitioner payout records and initiate Stripe transfers for accrued commission. Destructive money movement — requires TOTP re-auth.
practitioners:read - List and view practitioner records and inbound practitioner-program inquiries. Read-only — does not create, approve, suspend, pay out, or delete.
practitioners:write - Create practitioner records, edit profile fields, suspend, and issue referral codes. Does NOT approve pending inquiries or delete records.
products:archive - Soft-delete a product — hidden from storefront, recoverable. No TOTP required.
products:delete - Hard-delete a product. Soft-delete (archive) is products:write. Rarely granted; typically tenant_owner only.
products:publish - Toggle a product between draft and published visibility on the storefront.
products:read - View product catalog and individual product detail pages.
products:write - Create, edit, or archive products (title, copy, pricing, variants).
promos:read - View active and expired promo codes.
promos:write - Create, edit, archive, or deactivate promo codes.
referral:read - Read referral codes and referral conversions for the tenant. Backs the admin /admin/referrals panel.
referral:write - Create and deactivate referral codes and mark referral conversions as rewarded. Non-destructive growth-admin actions.
returns:process - Issue a Stripe refund (or store credit) against a received return. Destructive money-movement — requires TOTP re-auth within 5 min.
returns:read - View return requests and their status in the admin returns panel. Read-only — does not approve, deny, or process refunds.
returns:write - Approve a return request (kicks off shipping-label leg), deny with reason, or mark as physically received. Does NOT issue refund.
reviews:publish - Approve a pending review for public display on the storefront.
reviews:read - View customer product reviews (pending + published).
reviews:write - Reply to, edit, or flag reviews for moderation.
roles:read - View the role catalog: the system roles and the tenant-authored custom roles with their grant sets.
subscription:read - Read subscription rows for the tenant. Backs the admin subscription list and per-customer subscription panels.
subscription:write - Modify subscription configuration (subscription_configs), apply discounts, override next billing date. Non-destructive lifecycle actions (pause, resume, cancel-at-period-end) also gate on this key.
tenant_settings:read - View tenant configuration (brand, domain, contact info, etc.).
webhook:read - View webhook endpoints and delivery history for the current tenant (WP-v2-18).
webhook:write - Create, edit, disable, and regenerate the signing secret for webhook endpoints (WP-v2-18). Includes test-delivery + manual-retry.
wholesale:assign - Assign or remove a customer's wholesale tier from the customer-detail page. Split from wholesale:write so support staff can re-tag customers without being able to mutate the catalog.
wholesale:read - List wholesale tier definitions and inspect per-customer tier assignments. Required for the /admin/wholesale/tiers page and the customer-detail wholesale panel.
wholesale:write - Create, edit, or delete wholesale tier definitions. Tier delete blocks when any customer is still assigned to the tier.

tenant_owner - Full access within a tenant. Only tenant role that can manage integration credentials, invite/revoke team, or change tenant settings.
analytics:cohort_create - Define a reusable customer cohort for segmented reporting.
analytics:dashboard_read - View the tenant analytics dashboard — funnel metrics, conversion rates, and KPI cards.
analytics:report_export - Export a date-ranged analytics report as CSV.
audit_log:export - Bulk-export audit log to CSV. Compliance-sensitive; tenant_owner + operator admin/owner only.
audit_log:read - View the tenant's audit log entries.
billing:invoice_read - View and download historical invoices.

tenant_staff - Scoped staff role. Permission set narrowed by the scopes array on the membership row (marketing / operations / both).
Apply only when the membership row's scopes[] array contains the gate.

analytics:dashboard_read (scope: operations)
analytics:dashboard_read (scope: marketing)
audit_log:read (scope: operations)
customers:read (scope: operations)
customers:write (scope: operations)

billing:payment_method_write - Add, replace, or remove a payment method on file.
billing:plan_change - Upgrade or downgrade the tenant's Orchard plan via Stripe.
billing:read - View billing status, current plan, upcoming charges, and payment method.
customers:export - Bulk-export customer list to CSV. Compliance-sensitive; tenant_owner + operator admin/owner only.
customers:gdpr_delete - Permanently erase a customer record under GDPR/CCPA right-to-erasure. Irreversible; requires TOTP re-auth. Tenant-owner only.
customers:impersonate - Begin a customer-session impersonation as a tenant admin. Requires TOTP; non-dismissible banner; 1h auto-expiry.
customers:read - View individual customer profiles and order history.
customers:write - Edit customer profile fields (contact info, notes, subscription status).
dashboard:manage_templates - Create and edit role-default dashboard templates that seed every operator in a role.
dashboard:query_advanced - Use advanced / custom-query dashboard widgets (Tier 3 power-user widgets).
dashboard:read - View the tenant dashboard home / overview metrics.
dashboard:share - Share a dashboard with other operators in the store (view or edit) and manage who it is shared with.
data_export:customer_self_request_read - View and respond to customer data subject access requests (GDPR/CCPA). Enforced via customer JWT in the storefront, not platform.role_permissions.
data_export:tenant_export_create - Generate a full or partial export of tenant data (orders, customers, products, audit).
fulfillment_locations:read - View warehouse and fulfillment location configuration. Support-readable for triage.
fulfillment_locations:write - Create, edit, or deactivate fulfillment locations. Admin and above.
integrations:read - View which integrations are configured (Stripe, Resend, Mailchimp, etc.) and their health status. Credential material is never returned.
integrations:write - Configure or rotate integration credentials. Invokes the credential vault; requires re-auth per PLATFORM-SECURITY §2.1.
inventory:read - View inventory levels per variant + restock history.
inventory:write - Adjust inventory counts via the adjust_inventory stored procedure.
leads:read - View newsletter signups, waitlist entries, and other lead-gen captures.
leads:write - Edit lead metadata, move between lists, or mark contacted.
orders:cancel - Cancel an unfulfilled order; triggers Stripe refund when appropriate.
orders:fulfill - Mark an order shipped: assign tracking number, push to fulfillment provider.
orders:read - View orders, order line items, and order notes.
orders:refund - Issue a full or partial refund through the tenant's Stripe account.
orders:write - Edit shipping/billing address, add internal notes, adjust tax/discount at manager discretion.
package_presets:read - View package dimension presets used for shipping rate calculation. Support-readable for triage.
package_presets:write - Create, edit, or delete package dimension presets. Admin and above.
partners:payouts - View partner payout records and initiate Stripe Connect transfers (or manual off-platform payouts) for accrued affiliate / wholesale commission. Destructive money movement — requires TOTP re-auth. Mirrors practitioners:payouts.
practitioners:approve - Approve or reject inbound practitioner-program inquiries and flip practitioner status (pending to active). Split from practitioners:write.
practitioners:delete - Permanently delete a practitioner record. On the destructive-action list per CLAUDE.md 2.2 — requires fresh password re-auth at call time.
practitioners:payouts - View practitioner payout records and initiate Stripe transfers for accrued commission. Destructive money movement — requires TOTP re-auth.
practitioners:read - List and view practitioner records and inbound practitioner-program inquiries. Read-only — does not create, approve, suspend, pay out, or delete.
practitioners:write - Create practitioner records, edit profile fields, suspend, and issue referral codes. Does NOT approve pending inquiries or delete records.
products:archive - Soft-delete a product — hidden from storefront, recoverable. No TOTP required.
products:delete - Hard-delete a product. Soft-delete (archive) is products:write. Rarely granted; typically tenant_owner only.
products:publish - Toggle a product between draft and published visibility on the storefront.
products:read - View product catalog and individual product detail pages.
products:write - Create, edit, or archive products (title, copy, pricing, variants).
promos:read - View active and expired promo codes.
promos:write - Create, edit, archive, or deactivate promo codes.
push:compose - Compose and send Web Push notifications to one customer or every subscribed customer of the current tenant (WP-v2-32 T4 / Z-370). High-impact: every successful send writes a warning-tier audit row.
quizzes:write - Manage tenant quiz definitions and published versions.
referral:read - Read referral codes and referral conversions for the tenant. Backs the admin /admin/referrals panel.
referral:write - Create and deactivate referral codes and mark referral conversions as rewarded. Non-destructive growth-admin actions.
returns:process - Issue a Stripe refund (or store credit) against a received return. Destructive money-movement — requires TOTP re-auth within 5 min.
returns:read - View return requests and their status in the admin returns panel. Read-only — does not approve, deny, or process refunds.
returns:write - Approve a return request (kicks off shipping-label leg), deny with reason, or mark as physically received.
Does NOT issue refund.reviews:publishApprove a pending review for public display on the storefront.reviews:readView customer product reviews (pending + published).reviews:writeReply to, edit, or flag reviews for moderation.roles:readView the role catalog: the system roles and the tenant-authored custom roles with their grant sets.roles:writeCreate, edit, and delete the tenant's custom roles from the tenant-visible grant matrix.storefront_pages:writeManage per-tenant storefront page enablement, slugs, SEO, and navigation order.subscription:cancelImmediately cancel a subscription (admin-only force-cancel; bypasses cancel_at_period_end). Distinct from subscription:write so destructive-class permission grants stay narrow per the Z-88 owner-resolution pattern.subscription:readRead subscription rows for the tenant. Backs the admin subscription list and per-customer subscription panels.subscription:writeModify subscription configuration (subscription_configs), apply discounts, override next billing date. Non-destructive lifecycle actions (pause, resume, cancel-at-period-end) also gate on this key.team:inviteInvite a new admin to the tenant (creates pending admin_user_tenants row).team:readView the list of admin users with access to the tenant.team:revokeRemove an admin's access to the tenant (deletes admin_user_tenants row).tenant_settings:readView tenant configuration (brand, domain, contact info, etc.).tenant_settings:writeModify tenant configuration. Tenant-owner only in v1; operator admin cannot.webhook:readView webhook endpoints and delivery history for the current tenant (WP-v2-18).webhook:writeCreate, edit, disable, and regenerate the signing secret for webhook endpoints (WP-v2-18). Includes test-delivery + manual-retry.wholesale:assignAssign or remove a customer's wholesale tier from the customer-detail page. 
Split from wholesale:write so support staff can re-tag customers without being able to mutate the catalog.wholesale:readList wholesale tier definitions and inspect per-customer tier assignments. Required for the /admin/wholesale/tiers page and the customer-detail wholesale panel.wholesale:writeCreate, edit, or delete wholesale tier definitions. Tier delete blocks when any customer is still assigned to the tier.dashboard:readscope: operationsdashboard:readscope: marketingintegrations:readscope: operationsinventory:readscope: operationsinventory:writescope: operationsleads:readscope: marketingleads:writescope: marketingorders:cancelscope: operationsorders:fulfillscope: operationsorders:readscope: operationsorders:refundscope: operationsorders:writescope: operationsproducts:publishscope: marketingproducts:readscope: marketingproducts:writescope: marketingpromos:readscope: marketingpromos:writescope: marketingreviews:publishscope: marketingreviews:readscope: marketingreviews:writescope: marketingtenant_settings:readscope: operationstenant_settings:readscope: marketing