Flash Warehouse RBAC Guide: Setting Up Role-Based Permissions from Scratch
Flash Warehouse WMS ships with 55 granular permission codes and a full RBAC system. This tutorial walks through creating three practical roles (warehouse operator, cashier, manager) via both PC and CLI, demonstrating how to implement the principle of least privilege.
Why Role-Based Permissions Matter
Once a warehouse team grows beyond two people, access control stops being optional. A cashier should not be able to delete purchase orders. A warehouse operator does not need access to financial settings. Flash Warehouse WMS ships with a complete RBAC (Role-Based Access Control) system featuring 55 granular permission codes that span purchasing, sales, inventory, staffing, and system configuration.
This tutorial walks through configuring three real-world roles, from permission planning to staff assignment.
Flash Warehouse Permission Architecture
The permission model has three layers:
- Permission Codes (Powers): The smallest unit of access. Each code maps to a specific operation in the format module_action, for example 入库_新增 (Inbound_Create), 入库_查询 (Inbound_Query), 入库_删除 (Inbound_Delete).
- Roles: A named collection of permission codes. A role can contain any number of codes.
- Staff: Each staff member can be bound to multiple roles. Their effective permissions are the union of all bound roles.
Permission Code Reference
| Module | Code Count | Operations |
|---|---|---|
| Purchasing (inquiry, order, inbound, return, replacement) | 20 | Create, Delete, Modify, Query |
| Sales (quotation, order, outbound, return, replacement) | 20 | Create, Delete, Modify, Query |
| Other inbound/outbound | 8 | Create, Delete, Modify, Query |
| Warehouse and inventory | 3 | Warehouse management, Stocktake, Inventory view |
| System administration | 4 | Staff management, Settings, Partner management, POS retail |
The Principle of Least Privilege
Before creating any role, establish a core rule: each role receives only the minimum permissions required for its job function. In practice:
- View-only positions get Query permissions only -- no Create, Modify, or Delete
- Operational positions get Query plus Create, with Modify granted cautiously
- Delete permissions are strictly reserved for management-level roles
The three roles below demonstrate this principle.
Three Practical Role Configurations
Role 1: Warehouse Operator
Warehouse operators handle daily inbound and outbound operations. They need to view inventory and create stock documents but must not delete records or manage staff.
Permission codes (by ID):
- Inbound: Create (5), Query (8), Modify (7)
- Outbound: Create (29), Query (32), Modify (31)
- Other Inbound: Create (44), Query (47)
- Other Outbound: Create (48), Query (51)
- Inventory View (43), Stocktake (42)
Total: 12 permission codes. No Delete permissions included.
Role 2: Cashier
The cashier only needs POS retail access and basic outbound visibility.
Permission codes (by ID):
- POS Retail (55)
- Outbound Query (32)
- Inventory View (43)
Total: 3 permission codes -- the most minimal viable role.
Role 3: Manager
The manager requires full access across all modules, including delete operations and system administration.
Permission codes: All 55 codes.
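The three-layer model (codes, roles, staff) and the least-privilege rules above are easy to check mechanically before anything is created in the system. The following is an added example, not Flash Warehouse code: it models the catalog, the three roles as defined in this guide, the union semantics for multi-role staff, and a check that flags Delete codes outside management roles and write codes granted without the module's Query code. Code IDs 6 and 30 are assumed placeholders for Inbound_Delete and Outbound_Delete, since the guide lists no delete IDs; the rest are the IDs given above.

```python
# Added example, not Flash Warehouse code: model of the permission architecture
# (codes -> roles -> staff) with a least-privilege check over the guide's roles.
# IDs 6 and 30 are ASSUMED placeholders for Inbound_Delete / Outbound_Delete;
# every other ID is the one this guide lists (see `fwh staff powers`).
POWERS = {
    5: ("Inbound", "Create"), 6: ("Inbound", "Delete"),
    7: ("Inbound", "Modify"), 8: ("Inbound", "Query"),
    29: ("Outbound", "Create"), 30: ("Outbound", "Delete"),
    31: ("Outbound", "Modify"), 32: ("Outbound", "Query"),
    42: ("Inventory", "Stocktake"), 43: ("Inventory", "View"),
    44: ("OtherInbound", "Create"), 47: ("OtherInbound", "Query"),
    48: ("OtherOutbound", "Create"), 51: ("OtherOutbound", "Query"),
    55: ("System", "POSRetail"),
}

# Roles as the guide defines them (Manager = every code in the catalog).
ROLES = {
    "Warehouse Operator": {5, 7, 8, 29, 31, 32, 44, 47, 48, 51, 42, 43},
    "Cashier": {55, 32, 43},
    "Manager": set(POWERS),
}
MANAGEMENT_ROLES = {"Manager"}


def effective_powers(bound_roles, roles=ROLES):
    """Layer 3: a staff member's access is the union of all bound roles."""
    return set().union(*(roles[name] for name in bound_roles))


def can(bound_roles, module, action, roles=ROLES, powers=POWERS):
    """Authorization check: does any bound role grant module_action?"""
    return any(powers.get(cid) == (module, action)
               for cid in effective_powers(bound_roles, roles))


def least_privilege_findings(role_name, codes, powers=POWERS):
    """Flag violations of the guide's rules: Delete outside management roles,
    and Create/Modify/Delete granted without the module's Query code."""
    findings = []
    for cid in sorted(codes):
        if cid not in powers:
            findings.append(f"unknown code {cid}")
            continue
        module, action = powers[cid]
        if action == "Delete" and role_name not in MANAGEMENT_ROLES:
            findings.append(f"{module}_Delete ({cid}) granted to non-management role")
        if action in ("Create", "Modify", "Delete") and not any(
                powers.get(c) == (module, "Query") for c in codes):
            findings.append(f"{module}_{action} ({cid}) without {module}_Query")
    return findings


def audit_roles(roles=ROLES):
    """Run the check over every role; an empty list means the role is clean."""
    return {name: least_privilege_findings(name, codes) for name, codes in roles.items()}


if __name__ == "__main__":
    for name, findings in audit_roles().items():
        print(f"{name}: {len(ROLES[name])} codes, {findings or 'OK'}")
    print("cashier can delete outbound?", can(["Cashier"], "Outbound", "Delete"))
```

Run the check against each role before creating it; a role that trips a finding either needs the missing Query code added or the Delete code moved to a management role.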
PC Configuration Steps
Step 1: Navigate to Permission Management
In the PC client, open Permission Management from the left sidebar. This page displays all existing roles in a paginated table, with each role's permission codes shown as color-coded tags.
Step 2: Create a Role
Click Add Role in the upper right corner. In the dialog:
- Enter the role name (e.g., "Warehouse Operator")
- Use the Transfer widget to move permission codes from the "Unselected" panel to the "Selected" panel
- The Transfer widget supports keyword search for quick filtering
- Click Submit to save
Step 3: Bind a Role to Staff
Navigate to Staff Management. For each staff member, click the role binding icon. In the dialog:
- Select one or more roles from the dropdown
- Currently bound roles appear as closeable tags below
- Click the close button on a tag to unbind a role
- Confirm the binding
CLI Configuration
The fwh CLI provides a complete role management command set under fwh staff role.
View All Permission Codes
```shell
fwh staff powers
```
This outputs all 55 permission codes with their IDs -- the essential reference for role design.
Create Roles
Use fwh staff role create with a comma-separated list of permission code IDs:
```shell
# Warehouse Operator (12 permissions, no deletes)
fwh staff role create \
  --role-name "Warehouse Operator" \
  --powers "5,7,8,29,31,32,44,47,48,51,42,43"

# Cashier (3 permissions, POS only)
fwh staff role create \
  --role-name "Cashier" \
  --powers "55,32,43"
```
List and Search Roles
```shell
# List all roles
fwh staff role list

# Search by name
fwh staff role search --role-name "Warehouse"

# Get total count
fwh staff role count
```
Bind and Unbind Roles
```shell
# Assign a role to a staff member
fwh staff role bind --staff-id 1001 --role-id 2

# Remove a role from a staff member
fwh staff role unbind --staff-id 1001 --role-id 2

# Check which roles a staff member has
fwh staff role get-for-staff --staff-id 1001
```
All write operations (create, delete, bind, unbind) trigger a confirmation prompt to prevent accidental changes.
MCP Server Integration
Flash Warehouse's MCP Server exposes role management as tool calls, accessible from Claude Code, Cursor, and Windsurf:
- Read tools: role_list, role_search, role_count, role_get_for_staff, power_list
- Write tools (requires write mode): role_create, role_delete, role_bind, role_unbind
Write tools follow Flash Warehouse's safety model: login-first authentication, tenant-locked data isolation, and explicit confirmation for destructive operations.
Best Practices
- Plan before you build: Run fwh staff powers or browse the PC Transfer widget to review all 55 codes before defining any role.
- Use clear naming: Format role names as "Position + Function", such as "Warehouse Operator", "Purchasing Lead", or "Finance Auditor".
- Audit regularly: Review role bindings monthly. Unbind roles promptly when staff transfer or leave.
- No shared accounts: Create individual staff accounts with appropriate roles rather than sharing a single admin login.
- Isolate delete permissions: The system has 10 delete-type permission codes. Concentrate these in a small number of management roles to prevent accidental data loss.
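The "audit regularly" and "isolate delete permissions" practices can be scripted so the monthly review is a report rather than a manual walk through Staff Management. The following is an added example, not Flash Warehouse code: it takes a snapshot of roles and staff bindings, lists staff who have left but are still bound, computes each active person's effective (union) permissions to find who holds delete access, counts delete-capable roles, and prints the matching fwh staff role unbind commands. All sample data is constructed: the role IDs, staff IDs and the active flag are invented, and DELETE_CODE_IDS is an assumed placeholder for the delete-type codes (take the real IDs from fwh staff powers).

```python
# Added example, not Flash Warehouse code: monthly binding audit.
# Constructed sample data; DELETE_CODE_IDS is an ASSUMED placeholder for the
# delete-type permission codes (the guide gives their count, not their IDs).
DELETE_CODE_IDS = {6, 30}  # placeholder: Inbound_Delete, Outbound_Delete

# role_id -> (name, permission code IDs); Manager holds all 55 codes.
ROLES = {
    1: ("Manager", set(range(1, 56))),
    2: ("Warehouse Operator", {5, 7, 8, 29, 31, 32, 44, 47, 48, 51, 42, 43}),
    3: ("Cashier", {55, 32, 43}),
}

# Constructed staff records: 1002 has left the company but is still bound.
STAFF = [
    {"id": 1001, "name": "Alice", "active": True, "roles": [2]},
    {"id": 1002, "name": "Bob", "active": False, "roles": [2, 3]},
    {"id": 1003, "name": "Carol", "active": True, "roles": [1, 2]},
]


def delete_capable_roles(roles=ROLES):
    """Roles carrying any delete code; the guide says to keep this set small."""
    return sorted(rid for rid, (_, codes) in roles.items() if codes & DELETE_CODE_IDS)


def audit_bindings(staff=STAFF, roles=ROLES):
    """Find stale bindings (inactive staff still bound) and active staff whose
    effective permissions, the union of all bound roles, include delete codes."""
    stale, delete_holders = [], {}
    for person in staff:
        effective = set().union(*(roles[r][1] for r in person["roles"]))
        if not person["active"]:
            stale.extend((person["id"], r) for r in person["roles"])
        held = effective & DELETE_CODE_IDS
        if held and person["active"]:
            delete_holders[person["id"]] = held
    # Remediation commands for stale bindings; the CLI's confirmation prompt
    # still applies when they are run.
    commands = [f"fwh staff role unbind --staff-id {sid} --role-id {rid}"
                for sid, rid in stale]
    return {
        "stale_bindings": stale,
        "delete_holders": delete_holders,
        "delete_capable_roles": delete_capable_roles(roles),
        "unbind_commands": commands,
    }


if __name__ == "__main__":
    report = audit_bindings()
    for line in report["unbind_commands"]:
        print(line)
    print("roles with delete codes:", report["delete_capable_roles"])
    print("active staff with delete access:", report["delete_holders"])
```

In practice the roles and staff snapshots would be filled from fwh staff role list and fwh staff role get-for-staff output; the checks themselves do not change.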
Summary
Flash Warehouse WMS provides enterprise-grade access control through 55 permission codes, flexible role composition, and multi-role binding per staff member. Whether you prefer the PC client's visual Transfer widget or the CLI's command-line precision, the workflow is straightforward: enumerate the permissions each position needs, package them into a named role, and bind that role to the right staff members. The guiding principle throughout is least privilege -- every person gets exactly the access they need and nothing more.