Permission Policies

Restrict what data assigned users can read and modify through Operator

Permission Policies let instance admins define exactly which parts of the ERP.net data model an Operator user is allowed to access — on top of ERP.net's own security. They are managed per ERP.net instance from Manage Instance Users → Policies.

Why Use Permission Policies?

ERP.net's built-in roles control access at the database level, but they apply uniformly to everyone using a given login. Operator policies let you:

Policies are enforced on top of ERP.net's own security. ERP.net checks always run; the policy simply adds a second filter that blocks access to anything outside the granted scopes.

Who Can Manage Policies?

Only Instance Admins (instance role 40) can create, edit, delete, and assign Permission Policies. Other users see the assigned policy on their own account in read-only form.

Accessing the Policies Page

  1. Open the user menu and choose Manage Instance Users.
  2. Switch to the Policies tab.

You will see the list of policies defined for the current ERP.net instance, plus how many users each policy is assigned to.

Creating or Editing a Policy

Click New Policy (or the pencil icon on an existing policy). Each policy has:

Field Description
Name Short label shown when assigning the policy to users (e.g. Sales Reps, Read-only Finance).
Description Optional notes for other admins explaining the intent.
Allow off-topic conversations Master switch that controls Topic Guard for assigned users — see below.
Scope tree Visual tree of all ERP.net namespaces and entities the policy grants access to.

Working with the Scope Tree

The scope tree is the heart of a policy. It mirrors the ERP.net data model — namespaces (e.g. Crm, Logistics, Finance) at the top, with sub-namespaces and individual entities underneath.

When you save, Operator collapses your selection to the smallest equivalent set of scope entries. For example, if you tick every entity inside Crm, the saved policy stores a single Crm.* entry instead of dozens of individual ones. Re-opening the policy expands them back into the tree.

Allow off-topic conversations

The Allow off-topic conversations switch controls whether assigned users can chat with the AI about non-work themes (the weather, general knowledge questions, casual conversation, etc.).

This is the right setting for client-facing or shared-account scenarios where you want to keep AI usage strictly on-topic.

Assigning a Policy to a User

  1. Go to the Users tab in Manage Instance Users.
  2. Locate the user and use the Policy dropdown in their row.
  3. Pick a policy or choose No policy to remove the restriction.

A user without a policy keeps unrestricted Operator-side access — ERP.net's own security still applies.

Policy assignment changes are recorded in the instance Audit Log, so you can always trace who changed what and when.

How Enforcement Works

Whenever an assigned user runs a tool that reads or writes ERP.net data, Operator:

  1. Determines the entity being accessed (e.g. Crm.Customers).
  2. Looks up the user's policy and checks whether the entity is covered.
  3. For writes, also confirms the policy grants Update on that scope.
  4. Blocks the call with a clear message if the entity is outside the allowed scopes.

Read-only policies still let users see business data the AI returns — they just can't trigger create/update/delete operations through the AI. To restrict reads, simply leave the relevant branches unticked.

The AI is also informed about restrictions at discovery time — when it looks up an entity (for example to plan a query), the response already tells it whether the user has full, read-only, or no access. This way the AI can warn the user proactively instead of attempting a call that will be denied, and it knows not to keep retrying similar lookups.

Tips