Staff permissions explained
How permissions decide what each team member can do, and why some come as a set.
When you invite a staff member you pick exactly what they can access. This is the model behind those choices.
Permissions are granular
Each permission unlocks one area, for example viewing orders, advancing order status, managing the menu, managing tables, viewing reporting, or managing webhooks. You grant only the ones a person needs, and you can change them at any time. Venue owners have every permission automatically; super admins are not limited by them.
Why some permissions depend on others
Some permissions only make sense alongside another, so Tapimo links them. For example, Manage Order Status and Cancel Orders both need View Orders: you cannot act on orders you cannot see. When you grant a permission, Tapimo switches on anything it depends on; when you revoke one, it also revokes the permissions that relied on it. This keeps a staff member's access consistent.
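The grant and revoke behaviour described above, sketched as an added example (this is not Tapimo's code). The permission identifiers are hypothetical names for the permissions this page mentions, and the functions also follow multi-level dependency chains, which goes beyond the single-level case given here.

```python
# Added illustration; permission identifiers are hypothetical names for the
# permissions the page mentions, not Tapimo's real keys.
DEPENDS_ON = {
    "manage_order_status": {"view_orders"},
    "cancel_orders": {"view_orders"},
}


def _closure(start, edges):
    """Return start plus everything reachable from it through edges."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(edges.get(node, ()))
    return seen


def _dependents(depends_on):
    """Invert the map: permission -> permissions that rely on it."""
    inverted = {}
    for perm, needs in depends_on.items():
        for need in needs:
            inverted.setdefault(need, set()).add(perm)
    return inverted


def grant(held, perm, depends_on=DEPENDS_ON):
    """Grant perm and switch on everything it depends on."""
    return set(held) | _closure(perm, depends_on)


def revoke(held, perm, depends_on=DEPENDS_ON):
    """Revoke perm and every held permission that relied on it."""
    return set(held) - _closure(perm, _dependents(depends_on))


def is_consistent(held, depends_on=DEPENDS_ON):
    """True when every held permission has all of its dependencies."""
    return all(depends_on.get(p, set()) <= set(held) for p in held)
```

Running `is_consistent` over stored permission sets is a quick audit for accounts that hold an action permission without the view permission it relies on.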
Privileged accounts get extra protection
Some permissions are sensitive (managing staff, cancelling orders, changing venue settings, integrations, loyalty, discounts, theme). Anyone who holds one of these, along with every owner and super admin, is treated as a privileged account and must use:
- A stronger password: at least 12 characters with mixed case, a number and a symbol, and not one found in known data breaches.
- Multi-factor authentication (MFA).
Lockout after repeated failures
To stop password guessing, login locks for a while after several failed attempts. The lock clears on its own once the lockout window passes, or as soon as a correct login succeeds.