
Team Management

Overview

Team Management lets vendors add staff members to their Siyahfy admin panel with role-based access control. Store owners can create custom roles with granular permissions, invite team members, and restrict which sections of the dashboard each team member can access. This is essential for businesses where multiple people manage different aspects of the store — one person handles orders, another manages products, and a third runs marketing.

How It Works

Role-Based Access Control

Each role defines which pages and actions a team member can access:

Permission Area   Examples
Products          View products, create products, edit products, delete products
Orders            View orders, fulfill orders, cancel orders, process refunds
Customers         View customers, edit customers, export customers
Analytics         View dashboard, view reports, export data
Settings          Manage payments, manage shipping, manage team
Marketing         View campaigns, create campaigns, manage discounts

Staff Login

Staff members log in through a separate authentication flow:

  1. Store owner creates a staff account with email and role assignment.
  2. Staff receives login credentials.
  3. Staff logs in via the staff login endpoint.
  4. The system validates credentials and checks vendor access permissions.
  5. A JWT is issued with the staff member's role and allowed routes encoded in its claims.
  6. The frontend uses the allowed routes to show/hide menu items and pages.

Phone OTP for Staff

Staff members can optionally verify their phone number via OTP for additional security or two-factor authentication.

Key API Endpoints

Role Management

POST /api/manageRoles (Auth Required)

Create or update a role with name, description, and permissions

GET /api/getUserRoles (Auth Required)

List all roles defined for a vendor's store

POST /api/saveRoutes (Auth Required)

Save the allowed routes/pages for a role

DELETE /api/deleteUserRoles (Auth Required)

Delete a role (staff with this role lose access)

Staff Authentication

POST /api/Staff/login

Staff member login with email and password

POST /api/update-staff-phone-otp (Auth Required)

Send OTP to staff phone for verification

Access Control

POST /api/vendor/allowed-page (Auth Required)

Check if the current user's role allows access to a specific page/route

GET /api/vendor/status-check (Auth Required)

Check vendor account status and subscription validity

POST /api/vendor/checkstoreExists (Auth Required)

Verify a store exists and the user has access to it

Database Tables

Table             Purpose
user_roles        Role definitions — name, description, vendor_id
role_permissions  Permissions assigned to each role (routes, actions)
staff_accounts    Staff member accounts — email, password hash, role_id, vendor_id
vendor_access     Vendor access settings and allowed routes per role

  • Integrations — Firebase Auth may be used for staff authentication
  • Orders — Staff commonly need order management access
  • Products — Product management is a key staff permission area
  • Analytics — Report access can be restricted by role