# Available Permissions (ACL)

### Overview

The **ACL (Access Control List)** controls what an admin can **view** and **modify** in the Admin Panel.

Permissions are assigned per **resource** and come in two levels:

* **View**: read-only access.
* **Modify**: create, edit, delete, and run actions.

Anything not granted is hidden or disabled.\
Some API calls can return **403** when access is missing.

{% hint style="info" %}
Grant the minimum permissions needed for the job (least privilege).
{% endhint %}

### Where you manage permissions

You add these permissions in **Settings → Roles** when creating or editing a role.\
See [Roles](https://help.openloyalty.io/main-features/settings/roles).

### Common requirements and dependencies

{% hint style="warning" %}
Always grant **View → Stores** for new roles. Without it, the Admin Panel may not work.
{% endhint %}

Common dependencies:

* **Segments** often needs **Members** to view members inside segments.
* **Transactions** often needs **Members** for member-level transaction views and matching.
* **Issued rewards** often needs **Members** to open linked member profiles.
* Exports/imports require access to the underlying resources you export/import.

***

### Permission catalog

Use the sections below as a reference when building roles.

<details>

<summary><strong>Tenants (Stores)</strong></summary>

#### Tenants (Stores)

Access tenant-level data.

* **View**: required to display data across many screens.
* **Modify**: edit tenant-related configuration.

{% hint style="warning" %}
Removing this permission can break page loading and data visibility.
{% endhint %}

{% hint style="danger" %}
A new tenant is not automatically assigned a role. A super admin or an admin with role modification permissions must update this setting (see **Settings / ACL**).
{% endhint %}

</details>

<details>

<summary><strong>Settings</strong></summary>

#### ACL

Manage roles and permissions.

* View roles
* Create roles
* Edit role permissions

{% hint style="info" %}
You need **ACL** to change any role configuration.
{% endhint %}

#### Admins

Manage admin users.

* View admin list
* Edit admin details
* Change passwords

{% hint style="warning" %}
Changing an admin’s role requires **ACL** permission.
{% endhint %}

#### Audit log

* View logs
* Filter by date range
* Export logs

#### Channels

* View channels
* Modify channel configuration
* Apply channel-related conditions

#### Language

* Manage system languages
* Add/remove languages
* Change display language from the top navigation

#### Translations

* Manage translation keys
* Edit localized system text

Useful for multi-language deployments.

#### Settings

Access tenant-level settings screens, including:

* Wallet types
* Activation settings
* Expiring units configuration
* Wallet overview on the dashboard

#### Technical settings

Access advanced technical configuration options.

</details>

<details>

<summary><strong>Members</strong></summary>

#### Members

* Members list
* Single member profile
* Activation/deactivation
* Member configuration
* Transaction matching

#### Segments

* Segment list
* Create/edit segments
* Use segments in campaigns, achievements, and rewards

{% hint style="warning" %}
Viewing members inside segments requires **Members** permission.
{% endhint %}

#### Custom events

* Manage custom events and schemas
* Use custom events in campaigns and achievements

#### Badge

* View badge data
* Edit badge names
* Modify completion counts

{% hint style="info" %}
You need at least **View** to see badges in achievements and member profiles.
{% endhint %}

</details>

<details>

<summary><strong>Transactions</strong></summary>

#### Transactions

* Transactions list and details
* Add/edit transactions
* View member transactions
* Match transactions

{% hint style="warning" %}
This typically requires **Members** permission to view related member data.
{% endhint %}

</details>

<details>

<summary><strong>Analytics</strong></summary>

#### Dashboard (General overview)

* View dashboard overview charts
* Filter dashboard data

#### Home

Access additional dashboard metrics, including:

* Total members
* Members without transactions
* Members with transactions
* Members by tiers

#### Single campaign view (Campaign overview)

* Campaign-specific analytics
* Filtering campaign metrics

</details>

<details>

<summary><strong>Global management</strong></summary>

#### Global management

* Global settings
* Key metrics across multiple tenants
* Cross-environment management

#### Usage

* Usage charts
* Total number of transactions
* Billable members across tenants

</details>

<details>

<summary><strong>Rewards</strong></summary>

#### Issued rewards

* Reward fulfillment list
* Change reward status

{% hint style="warning" %}
Opening linked member profiles requires **Members** permission.
{% endhint %}

#### Rewards

* View reward list
* Add/edit rewards
* Manage images
* Duplicate rewards
* Configure reward settings

{% hint style="warning" %}
Claiming rewards typically requires **Members** permission.
{% endhint %}

#### Rewards categories

* Manage reward categories
* Add new categories

{% hint style="warning" %}
Selecting categories during reward creation requires **Rewards** permission.
{% endhint %}

</details>

<details>

<summary><strong>Imports / exports</strong></summary>

#### Exports

* Export member lists
* Export members by tiers and segments

{% hint style="info" %}
Exports also depend on access to the exported resources.
{% endhint %}

#### Imports

* Import members
* Assign members to segments
* Import unit transfers

#### Mass actions

* View mass action logs
* Run bulk operations across the system

</details>

<details>

<summary><strong>Wallets</strong></summary>

#### Wallets

* View member wallets in the member profile

#### Unit transfers

* View unit transfer list and details
* Add/deduct units
* Cancel or expire transfers

</details>

<details>

<summary><strong>Other modules</strong></summary>

#### Webhook subscriptions

* View active webhooks
* Add/delete webhook subscriptions

#### Collections

* Manage collections
* Add new collections

{% hint style="warning" %}
Importing values into collections requires **Imports** permission.
{% endhint %}

#### Tiers

* View and edit tiers
* Manage tier sets

{% hint style="warning" %}
Exporting members from tiers requires **Exports** permission.
{% endhint %}

#### Campaigns

* View campaigns list
* Add/edit/duplicate campaigns

{% hint style="warning" %}
Correct campaign display often requires **Segments** and **Tiers** permissions.
{% endhint %}

</details>
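
The dependency hints from the catalog above, collected into a check you can run over a planned role before saving it. This is an added example, not Open Loyalty code: the role-as-dictionary shape and the `lint_role` name are assumptions, and resource names are the display names used on this page.

```python
# Added example. A role is modelled as a dict of resource name -> "view" or "modify";
# that shape is an assumption for illustration, not Open Loyalty's role format or API.
# Resource names are the display names used in the catalog above.

# resource -> [(required resource, feature the page says depends on it)]
DEPENDENCIES = {
    "Segments": [("Members", "viewing members inside segments")],
    "Transactions": [("Members", "viewing related member data")],
    "Issued rewards": [("Members", "opening linked member profiles")],
    "Rewards": [("Members", "claiming rewards")],
    "Rewards categories": [("Rewards", "selecting categories during reward creation")],
    "Collections": [("Imports", "importing values into collections")],
    "Tiers": [("Exports", "exporting members from tiers")],
    "Campaigns": [("Segments", "correct campaign display"),
                  ("Tiers", "correct campaign display")],
    "Admins": [("ACL", "changing an admin's role")],
}
VALID_LEVELS = {"view", "modify"}


def lint_role(grants):
    """Return findings for one role: broken grants, missing dependencies, review items."""
    findings = []
    for resource, level in grants.items():
        if level not in VALID_LEVELS:
            findings.append(("error", f"{resource}: unknown level {level!r}"))
    # The page requires View on Stores for every new role.
    if grants.get("Stores") not in VALID_LEVELS:
        findings.append(("error", "Stores: View not granted; the Admin Panel may not work"))
    for resource in grants:
        for needed, feature in DEPENDENCIES.get(resource, []):
            if needed not in grants:
                findings.append(("warn", f"{resource}: {feature} needs {needed}"))
    # ACL Modify can edit role permissions, so it deserves a second look.
    if grants.get("ACL") == "modify":
        findings.append(("review", "ACL: Modify can edit role permissions"))
    return findings


if __name__ == "__main__":
    # Constructed sample role, not taken from a real installation.
    support_role = {"Segments": "view", "Campaigns": "modify", "Tiers": "view"}
    for severity, message in lint_role(support_role):
        print(f"{severity:6} {message}")
```

A `warn` finding names the feature that will be unavailable, so you can decide whether the role needs it before granting the extra resource.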

***

### Default role

A role can be marked as **Default**.\
When enabled, it is assigned automatically to new admins created via SSO login.
