What are roles and permissions, and how do they work together?

A permission is a single ability, named module.action — for example shipments.create, invoices.view, api.keys_manage. A role is a named collection of permissions, like manager or finance_staff. You give people roles; the roles carry the permissions. This keeps access manageable: instead of ticking dozens of abilities per person, you assign one role. Change the role once and everyone with it updates. Roles are scoped per company (teams). The same person can be finance_staff in Company A and support in Company B, and they will see different abilities in each. The super_admin role is special — it sees and controls everything across all companies. Use the roles matrix to view and adjust which permissions each role has. Every change is recorded in the audit trail.