How does the permission system work (module.action strings)?

Permissions are expressed as module.action strings — for example Orders.ViewOrders or Vendors.ManageVendorMode — grouped into roughly twenty modules (AccessControl, Dashboard, Catalogue, Vendors, Orders, Fulfilment, Payments, Delivery, Inventory, Settlement, Support, CRM, Marketing, Loyalty, Wallet, Quotes, Subscriptions, Approvals, Analytics, Templates). Each module exposes standard…

Permissions are expressed as module.action strings — for example Orders.ViewOrders or Vendors.ManageVendorMode — grouped into roughly twenty modules (AccessControl, Dashboard, Catalogue, Vendors, Orders, Fulfilment, Payments, Delivery, Inventory, Settlement, Support, CRM, Marketing, Loyalty, Wallet, Quotes, Subscriptions, Approvals, Analytics, Templates). Each module exposes standard actions (view/create/edit/delete) plus module-specific ones. Roles are collections of these permission strings, and controller actions are gated by them, so access control is fine-grained rather than all-or-nothing. A seeded Super Admin role holds every permission and cannot be deleted, which guarantees there is always an account that can administer the system. Because permissions are data, a super admin can define new roles and assign exactly the permissions each needs.