Roles & Permissions — CanaryQMS Help Centre

CanaryQMS uses five roles to control access. Each user is assigned exactly one role.

Role Overview

Role	Purpose	Typical Users
Admin	Full system access including user management and configuration	IT administrator, QMS owner
Quality Manager	Creates, edits, and approves quality records. Manages training.	Quality Manager, Food Safety Manager
Quality Engineer	Day-to-day operations — creates and edits records but cannot approve	QA Technician, Quality Engineer, Lab Analyst
Approver	Reviews and approves CAPAs and documents. Cannot create records.	Department Head, Technical Director
Read Only	View-only access to all records, dashboards, and reports	External auditor, Senior management, Consultant

Permission Matrix

Permission	Admin	Quality Manager	Quality Engineer	Approver	Read Only
Manage users	✓
System configuration	✓
Create complaints	✓	✓	✓
Edit complaints	✓	✓	✓
Transition complaint status	✓	✓	✓
Create NCRs	✓	✓	✓
Edit NCRs	✓	✓	✓
Transition NCR status	✓	✓	✓
Create CAPAs	✓	✓	✓
Edit CAPAs	✓	✓	✓
Approve CAPAs	✓	✓		✓
Upload documents	✓	✓	✓
Approve documents	✓	✓		✓
Manage training	✓	✓
Complete training	✓	✓	✓	✓
Generate reports	✓	✓
Manage products	✓	✓
View all records	✓	✓	✓	✓	✓

Separation of Duties

Important: Regardless of role, a user cannot approve a CAPA or document they created. This is enforced at the system level to satisfy ISO 9001 Clause 7.5 and ISO 22000 requirements for independent review.

This means:

A Quality Manager who creates a CAPA must have a different Quality Manager or Approver approve it
A document uploaded by one user must be reviewed by a different user
The system will reject approval attempts where the approver is the creator

Changing Roles

Only Admin users can change roles. Navigate to Settings → Users, find the user, and select a new role from the dropdown. The change takes effect immediately.

Consider the principle of least privilege — assign the minimum role needed for each person's responsibilities.