Roles and permissions control what each staff member can view, change, approve, and administer in Lupa. Use this page when you need to build reusable access roles, such as Reception, Nurse, Vet, Manager, Finance, or Company Admin, and assign those roles to active team members.
💡 In short: Go to company-level Admin Settings → Staff → Permissions, define what each role can do in Role Definition, then assign one or more roles to each employee in Employee Roles.
Before You Begin
📍 Permissions required: You need Company Admin access to manage this area. To change the permission matrix you need Define Roles. To assign roles to staff you need Assign Roles.
Roles and permissions are access control. Keep nearby staff setup in its own page so each setting stays clear:
Area | Use it for | Do not use it for |
Roles and permissions | Controlling what staff can see, create, update, approve, and administer in Lupa. | Changing someone's job title, clinic membership, rota, or appointment-type eligibility. |
Staff profiles | Names, login email, phone number, visible job role label, vet registration number, avatar, signature, password reset, and archive status. | Granting access to restricted tools or settings. |
Staff locations and assignments | Adding staff to clinics and deciding whether they appear in a clinic's calendar. | Deciding what they can do once they are inside Lupa. |
Qualifications and certifications | Choosing which appointment types each staff member can cover. | Granting access to settings, finance, analytics, inventory, or admin tools. |
⚠️ Role names and job roles are different. The Job Role on a staff profile is a label, such as Veterinarian or Reception Staff. The roles on this page are permission groups that control access.
How Roles Work
A role is a reusable set of permissions. You define the role once, then assign it to any staff member who needs that access. Staff can have more than one role, and their final access is the combination of all roles assigned to them.
Concept | What it means |
Permission | A specific access rule, such as Full Analytics Access, Inventory, Perform stocktake, Complete stocktake, Manage product batches, Medication Management, Assign Roles, Manage Employee Stores, View order pricing, or Override Linked Fees. |
Role | A named bundle of permissions, such as Admin, Core, Support, Reception Lead, or Finance. |
Employee Roles | The roles assigned to an individual staff member. |
Company Admin | The full-access permission. Staff with this permission pass permission checks across Lupa. |
🔒 Lupa protects your admin setup. At least one role must keep Company Admin, Define Roles, and Assign Roles, and you cannot remove every admin-capable role from your own user.
Manage Role Definitions
Open Role Definition
Open company-level Admin Settings.
In Staff, click Permissions.
Open the Role Definition tab.
The table is a permission matrix:
Part of the table | What it means |
Rows | Individual permissions. Use the information icon beside a permission to see what it allows. |
Groups | Business areas, such as Admin, Analytics & Reporting, Appointments & Scheduling, Finance & Billing, Inventory & Products, and Tasks. |
Columns | Your practice's roles. Ticked boxes show which permissions belong to that role. |
Filter permissions | Searches permission names, descriptions, groups, and subgroups. |
Save Changes | Applies permission changes. It becomes available after you make a change. |
Some groups only appear when the matching feature is enabled for your company, such as Hospitalisation, Price Factor, or Lupa Pay.
Add a New Role
Click Add New Role.
Enter the role name.
Click Add Role.
Tick the permissions that role should include.
Click Save Changes.
💡 A new role starts with no permissions. It will not give staff extra access until you tick permissions and save the role definition.
Edit an Existing Role
Find the role column you want to update.
Tick permissions to add access, or untick permissions to remove access.
Use Filter permissions when the table is long.
Click Save Changes. Changes affect every employee who has that role. For example, if the Support role gains Inventory, every employee assigned to Support gains inventory access after the change is saved.
Delete a Role
In Role Definition, click the delete icon beside the role name.
Type the role name to confirm.
Click Delete. Deleting a role archives that role so it is no longer used for access. Lupa hides the delete option when deleting the role would leave no role capable of administering permissions.
⚠️ Review employees before deleting a role. If a role is still assigned to staff, removing it may immediately reduce their access.
Assign Roles to Employees
Open Employee Roles
Open Admin Settings → Staff → Permissions.
Click Employee Roles.
Use Filter employees to find the staff member.
The table shows active employees in your current company or store context. Archived staff are managed from Staff profiles and do not appear here for role assignment.
Change a Staff Member's Roles
Find the employee in the table.
Open the Roles picker in their row.
Select or clear the roles they should have.
Click Select.
Review the confirmation message.
Click Confirm.
Lupa shows which roles are being added or removed before it applies the change. If you are changing your own account, Lupa blocks changes that would remove all admin-capable access from you.
✅ Best practice: Build a small number of clear roles, then assign multiple roles when someone genuinely works across areas. This is easier to audit than creating a different one-off role for every person.
Permission Groups Reference
Group | Examples of what it controls |
Admin | Full company access and company-level governance. |
Business & Staff Management | Practice information, staff profiles, employee store assignments, and role or permission management. |
Appointments & Scheduling | Booking settings, rota viewing and editing, appointment types, appointment duration changes, rooms, and consent forms. |
Finance & Billing | Billing access, discounts, refunds, credit notes, write-offs, invoice unlocking, overriding linked fees (such as dispensing and injection fees), financial locks, Lupa Pay, and client billing holds. |
Analytics & Reporting | Full or limited analytics access, cashup access, and custom reporting data sources. |
Inventory & Products | Stock access, stocktake entry, stocktake completion, batch management, product controls, VAT controls, reference lists, service list management, list archiving, and viewing order pricing (cost, mark-up, and line total when processing inventory orders). |
Prescriptions & Medication | Creating, updating, and deleting prescriptions, including repeat medications. |
Insurance & Integrations | Insurance access, submitted claim updates, integration settings, and Microsoft 365 app authentication management. |
Communication & Client Preferences | Client chat, internal chat, campaigns, bulk emails, and communication preference controls. |
Settings & Customization | Health plans, Lupa billing settings, and security settings. |
API Keys | Creating and updating API keys for third-party integrations. |
Tasks | Reading, managing, and viewing tasks across the company. |
🔒 Give the smallest access that lets the person do their work. Keep Company Admin, finance controls, API keys, security settings, and role-management permissions limited to people who are responsible for those areas.
Tips
✅ Best practices for clean access control:
Keep one admin role with Company Admin, Define Roles, and Assign Roles.
Use job-based roles for common access patterns, such as Reception, Nurse, Vet, Practice Manager, Finance, and Support.
Assign more than one role when someone covers multiple responsibilities instead of creating a one-person role.
Review roles when staff change role, move site, join finance workflows, or leave the practice.
Keep clinic membership in Staff locations and assignments and appointment eligibility in Qualifications and certifications.
Check high-risk permissions regularly, especially Company Admin, finance controls, API keys, security settings, prescriptions, and role management.
Troubleshooting
Problem | What to do |
I cannot see Permissions | You may not have company-level admin access or role-management permissions. Ask an administrator to review your access. |
The Role Definition tab is disabled | You need Define Roles to edit the permission matrix. |
The Employee Roles tab is disabled | You need Assign Roles to change staff role assignments. |
Save Changes is disabled | Make a change first. If you removed the last admin-capable role, restore Company Admin, Define Roles, and Assign Roles on at least one role. |
A staff member is missing from Employee Roles | Check that the staff profile is active and belongs to the current company or store context. Archived staff are managed from Staff profiles. |
Changing Job Role did not change access | That is expected. Job Role is a profile label. Assign permissions from Employee Roles instead. |
A new role did not give anyone access | Tick permissions in Role Definition, click Save Changes, then assign the role to employees in Employee Roles. |
A person still cannot access a clinic | Permissions decide what they can do. Clinic membership is separate. Add them to the clinic in Staff locations and assignments. |
A person still cannot be selected for an appointment type | Appointment-type eligibility is separate from permissions. Update the Staff Qualifications table. |
Frequently Asked Questions
Is Role the same as Job Role?
No. Job Role is the label on a staff profile, such as Veterinarian or Reception Staff. A permissions role is an access group used to decide what the person can do in Lupa.
Can one staff member have multiple roles?
Yes. Assign multiple roles when someone covers more than one responsibility. Their access is the combined access from all assigned roles.
Does assigning a role add someone to a clinic?
No. Clinic membership is managed separately in Staff locations and assignments.
Does assigning a role make someone qualified for appointment types?
No. Appointment eligibility is managed in Qualifications and certifications.
What happens if I edit a role that many staff use?
Every staff member with that role receives the updated access after you save the role definition.
Should everyone have Company Admin?
No. Company Admin gives full access. Keep it for trusted administrators who are responsible for company-wide settings and access control.




