Overview
Security groups are the main way to control what users can see and do in QBM. Instead of setting every permission on every user one by one, you create a group, define its rights, and then assign users to that group.
Main purposeControl access by job role
Typical examplesSales, cashier, accounts, inventory, manager
Important ruleEach user can belong to one group only
Important: A user cannot belong to multiple groups at the same time. If a user is already assigned to one group, they must be removed from that group before they can be added to another.
Before You Start
Tab Path: Security > User Groups List
Before creating or changing groups, decide what each team actually needs in daily work. A clean setup is easier to manage than a long list of special exceptions.
- Create groups by role, not by person.
- Keep powerful rights only for trusted users.
- Test a new group with one user before assigning it widely.
- Keep inactive groups instead of deleting them when you may need them again later.
How Security Works
QBM security is layered. The group controls access to screens, transactions, master records, miscellaneous features, user-interface areas, and external applications.
| Layer | What It Controls |
|---|---|
| Forms | Whether the user can open a screen, work with it fully, open it read-only, and print from it. |
| Transactions | Whether the user can view, create, edit, delete, or print daily documents such as invoices, receipts, payments, and similar transactions. |
| Entities | Whether the user can work with lists and master records such as customers, vendors, items, employees, and accounts. |
| Misc | Access to supporting features and utilities that do not fit in the main transaction or entity areas. |
| User Interface | Access to sections of the QBM interface and navigation areas. |
| Applications | Whether the group can use linked applications, and whether that access applies to all locations or all employees. |
Edition note: Some permission tabs or features appear only when they are available in your QBM edition. For example, advanced security and some modules may show more detailed rights than basic editions.
Enum Families Used By Security Groups
You do not need to know the internal enum names to assign security in QBM, but support teams and administrators may see these names in technical notes or development discussions. The table below matches those internal families to the business meaning you see on screen.
| Internal Family | How QBM Uses It | Business Meaning |
|---|---|---|
| SecurityObjectTypes | Controls the main security tab type, such as Forms, Transactions, Entities, User Interface, Miscellaneous, and Application. | This is the broad security layer you are editing. |
| AccessRights | Uses values such as No Access, Full Access, Read Only Access, and Partial Access. | This defines how much control the group has over each row. |
| SecuritySubGroups | Organizes permissions under headings such as Company, Customers, Vendors, Inventory, Accounts, Employees, Utilities, POS, Approvals, and Activities. | This is how QBM keeps the permission tree readable and grouped by business area. |
| TransactionSecurityMembers | Supplies the rows in the Transactions tab, for example SalesInvoice, SalesReceipt, ReceivePayment, PurchaseInvoice, PayBills, BankDeposit, and TransferItems. | Each row represents a daily transaction or document users may create, view, edit, delete, or print. |
| EntitySecurityMembers | Supplies the rows in the Entities tab, for example Customer, Vendor, Product, Employee, Account, Location, User, and SecurityGroup. | Each row represents a master record, setup list, or core business file. |
| MiscSecurityMembers | Supplies the rows in the Misc tab, such as discounts, changing prices, POS controls, approvals, reminders, quick search, print, email, and company-wide control switches. | These are the operational permissions that do not fit neatly under one screen or one transaction type. |
| User Interface security | Controls menus, menu items, and centers such as Customer Center, Vendor Center, Inventory Center, Account Center, Company Center, and Report Center. | This decides which navigation areas the user can see and open. |
Helpful tip: The names users see in QBM are usually friendlier than the internal enum names. For example, a technical name such as GiveSalesDiscount appears on screen as a normal business permission such as Give Discount.
User Groups List
Tab Path: Security > User Groups List
The User Groups List is the starting point for managing groups. It shows existing groups and allows you to open, create, copy, delete, export, and import them.
| Action | What It Does |
|---|---|
| New | Creates a new group from the beginning. |
| Open | Opens the selected group so you can review or change its settings. |
| Copy Group | Copies an existing group and its rights, which is useful when a new role is very similar to an existing one. |
| Delete | Deletes the selected group if you have permission and no business reason to keep it. |
| Export | Saves the selected group to an XML file for backup, transport, or reuse. |
| Import | Loads a previously exported group from XML. |
| Inactive | Shows or hides inactive groups in the list. |
Group Details
Tab Path: Security > User Groups List > Open Group
The Group Details screen has a main group header and then tabs for permissions and users.
| Field | Meaning |
|---|---|
| Name | The group name shown in QBM. Use a clear business name such as Sales Users, Accounts Team, or POS Cashiers. |
| Description | A short explanation of the group’s purpose. |
| Note | Internal notes about how the group should be used, special limits, or approval instructions. |
| Inactive | Makes the group inactive so it is no longer used for new assignments while still keeping its setup for history or future reference. |
| Maximum discount percentage allowed to give | Limits how much manual discount members of this group can give. This is useful for protecting margins and approval policies. |
| Maximum document size allowed for attachments | Controls the largest attachment size users in this group can add to documents. |
Permission Tabs
The Permissions tab is divided into several sub-tabs. Each one controls a different type of access.
Forms
Use this tab to control access to QBM screens and reports.
| Permission | What It Means |
|---|---|
| No Access | The user cannot open the form. |
| Full Access | The user can open the form and use it normally. |
| Read Only | The user can open the form but should not be able to save changes. |
| The user can print from the form when printing is available. |
Transactions
Use this tab for daily business documents such as invoices, receipts, payments, and operational entries.
| Permission | What It Means |
|---|---|
| No Access | The transaction is not available. |
| Full Access | The user has all available rights for that transaction. |
| View | The user can open existing records and review them. |
| Create | The user can create new documents. |
| Edit | The user can change existing documents. |
| Delete | The user can remove documents where deletion is allowed. |
| The user can print those documents. |
Entities
Use this tab for master records such as customers, vendors, items, employees, accounts, and other setup lists.
| Permission | What It Means |
|---|---|
| No Access | The list or record is hidden or unavailable. |
| Full Access | The user has all available rights for that entity. |
| View | The user can review records. |
| Create | The user can add new master records. |
| Edit | The user can change existing records. |
| Delete | The user can delete records where that is permitted. |
| The user can print related lists or forms. |
Misc
This tab controls supporting functions and utilities. The column is simply Access. If it is ticked, the group can use that feature. See the detailed Misc Permission Reference below for the internal names and plain-language meanings used by QBM.
User Interface
This tab also uses an Access column. It controls whether the group can use specific parts of the QBM interface or navigation structure.
Use care with Full Access: Full access is convenient, but it gives very broad control. In most cases, it is better to assign only the specific rights the role needs.
Misc Permission Reference
Tab Path: Security > User Groups List > Open Group > Permissions > Misc
The Misc tab is built from the internal MiscSecurityMembers list in QBM. These permissions are especially important because they affect pricing, approvals, reminders, navigation, POS behavior, and company-wide controls.
What users will notice: some Misc permissions appear only when a related module or edition feature is active, such as Multi Currency, Fixed Assets, Approvals, Activities, or some advanced employee controls.
Utilities
| Reference Name | What It Means In QBM |
|---|---|
| ExportData | Allows the user to export information from QBM to a file or another supported output. |
| ImportData | Allows the user to bring approved data into QBM from an external source. |
| Allows printing from supported screens and reports. | |
| Allows documents, reports, or outputs to be sent by email from QBM. | |
| SendDataToFile | Allows sending document or report output to a file, such as PDF or another supported format. |
| Backup | Allows the user to run the database backup process. |
| QuickSearch | Allows the user to use QBM quick search tools. |
| ExportDataToFTP | Allows exported data to be sent to an FTP destination when that process is used. |
| BrowseWeb | Allows the user to open supported web links from inside QBM. |
Company
| Reference Name | What It Means In QBM |
|---|---|
| Delete | Allows deletion of transactions and master records where deletion is otherwise permitted. |
| Edit | Allows users to change existing records more broadly instead of only viewing them. |
| DeleteActivityLog | Allows activity log entries to be removed. |
| SetupCustomFields | Allows setup of user-defined fields and similar custom field structures. |
| ViewItemsCostPrice | Allows users to see item cost prices. |
| ViewProfits | Allows users to see profit or margin information. |
| ChangePrintTemplateDetails | Allows editing of print template details and layout-related settings. |
| LoadPrintTemlates | Allows print templates to be loaded or imported into QBM. |
| AddADocumentToPrintTemplate | Allows an extra document to be attached to a print template output. |
| CompanySnapshot | Allows access to the company snapshot or high-level summary view. |
| HomepagePro | Allows use of the professional home page style. |
| HomepageStandard | Allows use of the standard home page style. |
| CalendarHomePage | Allows the calendar area to appear on the home page. |
| DocumentsHomePage | Allows the documents area to appear on the home page. |
| ActivitiesHomePage | Allows the activities area to appear on the home page. |
| ViewItemLastSales | Allows the user to see the last sales information for an item. |
| ViewItemLastPurchase | Allows the user to see the last purchase information for an item. |
| ChangeCompanySettings | Allows changes to sensitive company-wide settings. |
| CanModifyAccountsInCustomerTransctions | Allows account changes on customer transactions, such as changing the posting account on sales-related documents. |
| CanModifyAccountsInVendorTransctions | Allows account changes on vendor transactions, such as bills and purchase-related documents. |
| ViewCheckInfo | Allows the user to see check or checkbook details. |
| CanCloseFiscalYears | Allows fiscal years or periods to be closed. |
| ViewPayslip | Allows users to open and view payslips. |
| CanDepositFundsIntoAccounts | Allows the user to use deposit functions that move funds into accounts. |
| IsNextAndPreviousButtonsEnabled | Allows next and previous record navigation buttons to be used. |
| CanViewLineItemsInTransactionsList | Allows line-item details to be viewed from transaction list screens. |
| CanUseQuickAddToCreateEntities | Allows quick-add buttons to create records such as customers, vendors, or other entities without leaving the current screen. |
| CanViewOwnContactsOnly | Limits contact visibility to the user's own contacts when that feature is enabled for the company. |
| CanClockOtherUsers | Allows one user to clock in or clock out other users when advanced employee controls are active. |
Transactions And Entities
| Reference Name | What It Means In QBM |
|---|---|
| MultiCurrency | Allows multi-currency work where that feature is available in the company edition. |
| ChangeEntityNames | Allows names of master records, such as customers or vendors, to be changed. |
| ChangeDocumentNumber | Allows users to manually change transaction numbers. |
| ChangeDocumentDate | Allows users to change transaction dates. |
| DuplicateDocumentNumber | Allows saving a document even if its number duplicates another document number. |
| EmptyDocumentNumber | Allows a document to be saved without a transaction number. |
| ChangeDocumentsEmployeeID | Allows the employee or owner linked to a transaction to be changed. |
| ChangeLocations | Allows the location on a transaction to be changed. |
| ChangeDocumentsDueDate | Allows due dates on transactions to be changed. |
| AllowChangesToNonCurrentTransactions | Allows changes to transactions that are outside the current working period. |
Sales
| Reference Name | What It Means In QBM |
|---|---|
| SellOverCustomerCreditLimit | Allows sales to continue even when the customer is over the approved credit limit. |
| SellBelowItemCost | Allows an item to be sold below its cost price. |
| GiveSalesDiscount | Allows manual sales discounts, subject to any maximum discount setting on the group. |
| SellOnQuantityShortage | Allows selling even when available quantity is short. |
| ChangeItemSalesPrice | Allows the sales price on a document line to be changed manually. |
| SellBelowMinSalesPrice | Allows sales below the item's minimum allowed sales price. |
| ChangeUnitPriceInPOS | Allows the unit price to be changed in POS. |
| ChangeUOMInPOS | Allows the unit of measure to be changed in POS. |
| SalesItemDescriptionEnabled | Allows the item description on sales lines to be changed. |
| CanViewCustomerBalance | Allows users to see customer balance information while working on sales. |
| CanViewOwnSalesTransactionsOnly | Limits users to viewing only the sales transactions that belong to them when that feature is active. |
POS
| Reference Name | What It Means In QBM |
|---|---|
| RefundItemsInPOSSalesReceipt | Allows item refunds or return actions from a POS sales receipt. |
| POSItemDescriptionEnabled | Allows item descriptions to be changed in POS. |
| POSCanViewAllUserReports | Allows the user to view POS reports for all users, not only their own. |
| POSSellOnQuantityShortage | Allows POS sales to continue when item quantity is short. |
| POSCanSellOnCredit | Allows credit sales in POS. |
| POSCanEnterOpeningBatchTotal | Allows entry of the opening total when starting a POS batch or shift. |
| POSCanCloseBatch | Allows the POS batch or shift to be closed. |
| POSCanViewXReport | Allows viewing the POS X report. |
| POSCanViewZReport | Allows viewing the POS Z report. |
| POSCanCancelTransactions | Allows POS transactions to be canceled. |
| POSCanRemoveAddedItems | Allows line items already added to the POS ticket to be removed. |
| OpenDrawerInPOS | Allows the cash drawer to be opened from POS. |
| CtrlPlusPrintingEnabled | Allows printing from POS by using the keyboard shortcut for quick receipt printing. |
| CanChangeQuantity | Allows item quantity to be changed in POS. |
| ReduceQuantityFromItemDefaultLocation | Forces POS quantity reduction to use the item's default location. |
Reminders
| Reference Name | What It Means In QBM |
|---|---|
| OverdueInvoicesReminder | Shows reminders for overdue customer invoices. |
| OverdueBillsReminder | Shows reminders for overdue vendor bills. |
| ReceivedChecksReminder | Shows reminders for received checks that still need attention. |
| PaidChecksReminder | Shows reminders for paid checks that still need attention. |
| InventoryToReorderReminder | Shows reminders for items that should be reordered. |
| EmployeesToPayReminder | Shows reminders for employees due to be paid. |
| EmployeeDocumentsReminder | Shows reminders for employee documents that are expiring or need renewal. |
| ProductLotsExpirationReminder | Shows reminders for item lots nearing expiry. |
Fixed Assets
| Reference Name | What It Means In QBM |
|---|---|
| FixedAssetRecording | Allows fixed assets to be recorded in QBM. |
| FixedAssetDepreciation | Allows fixed asset depreciation processing. |
| FixedAssetDisposal | Allows disposal transactions for fixed assets. |
Approvals
| Reference Name | What It Means In QBM |
|---|---|
| CanApproveItemTransfers | Allows item transfers to be approved. |
| CanApproveSalesInquiries | Allows sales inquiries to be approved. |
| CanApproveSalesQuotes | Allows sales quotes to be approved. |
| CanApproveSalesOrders | Allows sales orders to be approved. |
| CanPrintIfNotApproved | Allows printing even when the document has not yet been approved. |
| CanApprovePurchaseInquiries | Allows purchase inquiries to be approved. |
| CanApprovePurchaseOrders | Allows purchase orders to be approved. |
| CanApprovePurchaseQuotes | Allows purchase quotes to be approved. |
| CanApprovePurchaseBills | Allows purchase bills to be approved. |
| CanApproveSalesInvoices | Allows sales invoices to be approved. |
| CanApprovePurchaseReturns | Allows purchase return documents to be approved. |
| CanApproveSalesReturns | Allows sales return or refund documents to be approved. |
Activities
| Reference Name | What It Means In QBM |
|---|---|
| OpenSalesOrders | Shows open sales orders in the activities area. |
| OpenSalesQuotes | Shows open sales quotes in the activities area. |
| OpenSalesInquiries | Shows open sales inquiries in the activities area. |
| NotApprovedSalesInquiries | Shows sales inquiries that are still waiting for approval. |
| NotApprovedSalesInvoices | Shows sales invoices that are still waiting for approval. |
| NotApprovedSalesOrders | Shows sales orders that are still waiting for approval. |
| NotApprovedSalesQuotes | Shows sales quotes that are still waiting for approval. |
| NotApprovedSalesReturns | Shows sales refunds or returns that are still waiting for approval. |
| OpenPurchaseOrders | Shows open purchase orders in the activities area. |
| OpenPuchaseQuotes | Shows open purchase quotes in the activities area. |
| NotDeliveredSalesInvoices | Shows sales invoices with outstanding delivery status. |
| OpenJobs | Shows open jobs or projects in the activities area. |
| PendingDeliveryNotes | Shows pending delivery notes in the activities area. |
| DeliveredNotInvoiced | Shows delivered documents that have not yet been invoiced. |
| OpenMaterialRequisitions | Shows open material requisitions in the activities area. |
| OpenPurchaseInquiries | Shows open purchase inquiries in the activities area. |
| NotApprovedInventoryTransfers | Shows inventory transfers that are still waiting for approval. |
| NotApprovedPurchaseBills | Shows purchase bills that are still waiting for approval. |
| NotApprovedPurchaseInquiries | Shows purchase inquiries that are still waiting for approval. |
| NotApprovedPurchaseOrders | Shows purchase orders that are still waiting for approval. |
| NotApprovedPurchaseQuotes | Shows purchase quotes that are still waiting for approval. |
| NotApprovedPurchaseReturns | Shows purchase returns that are still waiting for approval. |
Applications Tab
Tab Path: Security > User Groups List > Open Group > Permissions > Applications
The Applications tab controls access to linked or external applications listed for QBM.
| Column | Meaning |
|---|---|
| Name | The application name. |
| Description | A short explanation of the application. |
| Allow | Lets the group use that application. |
| All Locations | Applies the application access to all locations instead of a restricted location scope. |
| All Employees | Applies the application access to all employees instead of a restricted employee scope. |
Users Tab
Tab Path: Security > User Groups List > Open Group > Users
The Users tab shows which users belong to the group and allows you to add or remove users.
- Add Users: opens a selection window so you can assign users to the group.
- Remove User: removes the selected user from the group.
- Important: if a selected user already belongs to another group, QBM will warn that one or more users could not be added because they are already assigned elsewhere.
Best Practice
- Create a small number of clear role-based groups, such as cashier, sales, purchasing, inventory, and management.
- Copy an existing group when a new role is similar, then adjust only the differences.
- Use specific rights instead of Full Access wherever possible.
- Keep a separate high-control group only for trusted finance or management users.
- Review inactive groups and unused permissions from time to time.
Security note: The highest level of protected security administration is reserved for the special administrator account sa. Use that account carefully and only when needed.