Staff, Roles, Permissions & Attendance in Meztezz

A POS is the most powerful screen in your restaurant. It can void a bill, comp a starter, refund a card, edit a menu price, change the GST rate, and unlock the cash drawer — all in a few taps. Which is exactly why “everyone logs in as the owner” is the worst habit a new restaurant can fall into. Within a month you have no idea who cancelled the ₹4,000 dinner bill last Friday, and your books are arguing with the till.

Meztezz’s staff, roles and permissions system fixes this without turning your restaurant into a bureaucracy. Every cashier, waiter, and kitchen staffer gets their own login. Each role only sees the buttons that role is allowed to use. Sensitive actions (voids, refunds, big discounts) ask for a manager PIN. And when the day ends, the Attendance report tells you who was on the floor and for how long — sourced automatically from the same logins, no fingerprint scanner required.

This post walks through every screen involved — Settings → Users, Settings → Roles, Settings → Security, the Quick-Switch flow, the cloud-side Staff report — in plain language, in the order you’d configure them on day one.

💡 Who this is for. A working owner setting up Meztezz for their team, not an IT administrator. If you’ve read Setting Up Meztezz After Install, you’ve already touched §1.6 (Users) and §1.7 (Security) — this post is the deep dive on what those screens actually do.

The Staff & Security Map at a Glance

Five clusters of settings, sitting in three different places. Read top-to-bottom and you’ll be done in under an hour.

Cluster	What you’re setting	Where in the app
1. Roles	The list of job titles in your restaurant and what each one is allowed to do	Settings → Roles
2. Users	An account for every staff member, assigned to a role	Settings → Users
3. Manager PIN & approvals	The PIN that gates voids, refunds, big discounts	Settings → Security
4. App lock, lockout & shifts	Auto-lock timer, lockout-on-failed-login, optional shift tracking	Settings → Security
5. Attendance	Read-only report of who logged in, when, and for how long	More → Reports → Staff (terminal) / `app.meztezz.com → Reports → Staff` (cloud)

1. Roles — Who Can Do What

Open Settings → Roles. Meztezz ships with six predefined roles that cover most restaurants:

Role	Designed for	Default access (high-level)
Owner	You, the restaurant owner	Everything — every screen, every setting, every report. Cannot be deleted.
Manager	Shift managers, floor supervisors	Most operational screens (billing, KDS, tables, reports, menu, inventory, dashboard), can approve voids/refunds, can edit menu items and reopen the day-end. Cannot edit security settings or delete users.
Cashier	The person at the bill counter	Billing, tables, customers; can process cash, card and UPI payments and the cash drawer; can apply discounts within the limit.
Waiter	Floor staff taking orders	Billing and tables. Payment processing is off by default (see the Role Configuration toggle below).
Kitchen	Kitchen cooks reading KOTs	KDS screen only; cannot bill, cannot see prices.
Bar	Bar staff reading KOTs	KDS screen only; same restriction as Kitchen.

The six are deliberately tight. The point is that on day one, a freshly-created Cashier user can ring up a bill and accept cash — but cannot quietly comp a ₹500 starter or edit the menu — without you setting another single switch.

1.1 Looking at a system role

Click any of the six role names and you’ll see the Permission Matrix — every action in Meztezz grouped by category (Screen Access, Order Operations, Payment Operations, Discount Operations, KOT Operations, Menu Operations, Inventory Operations, User Operations, Settings Operations, Report Operations, Customer Operations, Table Operations, Audit Operations, and more). Each row is a permission with a one-line description.

On a system role, the name and description are locked — you can’t rename a system role or change its description. The permissions, though, are editable: an Owner can open a system role and tune its permission matrix. Most owners shouldn’t, because the defaults map cleanly to how a restaurant actually runs — but the option is there. If you need a role that’s different from a system role, the cleaner move is to clone it.

1.2 Creating a custom role

Click Add Role at the top right.

Field	Notes
Clone From (optional)	Pick an existing role to copy permissions from. Saves you ticking 40 checkboxes by hand. The default is “Start from scratch”.
Name	The role title staff will see — e.g. `Supervisor`, `Headwaiter`, `Trainee Cashier`
Description	One line for your own records.
Permissions	A category-by-category checklist. Tick exactly what this role can do.

Realistic examples a restaurant might add:

Supervisor — clone Manager, then turn off manage:reopen_z_report (so they can’t reopen a closed Z-report).
Trainee Cashier — clone Cashier, then turn off payment:refund, discount:apply, and order:void until they’ve earned the privilege.
Bar Cashier — clone Cashier, but ticked only for screens and items that make sense at a bar counter.

💡 One detail that matters. Marking an item as alcohol is driven by its category’s Alcohol flag, not by who’s selling it or which station it routes to. A custom “Bar Cashier” role lets a person bill alcohol; it doesn’t create alcohol items. See GST, VAT & Tax in Plain English § 5 for the alcohol pipeline.

You can edit or delete custom roles later. System roles can never be deleted.

2. Users — Adding Your Team

Open Settings → Users. Each row is one staff member with a Role badge, a green/red active dot, and a few quick action buttons.

2.1 Adding a user

Click Add User.

Field	Notes
Username	Lowercase, no spaces (dots and dashes are fine) — used at the password-login screen. Pick something short and memorable: `priya`, `cashier1`, `john.doe`.
Display Name	The friendly name shown inside the app and printed on the day’s reports.
Role	Pick from the six predefined roles or any custom roles you’ve created.
Password	At least 8 characters, with an uppercase, a lowercase, and a digit. The form blocks weaker ones.
Confirm Password	Has to match the above exactly.
Email	Optional, reference only.
Phone	Optional, reference only.

Hit Save. The user is created and appears in the list immediately.

2.2 Set their PIN (highly recommended)

Most restaurants don’t want their cashier typing an eight-character password every time a different person takes the next bill. Setting a PIN lets a user log in or switch to with 4–6 digits — fast at the counter, still personal to them.

From the user’s row, click Set PIN. The dialog asks for:

PIN (4–6 digits)
Confirm PIN (same again)

Meztezz blocks a number of obvious weak PINs (0000, 1234, 1111, sequences, repeats, etc.) — if your PIN is rejected, just pick a less predictable one. The strength rule applies to the manager PIN in §3 too.

2.3 Resetting a forgotten password

From the user’s row, click Reset Password. You’ll be asked for a new password (twice). The user will be forced to re-login on their next action.

If a user gets locked out (see §4.3), the same screen also has an Unlock Account action — visible only to roles with the user:unlock_account permission (Owner and Manager by default).

2.4 Editing or deactivating a user

The pencil icon edits the user’s display name, role and contact details. The trash icon deactivates the user — it doesn’t delete them. Deactivated users can’t log in, but their historical orders, KOTs, and audit-log entries stay intact and continue to show their name (so old reports keep making sense).

💡 You don’t need a user account per shift slot. Create one user per person, not one per shift. Two cashiers swapping at 4pm both log in as themselves; the shift-tracking feature (§4.4) handles per-shift cash separately.

3. Manager PIN & Approval Gates — `Settings → Security`

This is the single switch that stops a busy cashier from quietly absorbing mistakes into the till.

3.1 Setting the Manager PIN

Open Settings → Security. The first card is Manager PIN. Click Set Manager PIN (or Change Manager PIN if one already exists). Enter a 4–6 digit PIN, confirm it. Same weak-PIN blocklist as user PINs.

Who knows this PIN? You, the owner, and any senior staff you trust to approve voids and refunds in real time. It’s separate from any individual login PIN — it’s a system-wide approval PIN, not tied to a person.

3.2 Which actions require it

Once the Manager PIN is set, three toggles light up further down the page — they’re greyed out until a PIN exists.

Toggle	What it gates
Require PIN for Voids	Voiding an item or an entire order
Require PIN for Refunds	Any refund operation (see Refunds, Cancellations & Edits)
Require PIN for Comp Items	Marking an item as “complimentary”

Turn each on for your restaurant’s policy. Most owners turn on all three.

3.3 The discount threshold

There’s a separate Discount Approval Threshold — a rupee value. Any discount above this amount asks for the Manager PIN at the bill screen. The Security tab shows the currently-set threshold read-only, under Discount Controls, so you can see at a glance what amount triggers an approval.

There’s also a separate Cashier Discount Limit (a percentage) under Settings → Security → Role Configuration — the maximum % discount cashiers can apply without an approval. The two work together: a cashier can apply up to X% without a PIN, and up to Rs. Y without a PIN; cross either ceiling and a manager has to step in.

3.4 Forgot the Manager PIN

If you’ve forgotten it, the Forgot PIN? link on the same screen lets you reset it — owner password is required. Below that, Password Recovery Key lets you regenerate the 24-character recovery passphrase you were shown during install. If you ever forget the owner password itself, that recovery key is the only way back in.

4. App Lock, Lockout & Shifts

Same Settings → Security screen, a little further down. These are the quiet defaults that protect a busy counter at 11pm when nobody is looking at the screen.

4.1 Auto-Lock

Auto-lock after inactivity locks the screen after a set number of minutes of no activity. Options: Disabled / 2 / 5 / 10 / 15 / 30 minutes. A locked screen requires the logged-in user’s PIN to reopen (their login PIN, not the manager PIN). The default is sensible for most counters — pick the shortest you can live with.

Choose whether the login screen on app launch defaults to PIN or Password. PIN is faster for staff who switch through the day; password is appropriate if your terminal is in a back office and shared by fewer people.

4.3 Lockout on Failed Logins

Built in, not a setting you toggle. Five failed login attempts in quick succession lock the user out automatically:

The first lockout is 15 minutes.
Repeat offenders get progressively longer windows — 30, 60, 120 minutes.
After enough consecutive lockouts the account is permanently locked and a manager has to unlock it from Settings → Users → Unlock Account (§2.3).

There’s also a global rate limit that protects the terminal as a whole from a flood of attempts. You don’t configure it; it just does the right thing.

4.4 Shift Management (optional)

Toggle on Enable Shift Management if you want per-shift cash accountability — each staff member opens a shift with an opening cash float on login, and closes it with a closing cash count when they hand off. Orders are tagged with the active shift so you can reconcile per-shift cash variance.

If you leave it off, Meztezz uses day-level cash reconciliation instead, handled at day close (see End-of-Day: Day Close, Z-Report & Cash Reconciliation). Most single-shift outlets are fine with day-level; multi-shift or high-turnover counters benefit from per-shift.

4.5 Role Configuration toggles

Below Shifts is a small but useful Role Configuration block — three flips that fine-tune the predefined roles without writing custom ones:

Waiters Can Process Payments — off by default. Turn it on for casual-dining setups where the same person takes the order and the payment.
Kitchen Can View Inventory — on by default. Handy where the cook is also the storekeeper; turn it off if you’d rather kitchen staff didn’t see stock levels.
Cashier Discount Limit (%) — the percentage ceiling described in §3.3.

These three exist because they’re the toggles owners most often want to tweak; they save you from cloning a whole role just to flip one permission.

5. Day-In-The-Life: How Staff Actually Use It

A worked example. Pretend it’s 11am on a Tuesday.

App launches → login screen shows in the default mode (PIN, say).
Priya the cashier types her 4-digit PIN. She lands on the billing screen because that’s where her role’s screen:billing permission takes her by default. Other tabs (Reports, Settings) aren’t even visible to her.
A guest at Table 7 asks to void the last starter. Priya hits Void — the terminal asks for Manager PIN. She calls Rakesh over; he types it. The item is voided and a row appears in the audit log: who voided, what, when, and approved by whom.
Lunch rush ends, Priya goes on break. She doesn’t log out — she just walks away. After 5 minutes the screen auto-locks. The terminal is safe.
3pm shift change. Anil takes over. From the locked screen Anil hits Quick Switch User, picks his name, types his PIN — he’s in. Priya’s session is gone.
Anil mis-types his PIN five times while distracted. The terminal locks his account for 15 minutes. He fetches his manager, who unlocks it via Settings → Users and reminds him to use his actual PIN.
End of day. The day is closed, the Z-report prints, and the attendance numbers (next section) update with each person’s hours.

That’s the whole rhythm. No fingerprint scanner, no biometric clock-in — your logins are the attendance system.

6. Attendance — The Quiet Side-Effect

Every time anyone logs in (or switches in via PIN), Meztezz starts a session. Every action they take extends it. When they log out (or auto-lock + don’t return), the session ends. Roll up a week of those sessions and you have an attendance log.

6.1 On the terminal

More → Reports → Staff (assuming the user has report:staff or report:full permission — usually Owners and Managers). The Staff report shows, per person, their session count, hours logged, days active, first login, and last activity for the selected period.

6.2 On the cloud dashboard

app.meztezz.com → Reports → Staff has the same data plus four sub-tabs:

Leaderboard — top-performing staff by orders / revenue / tip.
Attendance — the same view as the terminal but rolled up across outlets if you run a chain.
Auth Log — every login, logout and PIN failure with timestamps. Useful when investigating “who voided that bill at 11:47pm”.
Compare — pick two staff members and put their numbers side by side.

The KPI cards above the table give you the headline at a glance: Active Staff, Total Sessions, Total Hours, Avg Hours/Staff. If nothing shows up, the “Attendance requires a recent terminal version” empty state tells you the outlet’s terminal predates the attendance sync — update it and the data will start flowing.

6.3 What the numbers really mean

Three things worth understanding so you don’t read them wrong:

Sessions is a count of logins, not of shifts. A cashier who quick-switches in and out three times in a busy hour racks up three sessions.
Hours Logged is wall-clock time between login and last activity — not a payroll-grade clock-in. A user who logs in, walks away, and gets auto-locked an hour later will still log that hour. For exact wages, cross-reference against Shift Management (§4.4) or an external attendance system.
Days Active counts distinct calendar dates the user had at least one session — handy for “how many days did Priya work this month”.

💡 Attendance is not payroll. It’s accurate enough to settle “who was here on Friday night” arguments and to flag patterns (“Anil only worked three days last week”), but it doesn’t replace a formal HR system. Most owners use it for staffing decisions and incident investigations, not for salary calculation.

7. Audit Log — The Who/What/When Trail

Every sensitive action — voids, refunds, comp items, role changes, settings changes, password resets — writes a row to the audit log automatically. Users with audit:view permission (Owner by default; you can grant it to Manager) read it at More → Audit Log on the terminal or app.meztezz.com → Audit on the cloud.

A typical row says: “2026-05-31 21:14, Rakesh (Manager) voided 1 item on Order #2031, approved by Owner PIN”. That’s the level of detail you want when reconciling on a Monday morning.

The audit log can’t be edited from the app — by design. If someone could quietly delete their own void from the log, the log would be worthless.

8. What Meztezz Doesn’t Do Yet

Honest list. If you need any of these, you’ll need a workaround outside the app for now.

Biometric or RFID clock-in. Logins are the attendance source. We don’t integrate with fingerprint scanners or face-recognition terminals today.
Schedule / roster management. Meztezz tells you who showed up; it doesn’t tell anyone to show up. Use your existing scheduling tool and let Meztezz be the actuals.
Payroll calculation. Attendance and shifts give you hours; the multiplication is yours.
Per-role data scoping beyond what permissions provide. E.g. “Manager A can only see Outlet 1’s reports” is partially supported via outlet-scoped users on the cloud, but per-role outlet filtering is a coarser cut today.
Two-factor authentication (2FA). Today’s logins are password / PIN. SMS or authenticator-app 2FA isn’t shipped yet.
Cloud-side role editing. Roles and permissions are edited on the terminal — the cloud Staff reports are read-only views of the data.

If any of these are blockers, mail us — knowing which ones owners hit is how we prioritise.

9. A Five-Minute Sanity Check Before Going Live

Run this once, the first week.

Create a real Cashier user, give them a PIN, and log in as them. Confirm they see only billing, tables, customers — no Settings, no Reports.
Try to void an item. It should ask for Manager PIN.
Try to apply a large discount (above your threshold). It should ask for Manager PIN.
Mistype the PIN five times as a fake user (create a throwaway one for this). The account should lock and tell you how long for.
Unlock it from Settings → Users.
Walk away for the auto-lock duration. The screen should lock; your PIN should unlock it.
Open the Staff report. The session you just generated should be there, with the right name and role.
Open the Audit Log. The void you just did should be on the first line with the correct user names and timestamp.

If anything didn’t behave that way, the fix is almost always in Settings → Roles (permission missing or extra) or Settings → Security (a toggle off that should be on).

A Few Habits That Save Money

A short list, pinned because owners we’ve talked to wish they’d done these on day one.

Set the Manager PIN before the first shift. Without it, the void/refund/comp gates are off, and any cashier can make those decisions on their own. Five minutes you’ll thank yourself for.
Give every person their own login. Even your spouse. Even the partner who comes in once a week. Shared logins make the audit log lie.
Never share the recovery key. It’s the master key to the whole system. Take a photo, store it somewhere safe (a password manager), and treat it like a passport.
Read the Staff report once a week. Patterns like “this cashier logged in for only 2.5 hours all week” or “all the voids on Saturday came from the same shift” jump out fast.

Stuck? We’re Here to Help

If anything isn’t behaving the way this post describes — a permission that doesn’t seem to gate what you’d expect, a PIN that won’t set, a staff member whose hours look wildly off, the cloud Staff tab stuck on the “recent terminal version” empty state — drop us a line at bazimat@gmail.com or contact us. Tell us which screen, which user, and what you expected vs. what you saw. We’ll usually have you sorted in a single back-and-forth.

Roles, permissions and attendance are the unglamorous plumbing of a restaurant POS — but they’re what turns a powerful machine into a safe one. An afternoon of setup here is the cheapest insurance your kitchen will ever buy.