Retail & POS · January 15, 2026 · 8 min read

POS user permissions: role-based access for cashiers

A part-time cashier should not be able to apply a 50% discount, void yesterday's sale, or print last month's Z-report. If your POS does not enforce that, your margins are bleeding and you cannot prove who did what. Permissions are the cheapest fraud control you have.

The four roles every retail POS needs.

Most retailers overcomplicate roles. You need four: Cashier, Senior Cashier, Branch Manager, and Owner. Anything more granular is theater. Anything less and you are forcing a 19-year-old to either be helpless or to be an admin.

A Cashier rings sales, takes payment, prints receipts, and does small refunds. A Senior Cashier covers shift handover and small voids. A Branch Manager handles discounts above threshold, returns without receipt, and end-of-day. The Owner role is for you and your accountant.

Cashier: Sales + tiny refunds · Senior Cashier: + handover + voids · Branch Manager: + discounts + EOD · Owner: + COA + tax setup
Four roles cover 99% of retail. Five+ roles is theater. Three or fewer is a 50% discount waiting to happen.

What cashiers should never be able to do.

Cashiers should not be able to delete transactions, change prices, apply percentage discounts above a small threshold, refund without manager PIN, or view sales reports for other cashiers. Every one of those, given casually, is a vector for shrinkage.

A common chain-retail story: the owner trusted a senior cashier with full access for years. When the cashier left, an audit found over £8,000 in refunds processed to a personal card. The fix is not to never trust cashiers — it is to make trust irrelevant by removing the capability.

No delete txn: Only void with approval · No price override: Manager PIN gate · No refund > £30: Manager PIN gate · No other-cashier reports: Branch-scoped only · No stock adjust: Inventory blocked
Five capability gates that make trust irrelevant. The £8k refund-to-personal-card story stops happening when these are off.
  • No delete on completed transactions, ever — only void with manager approval
  • No price overrides without a manager PIN
  • No refunds over £30 without a manager PIN
  • No access to other cashiers' shift reports
  • No access to inventory adjustments

Manager PIN vs manager login.

A manager PIN is a four-to-six digit code the cashier types at the terminal when they hit a permission gate. A manager login is a full session switch where the manager types their password. Use PINs for fast in-line approvals, logins for back-office work.

PINs need to be rotated when staff leave, which 80% of retailers forget to do. Nonari prompts you on every termination to rotate the affected PINs. If your system does not, set a calendar reminder for the first of every month.

Branch-scoped vs global permissions.

A cashier hired for the Manchester branch should not be able to log into the Birmingham terminal. That is branch scoping, and most cheap POS systems do not enforce it. They check role, not branch.

In Nonari every staff account has an explicit branch list. A Cashier role with access to Manchester-Trafford cannot ring sales in Birmingham-Bullring even if they share the role. The permission matrix at /settings/permissions is the single source of truth — everything flows from there.

Time-of-day and shift restrictions.

A cashier scheduled for the morning shift should not be able to log in at midnight. A retail POS that allows after-hours logins is a POS that allowed the cleaning crew to do £1,200 in fake refunds last December. Yes, this happens.

Shift restrictions are not common in mid-tier POS, but they are worth asking about. At minimum, your system should log every login attempt with timestamp and IP so you can review unusual patterns weekly.
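
The weekly login review described above can be scripted. This is an added example, not Nonari code: the log line format, the schedule table, the 30-minute grace window and the sample lines are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, time, timedelta

# Assumed log format (constructed for this example, not a real POS export).
LINE = re.compile(r"^(?P<ts>\S+) staff=(?P<staff>\S+) terminal=(?P<terminal>\S+) "
                  r"ip=(?P<ip>\S+) result=(?P<result>ok|fail)$")
GRACE = timedelta(minutes=30)  # assumed allowance around shift start and end

# Constructed schedule: staff id -> (shift start, shift end).
SCHEDULE = {"c-101": (time(8, 0), time(14, 0)), "c-102": (time(14, 0), time(22, 0))}

# Constructed sample lines.
SAMPLE_LOG = [
    "2025-12-14T08:03:11 staff=c-101 terminal=T1 ip=10.0.4.21 result=ok",
    "2025-12-14T23:52:10 staff=c-101 terminal=T3 ip=10.0.4.23 result=ok",
    "2025-12-15T00:05:42 staff=c-999 terminal=T3 ip=10.0.4.23 result=fail",
    "2025-12-15T14:20:00 staff=c-102 terminal=T2 ip=10.0.4.22 result=ok",
]

def in_shift(ts, start, end):
    """True if ts falls inside the shift, including shifts that cross midnight."""
    for day in (ts.date() - timedelta(days=1), ts.date()):
        begin = datetime.combine(day, start) - GRACE
        finish = datetime.combine(day, end) + GRACE
        if end <= start:                      # overnight shift ends the next day
            finish += timedelta(days=1)
        if begin <= ts <= finish:
            return True
    return False

def flag_logins(lines, schedule):
    """Return (timestamp, staff, ip, reason) for every attempt worth reviewing."""
    flagged = []
    for line in lines:
        m = LINE.match(line.strip())
        try:
            ts = datetime.fromisoformat(m["ts"])
        except (TypeError, ValueError):       # no regex match, or a bad timestamp
            flagged.append((line, None, None, "unparsed line"))
            continue
        shift = schedule.get(m["staff"])
        if shift is None:
            reason = "no schedule for staff"  # unknown or deactivated account
        elif not in_shift(ts, *shift):
            reason = "outside scheduled shift"
        else:
            continue
        flagged.append((m["ts"], m["staff"], m["ip"], reason))
    return flagged
```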

The discount permission that catches everyone.

Cashiers love discounts because customers love discounts and a happy customer is a fast queue. The problem is that a 10% discount on every sale costs you 10% of margin, which on retail margins is most of your profit. Cap discounts at £2 or 5% per cashier, whichever is lower.

Anything above goes to a manager. Yes it slows the queue. That is the point — discounts should be slightly inconvenient so they get used only when they should. Track discount totals per cashier weekly and the conversation writes itself.
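
The capability gates, branch scoping and discount cap described above fit in one deny-by-default check. This is an added example, not Nonari's implementation: the action names, the `manager_approved` flag (meaning a manager PIN was already verified at the terminal) and the rule that inventory adjustments need Branch Manager or above are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

MANAGER_ROLES = {"branch_manager", "owner"}
REFUND_PIN_THRESHOLD = Decimal("30.00")   # refunds over £30 need a manager PIN
DISCOUNT_CAP_ABS = Decimal("2.00")        # cap is £2 or 5%, whichever is lower
DISCOUNT_CAP_PCT = Decimal("0.05")

@dataclass(frozen=True)
class Staff:
    staff_id: str
    role: str              # cashier, senior_cashier, branch_manager or owner
    branches: frozenset    # explicit branch list, checked on every request
    active: bool = True

def authorize(staff, action, branch, amount=Decimal("0"),
              sale_total=Decimal("0"), manager_approved=False):
    """Return (allowed, reason). Role alone is never enough: branch comes first."""
    if not staff.active:
        return False, "account deactivated"
    if branch not in staff.branches:
        return False, "branch not in staff branch list"
    pin_ok = staff.role in MANAGER_ROLES or manager_approved
    if action == "sale":
        return True, "ok"
    if action == "refund":
        if amount <= REFUND_PIN_THRESHOLD or pin_ok:
            return True, "ok"
        return False, "manager PIN required: refund over threshold"
    if action == "discount":
        cap = min(DISCOUNT_CAP_ABS, sale_total * DISCOUNT_CAP_PCT)
        if amount <= cap or pin_ok:
            return True, "ok"
        return False, "manager PIN required: discount over cap"
    if action == "price_override":
        if pin_ok:
            return True, "ok"
        return False, "manager PIN required: price override"
    if action == "inventory_adjust":
        # A PIN does not unlock this one; the role itself must allow it.
        if staff.role in MANAGER_ROLES:
            return True, "ok"
        return False, "role not permitted"
    # There is deliberately no delete action: anything unlisted is denied.
    return False, "unknown action"
```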

Auditing who did what.

Permissions only matter if you can audit them. Every void, refund, discount, and price override should write a row to an audit log with cashier ID, manager who approved (if any), timestamp, terminal, and amount. That log should be immutable and exportable.

When something goes wrong, you do not want to be reading printed receipts. You want a CSV with every override in the last 30 days that you can sort by cashier and amount. Pull that report monthly as a standing review item.
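
One way to get a log that is tamper-evident and exportable, shown as an added example rather than Nonari's code: each row carries the fields listed above and is hash-chained to the row before it, and the export is the CSV sorted by cashier and amount. The hash chain is a technique chosen here for illustration; the `action` column, field names and sample rows are constructed.

```python
import csv, hashlib, io, json
from decimal import Decimal

FIELDS = ["ts", "action", "cashier_id", "manager_id", "terminal", "amount"]
GENESIS = "0" * 64

def _digest(prev_hash, row):
    # Canonical JSON so the same row always produces the same hash.
    payload = json.dumps(row, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

class AuditLog:
    """Append-only log: each entry's hash covers the row and the previous hash."""
    def __init__(self):
        self._entries = []  # (row, hash) pairs in write order

    def append(self, **row):
        row = {f: row[f] for f in FIELDS}   # KeyError if a required field is missing
        prev = self._entries[-1][1] if self._entries else GENESIS
        self._entries.append((row, _digest(prev, row)))

    def verify(self):
        """Index of the first entry that fails the chain, or None if intact."""
        prev = GENESIS
        for i, (row, stored) in enumerate(self._entries):
            if _digest(prev, row) != stored:
                return i
            prev = stored
        return None

    def export_csv(self):
        """All rows as CSV, sorted by cashier, then largest amount first."""
        rows = sorted((r for r, _ in self._entries),
                      key=lambda r: (r["cashier_id"], -Decimal(r["amount"])))
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
        writer.writeheader()
        writer.writerows(rows)
        return buf.getvalue()

SAMPLE = [  # constructed rows; manager_id is None when nobody approved
    ("2026-01-10T09:14:00Z", "refund", "c-102", "m-01", "T2", "45.00"),
    ("2026-01-10T10:02:00Z", "discount", "c-101", None, "T1", "1.50"),
    ("2026-01-10T11:40:00Z", "void", "c-101", "m-01", "T1", "12.99"),
]

def sample_log():
    log = AuditLog()
    for values in SAMPLE:
        log.append(**dict(zip(FIELDS, values)))
    return log
```

The chain makes an edited or removed row detectable, not impossible; keeping a copy of the latest hash somewhere the terminal cannot write is what lets a reviewer notice a log that was rebuilt from scratch.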

Onboarding and offboarding the right way.

New cashier hired Monday: create the account before they show up, assign role and branch, print a one-page card showing what they can and cannot do. Old cashier leaves Friday: deactivate the account before they walk out the door, rotate the manager PIN if they had it, change the back-office WiFi password if they used it.

A surprising number of retailers leave deactivated accounts in the system because deactivating feels permanent. Deactivate, do not delete. The audit trail stays intact and a returning seasonal worker can be reactivated in seconds.

Frequently asked

Common questions.

Can two cashiers use the same account at one terminal?

No, never. If two people share a login, you cannot tell who rang which sale, and your variance accountability is gone. Even at small shops where it feels easier, give each cashier their own account. Switching takes three seconds and saves hours of forensic work later.

Should the owner have a different role than the manager?

Yes. Owner role can change tax rates, modify the chart of accounts, and delete data. Manager role cannot. Even if you are the owner, log in as Manager for daily work and switch to Owner only for setup tasks. It saves you from typo disasters.

How often should I rotate the manager PIN?

When any manager leaves, immediately. Otherwise every 90 days at minimum. Use a four-digit PIN that nobody can shoulder-surf at the terminal. Avoid 1234, year of birth, or anything written on the terminal. Yes, people write the PIN on a sticky note. That is also the joke.

Can I see what a cashier did on a specific day?

You should be able to. Look for a per-cashier activity report or audit trail filtered by date and user. Every transaction, void, refund, login, and logout should appear with timestamps. If your POS does not give you this, you cannot do real shrinkage investigation.
