Seller is the tenant. Everything else is a child.
Robnu's tenancy model is a four-level tree — Org → Seller → SellerUser → MarketplaceAccount. Seller is the unit of business; SellerUser is each teammate; MarketplaceAccount is each connection. Multi-account is free, super-admin impersonation is built in.
- Org is Robnu itself; Seller is your business; SellerUser is each human teammate.
- RBAC is OWNER | ADMIN | OPERATOR | FINANCE | VIEWER — five roles, real permissions.
- ImpersonationSession lets Robnu staff support you with a full audit trail.
What you get.
Seller is the unit
Plans, billing, suspension, impersonation, and audit all happen at the Seller level. SellerUser is the teammate; promoting a user from VIEWER to ADMIN is one row change inside your tenant.
Multi-account, multi-marketplace
One Seller can run two AJIO POBs, one Meesho, two Amazon accounts. The unique constraint is (seller_id, marketplace_id, external_account_id). No code changes; multi-account is the product.
Super-admin with audit
When Robnu staff supports you, they act through ImpersonationSession. Every audited write captures actor_super_admin_id + impersonation_session_id alongside the seller_id. The trail is yours, not ours.
PII columns are encrypted with your seller's DEK.
Order.customer_name_enc, customer_phone_enc, customer_email_enc, address_enc are stored encrypted using a per-seller Data Encryption Key (DEK). The DEK is wrapped under your AWS KMS alias. Cleartext exists only inside the encrypt/decrypt path; never on disk.
SellerUser passwords are Argon2id hashed, sessions are JWT-cookie based with proper expiry, and rate-limiting is per-tenant. The full security overview lives at /security.
RBAC role catalog.
- OWNER — every permission, including billing + plan changes + user management.
- ADMIN — every product permission, no billing or plan-change rights.
- OPERATOR — daily operations: orders, shipments, returns, manifests; cannot resolve claims.
- FINANCE — payouts, reconciliation, claims-resolve, exports.
- VIEWER — read-only across the whole tenant.
Practical answers.
Yes during early access. When paid pricing launches, seat counts may be tied to plan tiers; sellers under 25 orders/day stay forever-free regardless.
Removing a SellerUser revokes their session immediately and prevents future sign-ins. Audit history they created is preserved (deletion would corrupt the trail).
Per-permission overrides per user are a planned settings surface. Today the five roles cover the common cases.
Try it inside your own dashboard.
Free during early access. No card. Forever free under 25 orders/day.