Absolute must to limit the access to exports of sensitive customer data. Our users need access to the Customer data for their day to day role but have no requirement to ever export this data out to a file.

Task management needs to be a permission too. Now anyone can view, edit and manage tasks and that should be separate from other permissions.

A Client suggested not to go too granular as Role Creation in Mews is one of the simplest they have encountered to date - there was a system where they had to worry about 500+ permissions and that can be quite a list to go through.

Merging should be an specific permission due to data security!

This creates real operational problems because, for example, in order for a housekeeper to create a housekeeping task on a reservation, we have to grant the “create and manage reservations” permission. However, this permission includes access to guest details (first name, last name, phone number, credit card, etc.). Some guest data is sensitive (such as payment information), and housekeeping or maintenance staff should not have access to certain data.

I’d like to raise a potential security issue in Mews. In the user role settings, there is currently no option to prevent the download of client reports while still allowing access to guest contact details within individual reservations. While it is possible to restrict access to "sensitive reports" such as financial or management reports, the most sensitive report is arguably the client database, as this is what hackers typically target and download to launch phishing or cyberattacks.

A receptionist should not be able to export the entire client database to Excel, especially considering that many hotels rely on temporary staff (extras) who may only work a few hours. These temporary workers could easily download the report and sell it on the dark web, or unknowingly fall victim to phishing emails disguised as Mews communication.

This presents a significant risk for hoteliers, even when using two-factor authentication and endpoint protection (EDR).

It’s also important to point out that if we remove the “Access to clients” permission, receptionists can no longer view any client contact information at all — which is not practical for day-to-day operations.

In my view, reception staff should be able to view client contact details in Mews, but should not have permission to export reports that contain client data.

This kind of access control would greatly improve data security and better align with data protection regulations such as GDPR.

Bien

Bueno

Exelente

In our operational areas, it is often crucial to see the complete timeline, but it is not possible to assign it by just view

Currently the operation we have in mews requires that other users have access to the view-only timeline without moving any of the settings or view access elsewhere.

Currently I have this permission which gives me the option to view the timeline but gives me more access to other functions which is what I want to avoid “Create and manage customers and companies”.
As such it is fine but I would like a more limited permission that does not let you enter to see the guest data, if not only see the TIMELINE more than anything.

Currently the operation we have in mews requires that other users have access to the view-only timeline without moving any of the settings or view access elsewhere.

Currently I have this permission which gives me the option to view the timeline but gives me more access to other functions which is what I want to avoid “Create and manage customers and companies”.
As such it is fine but I would like a more limited permission that does not let you enter to see the guest data, if not only see the TIMELINE more than anything.

Currently the operation we have in mews requires that other users have access to the view-only timeline without moving any of the settings or view access elsewhere.

Currently I have this permission which gives me the option to view the timeline but gives me more access to other functions which is what I want to avoid “Create and manage customers and companies”.
As such it is fine but I would like a more limited permission that does not let you enter to see the guest data, if not only see the TIMELINE more than anything.

Hello!
We're happy to announce that we're currently working on a new permissions system.
This new system is more granular and very extensive, allowing actions like the one mentioned above and more.
We expect to have it ready by Quarter 3 of 2025, and you'll be able to configure all the permissions available in the product per role.

great idea and critical to protect our guest data from phishing

Yes please!

Great Idea. Would be very helpful to have this as a permission to add for user roles.

give a user rights to see the time line, without the rights to modify guest and see guest reports

As one of the individual permissions, give the option to restrict exporting reports. With the current phishing attempts it is very important to limit who can export reservations reports.

If there are certain rules such as a minimum stay of 5 nights. For a room, for example, two nights are free. It would be good if certain positions (management) could still make bookings and override these rule