Permissions control what actions an organization user can take within a specific domain. Each permission has a domain:action:scope key — permissions are assigned to roles, and roles are assigned to users. See the Roles guide for how to create roles and assign permissions.
Permission model
Permission keys follow a domain:action:scope pattern — for example, expense:read:org or payable:pay:self. The scope is either :org (all objects in the organization) or :self (the user’s own objects, plus their direct reports’ expenses). See Reporting manager for how direct-report relationships work.
write permissions cover create, update, and delete — and implicitly include read. read-only permissions are for roles that should see data but not change it.
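The rules above, modelled as an added example (not code from the product or its SDK): a checker that parses `domain:action:scope` keys, treats `write` as implying `read`, and extends `:self` to direct reports only for expenses. The function names, user identifiers, and sample grants are constructed for illustration, and treating `:org` as covering every owner in the organization is an assumption drawn from the scope description.

```python
from typing import Collection, Iterable, NamedTuple

class Permission(NamedTuple):
    domain: str
    action: str
    scope: str

# Constructed role grants, using keys listed in the reference tables on this page.
EMPLOYEE = ["expense:read:self", "expense:write:self", "approval_policy:read:org"]
BOOKKEEPER = ["expense:read:org", "payable:read:org", "export:write:org"]

def parse_key(key: str) -> Permission:
    """Split a domain:action:scope key; reject malformed keys and unknown scopes."""
    parts = key.split(":")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"malformed permission key: {key!r}")
    if parts[2] not in ("org", "self"):
        raise ValueError(f"unknown scope in {key!r}")
    return Permission(*parts)

def is_allowed(granted: Iterable[str], domain: str, action: str,
               actor: str, owner: str,
               direct_reports: Collection[str] = ()) -> bool:
    """True if any granted key permits `action` on an object owned by `owner`.

    `actor` is the user making the request; `direct_reports` lists the users
    who report to the actor (hypothetical identifiers).
    """
    for perm in map(parse_key, granted):
        if perm.domain != domain:
            continue
        # write implicitly includes read; no other action implies another.
        if perm.action != action and not (perm.action == "write" and action == "read"):
            continue
        if perm.scope == "org":
            return True   # :org covers all objects in the organization
        if owner == actor:
            return True   # :self covers the user's own objects
        # :self reaches direct reports' objects only for expenses.
        if domain == "expense" and owner in direct_reports:
            return True
    return False          # default deny: no grant matched
```

A malformed key in the grant list raises instead of being skipped, so a typo in a role definition fails closed rather than silently widening or narrowing access.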
Permissions reference
Users and roles
| Permission key | Description | System roles |
|---|---|---|
| user:read:org | View all organization users | Admin |
| user:write:org | Create and update organization users | Admin |
| role:read:org | View roles and their permissions | Admin |
Organization
| Permission key | Description | System roles |
|---|---|---|
| organization:read:org | View organization information and settings | Admin |
| organization_settings:read:org | View organization-level configuration | Admin |
| organization_settings:write:org | Update organization-level configuration | Admin |
Bank accounts
| Permission key | Description | System roles |
|---|---|---|
| bank_account:read:org | View all bank accounts in the organization | Admin, Chief Financial Officer (CFO), Bookkeeper |
| bank_account:write:org | Create and manage bank accounts | Admin |
| external_bank_account:read:org | View external bank accounts linked to the organization | Admin |
| external_bank_account:write:org | Add and manage external bank accounts | Admin |
| external_bank_account:micro_deposit:org | Initiate micro-deposit verification for external bank accounts | Admin |
Counterparts
| Permission key | Description | System roles |
|---|---|---|
| counterpart:read:org | View all counterparts | Admin, Chief Financial Officer (CFO), Bookkeeper |
| counterpart:write:org | Create and update counterparts | Admin, Chief Financial Officer (CFO) |
Invoices (AR)
Invoice permissions cover the full accounts receivable surface: invoices, payment reminders, overdue reminders, delivery notes, products, and AR-side payment records.
| Permission key | Description | System roles |
|---|---|---|
| invoice:read:org | View all invoices | Admin, Chief Financial Officer (CFO), Bookkeeper |
| invoice:write:org | Create, update, and manage invoices | Admin, Chief Financial Officer (CFO) |
Payables (AP)
Payable permissions cover the full accounts payable surface: payables, purchase orders, credit notes, and AP-side payment records.
| Permission key | Description | System roles |
|---|---|---|
| payable:read:org | View all payables | Admin, Chief Financial Officer (CFO), Bookkeeper |
| payable:write:org | Create and update payables | Admin, Chief Financial Officer (CFO) |
| payable:approve:org | Force-approve a payable, bypassing the normal approval workflow. Admin only. | Admin |
| payable:pay:org | Execute payment of approved payables | Admin, Chief Financial Officer (CFO) |
Payment records
| Permission key | Description | System roles |
|---|---|---|
| payment_record:read:org | View all payment records | Admin, Chief Financial Officer (CFO), Bookkeeper |
| payment_record:write:org | Create and manage payment records | Admin, Chief Financial Officer (CFO) |
Expenses
Expense permissions cover transactions and receipts — read includes viewing receipts, write includes creating and updating them.
| Permission key | Description | System roles |
|---|---|---|
| expense:read:org | View all expense transactions in the organization | Admin, Bookkeeper |
| expense:write:org | Create and update all expense transactions in the organization | Admin |
| expense:read:self | View the user’s own expense transactions, and those of their direct reports | Chief Financial Officer (CFO), Employee |
| expense:write:self | Create and update the user’s own expense transactions, and those of their direct reports | Chief Financial Officer (CFO), Employee |
| expense:approve:org | Force-approve an expense transaction, bypassing the normal approval workflow. Admin only. | Admin |
Transfers
| Permission key | Description | System roles |
|---|---|---|
| transfer:write:org | Initiate a transfer between bank accounts the organization owns. Not the same as paying an external vendor — use payable:pay:org for bill payment. | Admin, Chief Financial Officer (CFO) |
Approval policies and requests
| Permission key | Description | System roles |
|---|---|---|
| approval_policy:read:org | View approval policies | All |
| approval_policy:write:org | Create, update, and delete approval policies | Admin |
| approval_request:read:org | View approval requests. Admin: also used for cancelling requests via API — not used in components | All |
Accounting configuration
Accounting configuration permissions cover ledger accounts, tax rates, cost centers, tags, and projects.
| Permission key | Description | System roles |
|---|---|---|
| accounting_config:read:org | View accounting configuration including ledger accounts and tax rates | Admin, Bookkeeper |
| accounting_config:write:org | Create and update accounting configuration | Admin |
Exports
| Permission key | Description | System roles |
|---|---|---|
| export:read:org | View and download data exports | Admin, Bookkeeper |
| export:write:org | Create and manage data exports | Admin, Bookkeeper |