Reference
RBAC permission matrix — what each role can do
Default permission grants per role. Three scope levels: self / department / all. ~150 module.action permissions across 18 modules. This is the firm's starting point — customise via Settings → Roles & Permissions.
The 9 default roles + hierarchy
| Role | Hierarchy | Pay grade analogy |
|---|---|---|
| super_admin | 1 | System administrator |
| partner | 10 | Engagement partner / equity partner |
| manager | 20 | Audit manager / department head |
| admin_staff | 35 | Admin coordinator |
| accountant | 40 | Finance officer |
| senior_auditor | 30 | Senior associate |
| staff_auditor | 50 | Staff associate / trainee |
| read_only | 90 | External reviewer / regulator |
| portal (future) | 99 | Reserved for client portal |
Module-by-module summary
| Module | Default access pattern |
|---|---|
| M00 Auth | All authenticated users |
| M01 Users | super_admin (full) · partner (view + create) · others none |
| M02 Dashboard | All; widgets RBAC-filter individually |
| M03 Leads | super_admin/partner all · admin_staff/accountant all · manager dept · auditors view · read_only view |
| M04 Clients | super_admin/partner all · admin_staff all · manager dept · auditors assigned · read_only view |
| M05 Templates | super_admin/partner/admin_staff full · manager view+clone · others view |
| M07 Jobs | super_admin/partner all · admin_staff all · manager dept · auditors assigned · read_only view |
| M08 Tasks | Inherits job RBAC |
| M09 Expenses | self for own; manager dept for review; finance/partner approve |
| M10 Quotes | super_admin/partner/admin_staff/accountant full · manager dept · others view |
| M11 Invoices | see the detailed table in chapter 11 |
| M12 Bank Recon | super_admin/partner/accountant/admin_staff full · others view |
| M13 HR | super_admin/partner all · admin_staff most · manager dept · auditors self · read_only view |
| M15 Reports | per-report; inherits source-module visibility |
| M16 File Vault | see the detailed table in chapter 15 |
| M17 Communications | super_admin/partner/admin_staff full · others view own |
| M18 Settings | super_admin all · partner most · others none |
| M19 Workpapers | per-stage gating; super_admin all 11 perms · read_only view+export |
| M20 Compliance Cal | super_admin/partner all · admin_staff/accountant view+create+update · manager dept · auditors view assigned · read_only view |
Scope semantics
| Scope | Meaning |
|---|---|
| self | Only rows where user_id = current user |
| assigned | Only entities where the current user is listed in team_members, is the primary_manager, or holds a similar assignment field |
| department | Only entities owned by current user's department + sub-departments |
| all | No filter — entire firm |
| — | No access |
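As an added, language-neutral illustration (not the product's own code), the scope rules in this table applied to an m04.view grant: department scope walks sub-departments transitively, assigned checks primary_manager and team_members, and a role with no grant is treated as "—" (denied). The department tree, grants and rows are constructed sample data, not values from the system.

```python
from dataclasses import dataclass, field
# Constructed sample department tree (child -> parent, None = top level).
DEPT_PARENT = {"audit": None, "audit-a": "audit", "audit-b": "audit", "tax": None}
# Constructed grants for m04.view; accountant deliberately has no grant ("—").
GRANTS = {"partner": {"m04.view": "all"}, "manager": {"m04.view": "department"},
          "staff_auditor": {"m04.view": "assigned"}, "accountant": {}}

@dataclass
class User:
    user_id: int
    role: str
    department: str

@dataclass
class Entity:
    id: int
    user_id: int            # owning user (the key the 'self' scope checks)
    department: str
    primary_manager: int
    team_members: set = field(default_factory=set)

def dept_subtree(dept, parent_map=DEPT_PARENT):
    """A department plus all of its sub-departments, transitively."""
    members = {dept}
    changed = True
    while changed:   # keep absorbing children until the closure is stable
        changed = False
        for child, parent in parent_map.items():
            if parent in members and child not in members:
                members.add(child)
                changed = True
    return members

def is_visible(scope, user, row):
    """Apply one scope value from the table to a single row."""
    if scope == "all":
        return True
    if scope == "self":
        return row.user_id == user.user_id
    if scope == "assigned":
        return user.user_id == row.primary_manager or user.user_id in row.team_members
    if scope == "department":
        return row.department in dept_subtree(user.department)
    return False  # "—" or an unknown scope value: deny by default

def visible_ids(user, rows, permission="m04.view", grants=GRANTS):
    """Ids of rows the user's role may see under its grant for the permission."""
    scope = grants.get(user.role, {}).get(permission, "—")
    return [r.id for r in rows if is_visible(scope, user, r)]
```

Passing a different grants map (e.g. m04.view set to assigned for partner) reproduces the multi-partner customisation from this page without changing the filter logic.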
Customisation flow
- Settings → Roles & Permissions
- Pick a role
- Edit grants: per-permission scope dropdown; bulk select all/none per module
- Save: audit-logged; currently-logged-in users with that role get session_regenerate_id on their next request (privilege change)
Common customisation patterns
- Tax-only firm — disable M19 audit-specific permissions for managers; they don't need to see workpapers
- Bookkeeping-heavy firm — grant accountants M07.update on assigned jobs (they edit BK job tasks)
- Multi-partner firm — each partner sees only their book; restrict m04.view to scope=assigned, not all
- Junior trainee role — clone staff_auditor → restrict to checklist-tick-only (no AJE creation, no review-point raising)
Auditing role changes
Every grant change writes audit_logs.action = m02.role_permission.update with before/after JSON. Quarterly review of role-permission changes is part of the security review (chapter 23).