Overview
Auditoria uses Role-Based Access Control (RBAC) to manage what each user can see and do in the platform. Instead of granting permissions one by one, users are assigned roles that define their access to features, data, and administrative capabilities.
As a Super Administrator, you are responsible for assigning the correct roles so users have enough access to do their work, without exposing sensitive settings or data unnecessarily.
How RBAC works in Auditoria
At a high level, RBAC in Auditoria controls access in three ways:
Application access – Whether a user can sign in and open a given console or module.
Feature access – What actions a user can perform (for example, view only, create and edit, approve, manage configuration).
Data access – Which ERP or business records a user can work with, based on their assigned role and, where enabled, record‑level access controls.
RBAC roles are tenant‑specific. A user can have different roles in different tenants, depending on how your organization is structured.
Key Super Administration roles
The following roles are most relevant for Super Administrators and core finance operations:
SuperAdmin
Grants full access to all Auditoria SmartFlow Skills configured on the tenant and their consoles. SuperAdmins can:
View and manage all modules (AP, AR, GL, and other enabled workflows)
Configure and modify SmartFlow Skills
Manage user accounts and assign RBAC roles
Manage mailbox connections and ERP / System of Record (SoR) connections
This role should be limited to a small number of trusted administrators.
AP Helpdesk Roles (AP Helpdesk console)
Designed for Accounts Payable teams working in the AP Helpdesk console:
AP Helpdesk Analyst – Access to AP Helpdesk mailbox, synced AP records, assigned tasks, and unassigned tasks; typically read‑heavy with limited configuration access.
AP Helpdesk Specialist – Analyst capabilities plus access to specific configuration areas such as Relaxed Matching.
AP Helpdesk Manager – Full AP Helpdesk access, including all tasks, reports, audit logs, and AP Helpdesk settings.
AR Helpdesk & Collections Roles (AR consoles)
Used by Accounts Receivable teams:
AR Helpdesk Analyst – View, claim, and complete AR Helpdesk tasks and navigate synced AR records such as invoices and payments.
AR Helpdesk Manager – View, assign, and complete tasks; navigate all AR business objects; includes read‑only access to selected administration areas (for example, SmartFlow status, System Settings, Audit Logs).
Collections Agent / Collections Manager – Roles used in AR Collections workflows, controlling which customers and tasks users can see.
General Ledger (GL) Roles (SmartGL / Accruals)
Designed for GL users:
GL Agent – View and edit journal entries, but cannot post entries back to the SoR or modify SmartFlow configuration.
GL Approver – View, edit, and post journal entries to the SoR.
GL Manager – Approver capabilities plus the ability to configure GL SmartFlow Skills and view administration areas.
GL Audit – Read‑only access for audit and compliance teams.
Your specific deployment may include additional roles (for example, P2P, Sales, or Treasury roles) that follow the same pattern: Analyst/Agent (operational work), Manager (oversight and configuration), and Audit/Viewer (read‑only).
RBAC vs. Record Access Control
RBAC controls what a user can do and which features they can open. In some deployments, you may also enable Record Access Control (RAC) to restrict which specific records a user can see based on your ERP or HR system (for example, Workday company or entity access).
Use RBAC to define user responsibilities (for example, SuperAdmin, AP Helpdesk Manager, Collections Agent).
Use RAC to align data visibility with your system of record (for example, only show entities or suppliers the user has access to in Workday).
From a Super Administration perspective, RBAC is the first layer you configure for every user; RAC and other data‑level controls can then be applied on top where required.
What this means for Super Administrators
When you add or update users, you will:
Assign one or more roles that match the user’s day‑to‑day responsibilities.
Limit SuperAdmin access to a small group of trusted administrators.
Use Manager and Specialist roles for users who need configuration access without full system control.
Use Analyst/Agent and Audit roles for operational users and auditors who should not change configuration.
The User Management section of this guide explains how to add users, assign roles, and update role assignments as your team changes.
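The review below is an added example, not part of Auditoria's product or documentation: it applies the checklist above to a constructed role-assignment export, per tenant. The CSV layout, the sample users and tenants, and the SuperAdmin threshold are assumptions; the role names are those listed in this guide.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per (tenant, user, role) assignment.
# The CSV layout is an assumption for this example, not an Auditoria format.
SAMPLE_EXPORT = """tenant,user,role
acme-us,alice@example.com,SuperAdmin
acme-us,bob@example.com,SuperAdmin
acme-us,carol@example.com,SuperAdmin
acme-us,dave@example.com,GL Audit
acme-us,dave@example.com,GL Manager
acme-us,erin@example.com,AP Helpdesk Analyst
acme-eu,alice@example.com,GL Agent
acme-eu,dave@example.com,GL Audit
"""

# Roles this guide describes as carrying configuration access.
CONFIG_ROLES = {"SuperAdmin", "AP Helpdesk Specialist", "AP Helpdesk Manager", "GL Manager"}
# Role this guide describes as read-only for audit and compliance teams.
AUDIT_ROLES = {"GL Audit"}
MAX_SUPERADMINS = 2  # assumed local policy; the guide only says "a small number"


def review_assignments(export_text, max_superadmins=MAX_SUPERADMINS):
    """Return sorted (tenant, finding) tuples for assignments that need review."""
    roles_by_user = defaultdict(set)  # keyed per tenant: roles are tenant-specific
    for row in csv.DictReader(io.StringIO(export_text)):
        key = (row["tenant"].strip(), row["user"].strip().lower())
        roles_by_user[key].add(row["role"].strip())

    findings = []
    superadmins = defaultdict(list)
    for (tenant, user), roles in roles_by_user.items():
        if "SuperAdmin" in roles:
            superadmins[tenant].append(user)
        # An auditor who also holds a configuration-capable role is no longer read-only.
        clash = roles & CONFIG_ROLES
        if roles & AUDIT_ROLES and clash:
            findings.append((tenant, f"{user}: audit role combined with {', '.join(sorted(clash))}"))
    for tenant, users in superadmins.items():
        if len(users) > max_superadmins:
            findings.append((tenant, f"{len(users)} SuperAdmins: {', '.join(sorted(users))}"))
    return sorted(findings)


if __name__ == "__main__":
    for tenant, finding in review_assignments(SAMPLE_EXPORT):
        print(f"[{tenant}] {finding}")
```

Because assignments are evaluated per tenant, the same user holding GL Audit in one tenant and an operational role in another is not flagged.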