Artifi
Docs/System & Configuration/Roles & Permissions

Roles & Permissions

Role-based access control with granular permissions, entity scoping, custom roles, and team invitation flows

9 min read

Overview

Artifi uses a two-layer access model to control what users can do:

  1. Membership level — Controls access to the admin dashboard (team management, settings, API keys)
  2. Permission roles — Controls accounting operations (AR, AP, GL, reporting) via conversational tools

These are independent: a user can be a "Viewer" membership (read-only dashboard) but have the "Controller" permission role (full accounting access through Claude).

Membership Levels

Membership determines what a user can do in the admin dashboard.

LevelDescription
OwnerFull organization control. Cannot be removed. Automatically assigned to the organization creator.
AdminCan manage team members, settings, and API keys.
MemberStandard dashboard access. Can view data and use assigned features.
ViewerRead-only access to the dashboard.

The Owner level is not selectable when inviting new users -- it is exclusively for the organization creator.

Auto-Provisioned Users

When a new user connects via Claude.ai for the first time, they are automatically provisioned as an Owner with full Admin permissions and a complete database schema. No invitation is needed. See the Authentication guide for details.

Permission Roles (RBAC)

Permission roles control what accounting operations a user can perform. Artifi includes 6 built-in system roles that cannot be modified:

RoleKey Permissions
AdministratorFull system access (admin:*)
ControllerFull accounting read/write, AR, AP, master data, reports
AP AccountantAP read/write, master data management, accounting read
AR AccountantAR read/write, master data management, accounting read
AuditorRead-only access to accounting, AR, AP, master data, reports, and audit logs
InvestorReports read-only

Permission Groups

Permissions follow the format category:action. A wildcard (category:*) grants all actions within a category.

Admin

PermissionDescription
admin:readView organizations, users, API keys, and audit logs
admin:writeCreate or update organizations, users, and API keys
admin:deleteDelete users, revoke API keys, or remove integrations
admin:*Full administrative control

Accounting

PermissionDescription
accounting:readView general ledger accounts, balances, and periods
accounting:writeCreate or edit general ledger accounts and settings
accounting:postPost journal entries to the ledger
accounting:closeClose fiscal periods and manage period status

Accounts Receivable

PermissionDescription
ar:readView customer invoices, aging, and AR balances
ar:writeCreate and edit customer invoices and credit memos
ar:postPost AR transactions to the general ledger
ar:voidVoid AR transactions and reverse posted activity

Accounts Payable

PermissionDescription
ap:readView vendor bills, aging, and AP balances
ap:writeCreate and edit vendor bills and credit memos
ap:approveApprove bills for payment processing
ap:postPost AP transactions to the general ledger
ap:voidVoid AP transactions and reverse posted activity

Payments

PermissionDescription
payments:readView customer and vendor payments, including bank activity
payments:writeCreate and edit payments
payments:approveApprove payments for processing or release
payments:voidVoid or reverse payment activity

Master Data

PermissionDescription
master_data:readView master data such as customers, vendors, and accounts
master_data:writeCreate or edit master data records
master_data:deleteDelete or deactivate master data records

Dimensions

PermissionDescription
dimensions:readView dimension types, hierarchies, and assignments
dimensions:writeCreate or edit dimension values and relationships
dimensions:deleteRemove dimension values or assignments

Reporting, Configuration, and Audit

PermissionDescription
reports:readView financial statements and operational reports
config:readView legal entity configuration and system settings
config:writeModify configuration such as legal entities or tax codes
global_ids:readView global customer and vendor records
global_ids:writeManage global customer and vendor associations
audit:readView audit trail and activity logs

Entity Scoping

Both membership and permission roles support entity scoping, allowing you to restrict access to specific legal entities.

Membership Entity Access

  • All entities — User can access all legal entities (default)
  • Specific entities — User can only access listed entity IDs

Role Entity Scoping

  • All entities — Role applies across all entities (default)
  • Specific entities — Role only applies to listed entity IDs

A user can have the same role assigned multiple times with different entity scopes. For example:

  • Controller role scoped to Entity 1 (US operations)
  • AR Accountant role scoped to Entity 2 (UK operations)

Custom Roles

Organizations can create custom roles combining any permission groups.

Properties

  • Unique name within the organization (slug format: lowercase alphanumeric + underscores)
  • Can be activated or deactivated (deactivating removes the role from all users)
  • Can be edited (description and permissions)
  • Cannot reuse system role names

Creating Custom Roles

Navigate to Team > Roles > Create Role in the admin dashboard. The form presents permission group checkboxes organized by category, making it easy to compose the exact permissions needed.

Invitation Flow

Team invitations use a token-based email flow for secure onboarding.

Lifecycle

  1. Admin sends invite — Fills the invite form with email, name, membership level, entity access, and permission roles. An invitation email is sent with an "Accept Invitation" link.

  2. Recipient clicks link — The link validates the token, checks expiry (7 days), and redirects to the sign-up flow with a pre-filled email address.

  3. Auth callback — After signing up or logging in, the system creates the user account, sets up organization membership with the specified entity access, and applies the assigned permission roles.

  4. Pending display — Pending invitations appear in the team members list with an "Invited" status badge. Admins can revoke pending invitations at any time.

  5. Re-invite — Sending a new invitation to an email with a pending invite replaces the old one with a fresh token and email.

Partner Organization Invitations

For partner organizations, the invite form includes a "Client organization access" section. This lets the admin grant the invitee access to selected client organizations in a single step:

  • Each client organization can have its own membership level
  • All invitations share the same token -- the accept flow processes all linked invitations at once
  • Only one email is sent (for the partner organization)

Partner Role Propagation

When a new client organization is created under a partner, all users from the partner organization are automatically given access to the new client organization. Their membership level in the client matches their level in the partner (owner stays owner, admin stays admin, etc.).

Role Downgrade Protection

When accepting an invitation, the system checks if you already have a higher membership level in the target organization. If so, the existing level is preserved -- accepting an invite as "member" will not downgrade an existing "admin" or "owner".

Priority order: owner > admin > member > viewer

Linked Employees

Team members can be automatically linked to employee records. When a user account matches an employee record, the team list displays the linked employee's ID and name.

This enables role-to-employee coordination -- for example, ensuring an employee who handles AP is assigned the ap_accountant role.

Admin Dashboard Pages

PagePurpose
TeamMembers list (active + invited) with role details and actions
Team > InviteFull invitation form with membership, entity access, and role assignment
Team > Edit MemberUpdate membership level, entity access, and role assignments
Team > RolesRole catalog showing system and custom roles
Team > Create RoleCustom role creation with permission group checkboxes
Team > Edit RoleModify custom role description and permissions

Summary

  • Two-layer model: Membership controls dashboard access; permission roles control accounting operations
  • 6 built-in roles: Administrator, Controller, AP Accountant, AR Accountant, Auditor, Investor
  • 11 permission categories: Admin, Accounting, AR, AP, Payments, Master Data, Dimensions, Reporting, Configuration, Global IDs, Audit
  • Entity scoping: Restrict any role to specific legal entities
  • Custom roles: Compose your own permission combinations
  • Token-based invitations: Secure email flow with 7-day expiry
  • Partner support: Multi-organization invitations and automatic role propagation
← PREVIOUSAuthenticationNEXT →Tools Reference