How to use roles to manage what resources and actions users are allowed to interact with
Modern Treasury segments a user’s ability to access resources or execute specific actions through a roles based authorization system. A user may belong to many roles within an organization, and they may access all resources and perform all actions allowed by the combined set of roles assigned to the user.
Where to find Roles?
Roles are accessed through the “Roles” link under the “Settings” menu on the sidebar.
How Permissions are Divided
There are four permission domains: Organization Level Permissions, Developer Permissions, Counterparty Permissions and Account Permissions.
Each permission domain grants a user specific access within Modern Treasury. You can assign one of the following levels to each permission domain:
- "Manage and Edit Access" - Users can create or edit resources in this domain.
- "View Only Access" - Users can only view the resources.
- "No Access" - Users cannot even see the resources.
See below for a list of the resources within each domain.
Organization Level Permissions
Organization Level Permissions give a user insight into the setup of Modern Treasury. With this level, there is visibility into:
- Organization Settings, which include aspects like the organization’s name, email settings, NSF protection
- User and Role Management. Users with Manage and Edit access can create, update, and delete users and roles.
- Approval Rules for payment orders
- Notification Management
- Audit Trail Access
We recommend Admins of Modern Treasury have Manage and Edit access to the Organization Level Permissions.
Developer Permissions give a user visibility into API Keys and Configuration, Webhooks, Events, and API Logs.
Counterparty Permissions allow a user to create counterparties and their external accounts. This permission should be assigned to those setting up customers to be paid or charged.
Account Permissions allow a user to access their organization’s bank accounts. With this permission, a user can view and manage payment orders, account balances, transactions, expected payments, paper items, and returns. Users can also approve payment orders for the accounts they have access to.
A role can be granted access to all accounts. The benefit of this setup is that when future accounts are added, the role will also have access. However, if you want to only grant access to certain accounts, that can be configured as well.
A user can create and approve payment orders out of an account so long as they have “Manage, Review and Edit” permissions on the specific account associated with the payment order. If they created the payment order, however, they will not be able to approve their own payment order. The only way to override this behavior is described below under “Overriding the Approval Queue”.
As of March 2020, we created default roles to make permissioning a bit easier. These are a great place to start as you evaluate the users on the team and how to set the proper rules.
- Administrators: Manage and Edit access for all permissions
- Developers: Manage and Edit access for Developer Settings, Counterparties and Accounts, View Only access for Manage Organization
- Finance: View Only access for Manage Organization, No Access for Developer Settings, Manage and Edit Access for Counterparties and Accounts
Overriding the Approval Queue
If a user has the “Manage and Edit” permission level on the organization, they are allowed to approve any payment order, even one they created themselves. Although we typically don’t recommend setting up your roles this way, it can be beneficial if you are a small company or want a particular type of user (e.g. your CEO) to be able to bypass the rules. These actions will still be tracked.
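The authorization rules described above (union of a user's roles, per-account scoping, the creator-cannot-approve rule, and the organization-level override) as an added, self-contained model; this is example code, not Modern Treasury's implementation. The role names, account ids, and the treatment of "Manage, Review and Edit" on an account as the same level as "Manage and Edit" are assumptions.

```python
from dataclasses import dataclass

# Permission levels from the page, ordered so the most permissive wins when
# a user's roles are combined.
NO_ACCESS, VIEW_ONLY, MANAGE_EDIT = 0, 1, 2
DOMAINS = ("organization", "developer", "counterparty", "accounts")

@dataclass
class Role:
    name: str
    levels: dict                           # domain -> level
    all_accounts: bool = False             # Accounts: access to every account
    account_ids: frozenset = frozenset()   # ...or only these specific accounts

@dataclass
class User:
    name: str
    roles: list

def effective_level(user, domain):
    """Roles combine as a union: the highest level any role grants applies."""
    return max((r.levels.get(domain, NO_ACCESS) for r in user.roles), default=NO_ACCESS)

def account_level(user, account_id):
    """Accounts-domain level for one account, honouring each role's account scope."""
    best = NO_ACCESS
    for r in user.roles:
        lvl = r.levels.get("accounts", NO_ACCESS)
        if lvl > best and (r.all_accounts or account_id in r.account_ids):
            best = lvl
    return best

def can_approve(user, order):
    """Maker-checker check: Manage and Edit on the order's account is required,
    and the creator may not approve their own order unless they hold
    Manage and Edit on the organization (the override described above)."""
    if account_level(user, order["account_id"]) < MANAGE_EDIT:
        return False
    if order["created_by"] == user.name:
        return effective_level(user, "organization") == MANAGE_EDIT
    return True

# Constructed sample roles (assumed account scoping; not the real defaults).
FINANCE = Role("Finance", {"organization": VIEW_ONLY, "developer": NO_ACCESS,
                           "counterparty": MANAGE_EDIT, "accounts": MANAGE_EDIT},
               account_ids=frozenset({"acct-ops"}))
ADMIN = Role("Administrators", {d: MANAGE_EDIT for d in DOMAINS}, all_accounts=True)
```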
Viewing Paper Items and Returns Without an Internal Account
Modern Treasury may import data about a Return or Paper Item that references a bank account Modern Treasury is not linked to at the bank. In these cases, a user may view the created Return or Paper Item object if that user has at least the global “View Only” permission on the Accounts domain.