RJ RelianceFinance ERP

Controls

Role Access Matrix

Baseline ERP-owned capability model for finance roles. Owner-only user management and auth-provider wiring can build on this matrix without changing the control vocabulary.

Roles: 6 seeded ERP roles
Role grants: 44 capability assignments
Sensitive grants: 19 restricted capabilities
Data mode: database, 3 broad-access roles

Role Capability Grants

Audit trail

ap user

Standard access

ap_user has no sensitive capabilities.

3 total | 0 sensitive
ap.manage, cash_forecast.manage, ledger.read

ar user

Standard access

ar_user has no sensitive capabilities.

3 total | 0 sensitive
ar.manage, cash_forecast.manage, ledger.read

external finance admin

Broad sensitive access

external_finance_admin has 6 sensitive capabilities.

12 total | 6 sensitive
sensitive: cost_rates.read_sensitive, sensitive: ledger.post, sensitive: payroll.read_sensitive, sensitive: period.close, sensitive: period.reopen, sensitive: reports.publish_snapshot, ap.manage, ar.manage, cash_forecast.manage, imports.review, ledger.read, mappings.manage

finance admin

Broad sensitive access

finance_admin has 6 sensitive capabilities.

12 total | 6 sensitive
sensitive: cost_rates.read_sensitive, sensitive: ledger.post, sensitive: payroll.read_sensitive, sensitive: period.close, sensitive: period.reopen, sensitive: reports.publish_snapshot, ap.manage, ar.manage, cash_forecast.manage, imports.review, ledger.read, mappings.manage

owner

Broad sensitive access

owner has 7 sensitive capabilities.

13 total | 7 sensitive
sensitive: cost_rates.read_sensitive, sensitive: ledger.post, sensitive: payroll.read_sensitive, sensitive: period.close, sensitive: period.reopen, sensitive: reports.publish_snapshot, sensitive: users.manage, ap.manage, ar.manage, cash_forecast.manage, imports.review, ledger.read, mappings.manage

read only consultant

Standard access

read_only_consultant has no sensitive capabilities.

1 total | 0 sensitive
ledger.read

Control Note

External finance admins intentionally have broad accounting access in V1, but `users.manage` remains owner-only. Sensitive reads and self-approvals are visible in the audit trail for periodic review.