Role summary
| Admin | Platform administrators — full access including settings, integrations, form designers, job creation |
| Writer | Power users who manage all operational data but do not configure the tenant |
| Reader | Read-only access to operational data |
| View Only Admin | GMs, board reporters, auditors — read-only across everything including settings & integrations |
| HR | HR teams managing employee lifecycle |
| Investigations | AML/compliance analysts running checks and contributing to investigations |
| Duty Manager | Front-of-house staff completing forms and triggering screening from a workspace |
Permissions matrix
Legend: ✅ = Full · 👁 = Read-only · ✏️ = Limited · ❌ = None
| Capability | Admin | Writer | Reader |
View Only Admin |
HR | Investigations |
Duty Manager |
|---|---|---|---|---|---|---|---|
| Sign in to the app | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Entities — view detail pages | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Entities — list / browse | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✏️¹ |
| Entities — view relationships | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Entities — create / update / delete | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| Entities — add / remove tags | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ | ❌ |
| Entities — add files / attachments | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| Entities — run evaluation | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Entities — view evaluation input | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Identity research (manual lookups) | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ |
| Companies — read | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Companies — create / update / delete | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Activity logs — view | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Activity logs — create | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ | ❌ |
| Activity logs — update / delete | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Activity log type management | ✅ | ✅ | 👁 | 👁 | 👁 | 👁 | ❌ |
| Workspaces — view | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Workspaces — create / update / change state | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ |
| Workspaces — delete / undelete | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Workspaces — generate magic link | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Forms — view definitions | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Forms — fill in / submit / update | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ |
| Form definitions — create / edit / clone / delete | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Files — view / download | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Files — upload | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ |
| Files — delete | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ | ❌ |
| Notes — view | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Notes — create / update / delete | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ | ✏️ |
| Documents — view | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Documents — create / update / delete | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Tags — view tag types & definitions | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Events — view | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| Events — record (UI telemetry)² | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Job: Onboard Individual — read | ✅ | ✅ | ❌ | ✅ | ❌ | ✅ | ❌ |
| Job: Onboard Individual — run | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ |
| Job: Verify Individual — read & run² | ✅ | ✅ | 👁 | 👁 | ✅ | ✅ | ✏️² |
| Job: Risk Rating — read & run² | ✅ | ✅ | 👁 | 👁 | ✅ | ✅ | ✏️² |
| Job: PEP / Sanctions — read & run² | ✅ | ✅ | 👁 | 👁 | ✅ | ✅ | ✏️² |
| Job: ID Verify — read & run² | ✅ | ✅ | 👁 | 👁 | ✅ | ✅ | ✏️² |
| Job: KYB Profile Generation — read & run² | ✅ | ✅ | 👁 | 👁 | ✅ | ✅ | ✏️² |
| Job: Company Screening — read | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
| Job: Company Screening — create & run | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Create new job definitions (any type) | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Tenant settings — view (UI / risk levels / custom fields) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Tenant settings — edit (UI, risk rating, custom fields, CEL) | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Integrations — view | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ |
| Integrations — edit | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| ConnectID (start auth, retrieve tokens) | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Truuth (create verification session) | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Automations — list / view | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ |
| Automations — run / cancel | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
Key behavioural notes
- Duty Manager cannot view an entity profile. They see the entity list (so they can pick a subject when starting a workspace) and can see relationships within the workspace, but the entity detail page is blocked.
- HR can manage entity records but cannot run the Onboard job and cannot finalise an evaluation. HR can run all other screening checks (Verify, Risk Rating, PEP/Sanctions, ID Verify, KYB).
- Investigations can run every job (including Onboard) and can tag entities and run Identity Research, but cannot create or edit entity records — keeping the record-of-truth separate from the people running checks against it.
- View Only Admin is the most powerful read-only role — it sees integration settings and automation history, which Reader does not. Use this for board reporting and audit, not for everyday users.
- Admin is the only role that can change tenant configuration (settings, custom fields, form definitions, integrations, and creating new job definitions).
Footnotes
¹ Duty Manager can list entities (needed to pick a subject when creating a workspace) but cannot open an entity detail page. Restricting which fields are returned in the entity list is planned for a future release.
² While the permission exists, the functionality currently does not. This is planned for a future release.
Comments
0 comments
Article is closed for comments.