Quick reference
| Role | Use it for | Key limits |
|---|---|---|
| Admin | Platform configuration, user management, integrations | No limits — full access. Keep this role to one or two people. |
| View Only Admin | GMs, board reporters, auditors | Read-only, including settings and integrations. Cannot change anything. |
| Writer | Power users managing all operational data | Full access to records and checks. Cannot configure the tenant. |
| Investigations | AML analysts and compliance investigators | Can run all checks including Onboard, tag entities, and run identity research. Cannot create or edit entity records. |
| HR | HR teams managing employee lifecycle | Can manage entity records and run most checks. Cannot run Onboard or entity evaluation. |
| Reader | Junior staff who need read access only | Read-only access to operational data. Cannot see settings or integrations. |
| Duty Manager | Front-of-house staff at clubs and venues | Can create workspaces and fill in forms. Cannot view entity detail pages, activity logs, or run checks. |
The principle
Pick the lowest-privilege role that lets the user do their job. Over-provisioning is the most common access-control mistake — and one of the easiest to avoid at invitation time.
Decision guide
Common mistakes
- Giving everyone Admin "to be safe." Don't. It creates audit trail problems and puts your tenant configuration at risk.
- Giving auditors Reader instead of View Only Admin. Reader cannot see settings or integrations. View Only Admin is the right role for board reporting and audit access.
- Giving compliance investigators Writer instead of Investigations. Writer can edit entity records, which compromises the separation between data and investigation.
Changing a user's role later
Role changes are made by the BNDRY team. To request one, send your BNDRY contact the user's full name, email, and the role you'd like them moved to. You'll receive confirmation once it's done.
If someone moves roles within your organisation — for example from Investigations to Writer — request a role change rather than deactivating and re-inviting them. Their activity history stays clean and attributed.