Purpose: This document outlines the permission roles available in the Custodia platform and what each role allows. Roles may be customized per tenant, so this should be used as a baseline reference.
Spend Profiles
Every employee can be assigned to one or more Spend Profiles. Each profile is tied to a unique Expense Policy that controls spending behavior. You can manage profiles and their rules via the Policy Manager.
Profiles are created and managed from My Organization > Org Structure > Roles & Spend Profiles
Permission Roles
ADMIN
Overview
- Access to most screens in the UI
- Cannot modify anything related to finance
- Transactions
- Activities
- Statements
- Admins can create new users and grant role access (such as the FINANCE role) to other users.
- Admin only users cannot see private transactions on hybrid cards.
ACTIVITIES MANAGER
Overview
- Can create new spend permissions (activities) for employees
- Activities still follow configured approval workflows
ACTIVITY TEMPLATE MANAGER
Overview
-
- Users with this role will have read-only access to the Activity Template settings
- This role should only be granted to admin or finance users
APPROVER
Overview
- Can be defined as the approver of an employee.
- Can approve activities and out-of-pocket requests.
- Requires TEAM MANAGER role for full team functionality
BULK-ACTIVITY APPROVERS
Overview
-
Approve bulk or group activity requests
-
Cannot approve individual activity requests
AUDITOR
Overview
- Read-only access to data across the entire organization (including all subsidiaries).
- This role will override any other roles that a user has (for example, if a user is an admin and an auditor, the user will still only have read-only access).
BALANCE UPDATER
Overview
-
Can use credit/debit functionality to modify activity balances
-
Should be limited due to financial implications
BUDGET OWNER
Overview
- Access to view budgets that the user owns.
- Access to analytics reports associated to budgets that the user owns.
- Access to all activities associated with a budget that the user owns.
- Access to all expenses associated with a budget that user owns.
BUSINESS PARTNER
Overview
- Access to the company help desk for all companies managed by the business partner.
- Access to the employee help desk for all the employees that are indirectly managed by the business partner through the companies they manage.
- Certain changes can be made
- Updating employee details
- Updating cost center details
- Updating team deatils
- Anything related to financial data cannot be changed
- Activities cannot be updated
- Credit limits cannot be changed
BUSINESS PARTNER READ-ONLY
Overview
-
Same access as BUSINESS PARTNER
-
No ability to make changes
CARD ISSUER ADMINS
Overview
- Users with this role have the ability to create new companies associated with an issuer.
- Users can grant card products to new tenants.
- Users can view all transactions associated with the issuer
- Access to the company helpdesk for all tenants with issuer related cards
- Access to employee helpdesk for all users with issuer related cards
*PLEASE NOTE* card issuers do not have access to users that do not have issuer related cards or issuer related transactions by default.
CARD ISSUER SUPPORT
Overview
- Same level of access as Card Issuer Admin, but no changes to tenants can be made (read-only access).
COMPLIANCE
Overview
-
Users with this role get an email whenever there is a secure role change within the organization. These roles include:
- ACTIVITIES MANAGER
- ADMIN
- AUDITOR
- BALANCE UPDATER
- BUSINESS PARTNER
- BUSINESS PARTNER READ ONLY
- CARD ISSUER ADMINS
- CARD ISSUER SUPPORT
- COMPLIANCE
- HR ADMIN
- IMPERSONATOR
- PII
- SUPER PII
- SECURITY
- SYSTEM-WIDE APPROVERS
- TEAM MANAGER
DISABLE EXPENSE EDIT
Overview
-
Prevents users from editing expenses
Overview
- Can approve expenses accessible via other roles (e.g., TEAM MANAGER)
- Users with this role have the responsibility of approving expenses, ensuring that they comply with company policies, budgets, and any relevant financial guidelines
EXPENSES REVIEWER
Overview
-
Full view and edit access to all transactions
-
Can message users about transactions
-
Can view all statements
Overview
- Same access as EXPENSES REVIEWER except no changes can be made.
TEAM EXPENSES REVIEWER
Overview
- Same access as EXPENSES REVIEWER
- Access limited to team data only
FINANCE
Overview
-
Can view all financial related data
- Expenses
- Activities
- Statements
-
Can modify all policy related information
- Cost centers
- Chart of Accounts
- Classes
- Cannot see private transactions (requires SUPER PII)
- This role is required for transaction simulation
HR ADMIN
Overview
- Can add/view users
- No access to transactions or financial data
IMPERSONATOR
Overview
-
Can impersonate users they have access to
-
Use should be limited due to elevated access
PII
Overview
- Can view PII data on employee profiles
- Phone
- Username (when defined as PII)
- Can view private hybrid card transaction data --- without merchant info but can see Custodia declines.
SUPER-PII
Overview
- This role allows you to see the full transaction details of a private transaction
- including the merchant name
RECEIPTS EMAIL DL
Overview
- Users with this role will be CC'd on any emails that are sent to users that are missing a receipt.
SYSTEM WIDE APPROVER
Overview
-
Can approve any activity or out-of-pocket request
-
Bypasses all approval workflows
Please note: This user will not receive request notifications, but will have access to approve upon logging into the platform
TEAM MANAGER
Overview
-
Full access to their team’s:
-
Transactions
-
Activities
-
Employee details
-
-
Approvals possible when paired with APPROVER role
-
Access to “My Team” section of the UI
TECH ADMIN
Overview
- Can configure technical integrations:
-
Accounting Systems
- NetSuite
- Priority
- Microsoft Dynamics
- QuickBooks
-
OAuth
- Office 365
-
Accounting Systems