The Two Built-In Roles
Agatabo ships with two protected roles that exist in every organization. You cannot delete or rename them, though a system Administrator can adjust the Member role’s default permissions.
Protected roles cannot be deleted. The Administrator and Member roles are permanent fixtures of every Agatabo organization. If you need to restrict a specific person’s access, remove their role assignment or deactivate their account — do not attempt to modify the Administrator role itself.
Administrator
The Administrator role grants full access to the entire organization with ANY scope on every permission. Administrators can manage users, record all types of transactions, configure settings, close accounting periods, and view audit logs. Assign this role sparingly — ideally to one or two trusted individuals who are responsible for the organization’s operations.
Member
The Member role grants read-only access to the user’s own financial data. By default, a member can view their own savings balance, deposit history, loan details, and dividend distributions — but cannot view other members’ data or record any transactions. Your administrator can customize the Member role’s permissions to fit your organization’s specific policies.
Default Member permissions (all with SELF scope):
| Permission | What It Allows |
|---|---|
| organization_users:read | View own profile and account details |
| savings:read | View own savings balance and deposit history |
| loans:read | View own loans and repayment schedule |
| dividends:read | View own dividend distributions |
Assigning the Member role creates a savings account. The moment you assign the Member role to a user, Agatabo automatically creates a savings ledger account for them. This account tracks all of their deposits, withdrawals, and balance.
Custom Roles
Beyond the two built-in roles, you can create any number of custom roles to match the operational structure of your organization. Custom roles can be edited or deleted at any time (they are not protected). Common custom roles used by Agatabo organizations:
| Role | Typical Responsibilities |
|---|---|
| Treasurer | Records deposits, manages cash and bank accounts, closes periods |
| Loan Officer | Creates loans, records repayments, manages guarantors |
| Accountant | Generates reports, accesses the general ledger, manages expenses |
| Secretary | Manages user records and communications |
Permission Scopes: SELF vs. ANY
Every permission in Agatabo carries a scope that defines whose data it applies to. SELF scope restricts the user to their own records only.
A member with savings:read (SELF) can view their own deposits but cannot see what anyone else has saved.
ANY scope grants access to all members’ data within the organization.
A treasurer with savings:write (ANY) can record deposits for every member in the organization.
When assigning permissions to a custom role, choose SELF for roles that should only see personal data and ANY for operational roles that need organization-wide visibility.
How Multiple Roles Combine
Users can hold multiple roles simultaneously. When they do, Agatabo combines all permissions from all roles using two straightforward rules:
- Permissions are additive. A user receives every permission from every role they hold. Holding more roles always means more access, never less.
- The most permissive scope wins. If one role grants savings:read (SELF) and another grants savings:read (ANY), the user effectively has savings:read (ANY).
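The two rules above, worked through as an added example (this is not Agatabo's own code). The role definitions are constructed for illustration, and the exact permission strings given to Treasurer and Loan Officer, such as periods:close, are assumptions based on the categories and actions this page names. The second function lists the organization-wide, non-read grants a reviewer would check first when a user holds several roles.

```python
# Added example: role names and permission sets are constructed,
# modelled on the roles and combination rules this page describes.
SCOPE_RANK = {"SELF": 1, "ANY": 2}  # higher rank = more permissive

ROLES = {  # hypothetical role definitions: permission -> scope
    "Member": {
        "organization_users:read": "SELF",
        "savings:read": "SELF",
        "loans:read": "SELF",
        "dividends:read": "SELF",
    },
    "Treasurer": {
        "savings:read": "ANY",
        "savings:write": "ANY",
        "bank_accounts:read": "ANY",
        "periods:close": "ANY",
    },
    "Loan Officer": {"loans:read": "ANY", "loans:write": "ANY"},
}


def effective_permissions(role_names, roles=ROLES):
    """Union every role's permissions; on a clash keep the wider scope."""
    merged = {}
    for name in role_names:
        if name not in roles:
            raise KeyError(f"unknown role: {name}")
        for perm, scope in roles[name].items():
            if scope not in SCOPE_RANK:
                raise ValueError(f"unknown scope {scope!r} on {perm}")
            current = merged.get(perm)
            if current is None or SCOPE_RANK[scope] > SCOPE_RANK[current]:
                merged[perm] = scope
    return merged


def org_wide_grants(role_names, roles=ROLES):
    """Non-read permissions held with ANY scope, for access reviews."""
    eff = effective_permissions(role_names, roles)
    return sorted(p for p, s in eff.items()
                  if s == "ANY" and not p.endswith(":read"))


if __name__ == "__main__":
    combined = effective_permissions(["Member", "Treasurer"])
    for perm, scope in sorted(combined.items()):
        print(f"{perm:28} {scope}")
    print(org_wide_grants(["Member", "Treasurer", "Loan Officer"]))
```

A user holding Member and Treasurer ends up with savings:read (ANY) while loans:read stays at SELF, because only the savings permission is granted at the wider scope by one of the roles.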
Available Permission Categories
The following table lists all permission categories available in Agatabo. Each category supports :read and :write actions; some support additional specialized actions such as :approve, :close, or :assign.
| Category | What It Controls |
|---|---|
| organization_users | View and manage user profiles, invitations, and account status |
| organization_user_roles | Assign and remove roles; create and configure custom roles |
| savings | View and record member deposits and withdrawals |
| loans | View, create, disburse, and manage member loans |
| expenses | View and record organizational expenses |
| assets | View and manage fixed assets |
| bank_accounts | View and manage cash and bank accounts |
| reserves | View and manage reserve funds |
| dividends | View dividend pools and distribute profits to members |
| reports | Generate and download financial reports |
| ledger | Access the general ledger and manual journal entries |
| settings | Configure organization-wide settings |
| periods | Close accounting periods |
| audit_logs | View the system audit trail |
Checking Your Own Permissions
You do not need to ask your Administrator what you are allowed to do. Agatabo automatically hides menu items and buttons that your roles do not permit. If a feature is visible in the sidebar, you have at least read access to it. If a button to perform an action is missing or greyed out, you need an additional permission. To understand your exact permissions:
- Look at the navigation. You only see sections you have access to.
- Try the action. If you lack the required permission, Agatabo shows a clear error message naming the missing permission.
- Ask your Administrator. They can view your assigned roles and explain what each one grants.
Security best practice: Assign the minimum permissions necessary for each role. Review user role assignments at least quarterly, remove roles that are no longer needed, and limit the Administrator role to one or two trusted individuals.
Need Help?
Managing Users
Learn how to assign and remove roles from existing users.
Inviting Users
Add new members and staff and set up their initial roles.