Understanding Agatabo’s permission system lets you configure each staff member’s access precisely — giving them everything they need to do their job and nothing more. This page documents every permission, the scope rules that govern them, and the five standard role configurations most organizations use.
Agatabo ships with two protected roles, admin and member, that cannot be deleted. The Administrator and Member configurations below reflect these built-in roles. The Treasurer, Loan Officer, and Accountant configurations are recommended custom roles that you create and name according to your organization’s structure.

Permission Format

Every permission in Agatabo follows the pattern:
resource:action
Examples:
  • savings:write — permission to create and modify savings records
  • loans:read — permission to view loan information
  • organization_users:write — permission to invite and manage members

Scopes

Every permission can be granted at one of two scopes:
Scope | Effect
SELF | The user can only access their own data (their own savings, their own loans, their own profile)
ANY | The user can access all data within the organization
When a user holds the same permission at both scopes (e.g., from two different roles), ANY always wins. See Permission Inheritance for details.

Complete Permissions Reference

Organization Users

Permission | Scope | What It Controls
organization_users:read | SELF | View own profile: name, email, phone, join date, assigned roles
organization_users:read | ANY | View all members: member list, profiles, contact information, join dates
organization_users:write | ANY | Manage members: invite new members, edit profiles, deactivate accounts
organization_user_roles:write | ANY | Assign and revoke roles: grant or remove any role from any organization user

Savings & Deposits

Permission | Scope | What It Controls
savings:read | SELF | View own deposit history and current savings balance
savings:read | ANY | View all members’ deposits, savings balances, and transaction history
savings:write | ANY | Record deposits and withdrawals, edit unposted transactions

Loans

Permission | Scope | What It Controls
loans:read | SELF | View own loan details, installment schedule, and payment history
loans:read | ANY | View all members’ loans, the full portfolio, and delinquency reports
loans:write | SELF | Submit a self-service loan application (if self-service is enabled by an administrator)
loans:write | ANY | Create, disburse, and modify loans for any member; record payments; apply penalties

Expenses

Permission | Scope | What It Controls
expenses:read | ANY | View all organization expenses, categories, and history
expenses:write | ANY | Record expenses, assign categories, attach receipts

Fixed Assets

Permission | Scope | What It Controls
assets:read | ANY | View the asset register, acquisition details, and estimated values
assets:write | ANY | Add assets, update values, record disposals

Reserves

Permission | Scope | What It Controls
reserves:read | ANY | View reserve account balances and allocation history
reserves:write | ANY | Create reserves, top up allocations, release funds

Dividends

Permission | Scope | What It Controls
dividends:read | SELF | View own dividend amounts received and distribution history
dividends:read | ANY | View all dividend pools, member allocations, and distribution history
dividends:write | ANY | Create dividend pools, calculate distributions, mark distributions as paid

General Ledger & Accounting

Permission | Scope | What It Controls
ledger:read | SELF | View own savings account statement (member self-service view)
ledger:read | ANY | Access the full chart of accounts, all account balances, trial balance, and journal entries
ledger:write | ANY | Create manual journal entries and post adjusting entries

Reports

Reports do not have their own permission keys. Access is determined by the underlying data permissions:
Report | Required Permission
Balance Sheet | ledger:read (ANY)
Profit & Loss | ledger:read (ANY)
Loans Outstanding | loans:read (ANY)
Shares Report | savings:read (ANY)
Member savings statement (own) | savings:read (SELF)
Member savings statement (any member) | savings:read (ANY)

Settings & Administration

Permission | Scope | What It Controls
settings:read | ANY | View organization name, currency, timezone, and configuration
settings:write | ANY | Update organization settings, notification preferences, and operational policies
audit_logs:read | ANY | View the complete audit trail; filter by user, action type, or date range
periods:close | ANY | Execute period closes and period close undos

Built-In Role Configurations

Administrator

The Administrator role has full access to all resources. Assign it only to staff who need complete organizational control — typically the group president and lead technical manager.
Permission | Scope
organization_users:read | ANY
organization_users:write | ANY
organization_user_roles:write | ANY
savings:read | ANY
savings:write | ANY
loans:read | ANY
loans:write | ANY
expenses:read | ANY
expenses:write | ANY
assets:read | ANY
assets:write | ANY
reserves:read | ANY
reserves:write | ANY
dividends:read | ANY
dividends:write | ANY
ledger:read | ANY
ledger:write | ANY
settings:read | ANY
settings:write | ANY
audit_logs:read | ANY
periods:close | ANY
Can do: Everything in the system.

Treasurer

The Treasurer role covers day-to-day financial operations — recording contributions and expenses, viewing member balances, and generating reports. Treasurers cannot issue loans or change settings.
Permission | Scope
organization_users:read | ANY
savings:read | ANY
savings:write | ANY
expenses:read | ANY
expenses:write | ANY
ledger:read | ANY
Can do: Record deposits and withdrawals, record expenses, view all member savings, run financial reports. Cannot do: Create or modify loans, assign roles to users, change organization settings, post manual journal entries, close periods.

Loan Officer

The Loan Officer role covers the full loan lifecycle — from eligibility assessment through disbursement, payment recording, and penalty application. Loan Officers can view savings balances to assess eligibility but cannot modify savings records.
Permission | Scope
organization_users:read | ANY
savings:read | ANY
loans:read | ANY
loans:write | ANY
Can do: Create and disburse loans, record loan payments, apply penalties, view member savings for eligibility assessment, view full loan portfolio. Cannot do: Record deposits or expenses, post manual journal entries, assign roles, change settings.

Accountant

The Accountant role is read-heavy — full visibility into all financial data for reporting and audit purposes — with the ability to post manual adjusting entries. Accountants do not perform operational transactions.
Permission | Scope
organization_users:read | ANY
savings:read | ANY
loans:read | ANY
expenses:read | ANY
assets:read | ANY
reserves:read | ANY
dividends:read | ANY
ledger:read | ANY
ledger:write | ANY
audit_logs:read | ANY
periods:close | ANY
Can do: View all financial data, run every report, post manual journal entries for corrections, view the full audit trail, close periods. Cannot do: Record operational transactions (deposits, loans, expenses), assign roles, change organization settings.

Member

The Member role is the basic self-service configuration. Members can see their own financial information but have no visibility into other members’ data and cannot initiate any transactions.
Permission | Scope
organization_users:read | SELF
savings:read | SELF
loans:read | SELF
ledger:read | SELF
dividends:read | SELF
Can do: View own savings balance, own loan details and installment schedule, own account statement, own dividend history. Cannot do: View other members’ data, record any transactions, access settings, run organization-level reports.

Permission Inheritance Rules

Cumulative Permissions

If a user holds multiple roles, their effective permissions are the union of all permissions across every role they hold. Example: A user with both the Treasurer and Loan Officer roles effectively has:
organization_users:read (ANY) ← from both roles
savings:read (ANY)            ← from both roles
savings:write (ANY)           ← from Treasurer
expenses:read (ANY)           ← from Treasurer
expenses:write (ANY)          ← from Treasurer
ledger:read (ANY)             ← from Treasurer
loans:read (ANY)              ← from Loan Officer
loans:write (ANY)             ← from Loan Officer
This user can record deposits and disburse loans in the same session, combining both role sets. Because roles only ever add permissions, review the full set of roles a user holds, not each role in isolation, before assigning a second one.

ANY Scope Wins Over SELF

If a user holds the same permission at two different scopes, the broader scope always applies. Example:
  • Treasurer role grants savings:read (ANY)
  • Member role grants savings:read (SELF)
  • Effective permission: savings:read (ANY)
The user can view all members’ savings, not just their own.

No Negative Permissions

Agatabo does not support “deny” rules. You cannot grant a broad permission and then exclude a specific resource, and a narrower role never cancels a broader one held through another role. To restrict access, simply do not include the permission in the role, and do not assign a role that carries it.

Where Permissions Are Enforced

Agatabo enforces permissions at two layers:
  1. API layer — the server validates permissions before executing any operation. A missing or insufficient permission returns a 403 Forbidden response, regardless of how the request was produced.
  2. UI layer — buttons, menu items, and form fields are hidden or disabled when the user lacks the necessary permission.
Only the API layer is a security control. The UI layer is a usability convenience: a user who crafts a request directly (with a browser developer console or an HTTP client) bypasses it and is stopped by the API check alone, so never rely on a hidden button to protect an operation.
Common error messages:
Message | Meaning
"You don't have permission to perform this action" | The required permission is not present in any of your roles
"You can only access your own data" | You have the permission but only at SELF scope, and you are trying to access another member’s data
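The following is an added, stand-alone model of the rules described on this page (permission format, SELF/ANY scopes, report mapping, cumulative roles, ANY-wins, no deny rules, and the two API-layer error messages). It is illustration written for this page, not Agatabo’s own code or API: the role contents are copied from the role tables above, while the function names, the rank-based scope comparison and the way a caller identifies the data owner are assumptions about how such an authorizer could be structured.

```python
"""Model of resource:action permissions with SELF/ANY scopes.

Added example, not Agatabo's code. Role contents below are taken from
this page's role tables; everything else (function names, ranking, the
actor/owner arguments) is an assumed design for illustration.
"""

SELF, ANY = "SELF", "ANY"
RANK = {SELF: 1, ANY: 2}  # ANY is the broader scope and outranks SELF

# Role configurations from the page (the three needed for the checks below).
ROLES = {
    "treasurer": {
        ("organization_users:read", ANY), ("savings:read", ANY),
        ("savings:write", ANY), ("expenses:read", ANY),
        ("expenses:write", ANY), ("ledger:read", ANY),
    },
    "loan_officer": {
        ("organization_users:read", ANY), ("savings:read", ANY),
        ("loans:read", ANY), ("loans:write", ANY),
    },
    "member": {
        ("organization_users:read", SELF), ("savings:read", SELF),
        ("loans:read", SELF), ("ledger:read", SELF), ("dividends:read", SELF),
    },
}

# Error messages exactly as listed on this page.
NO_PERMISSION = "You don't have permission to perform this action"
SELF_ONLY = "You can only access your own data"

# Reports carry no permission key of their own; they resolve to data permissions.
REPORT_REQUIREMENTS = {
    "balance_sheet": ("ledger:read", ANY),
    "profit_and_loss": ("ledger:read", ANY),
    "loans_outstanding": ("loans:read", ANY),
    "shares_report": ("savings:read", ANY),
}


def parse_permission(key):
    """Split 'resource:action' and reject anything that does not fit the pattern."""
    resource, sep, action = key.partition(":")
    if not sep or not resource or not action or ":" in action:
        raise ValueError(f"malformed permission key: {key!r}")
    return resource, action


def effective_permissions(role_names):
    """Union of every held role; for a key granted at both scopes, ANY wins.

    There is no deny path: a role can only raise a key's scope, never lower it.
    """
    effective = {}
    for name in role_names:
        for key, scope in ROLES[name]:
            parse_permission(key)  # validate the key's shape
            if RANK[scope] > RANK.get(effective.get(key), 0):
                effective[key] = scope
    return effective


def authorize(role_names, key, actor_id, owner_id):
    """API-layer check: (allowed, message). owner_id is who the target data belongs to."""
    scope = effective_permissions(role_names).get(key)
    if scope is None:
        return False, NO_PERMISSION
    if scope == SELF and actor_id != owner_id:
        return False, SELF_ONLY
    return True, ""


def can_run_report(role_names, report):
    """A report is allowed when the held scope for its data key is at least the required one."""
    key, needed = REPORT_REQUIREMENTS[report]
    held = effective_permissions(role_names).get(key)
    return held is not None and RANK[held] >= RANK[needed]


if __name__ == "__main__":
    # Constructed sample users; ids are illustrative.
    print(effective_permissions(["treasurer", "member"])["savings:read"])  # ANY wins
    print(authorize(["member"], "savings:read", "u1", "u2"))               # SELF_ONLY
    print(authorize(["loan_officer"], "savings:write", "u1", "u2"))        # NO_PERMISSION
    print(can_run_report(["treasurer", "loan_officer"], "loans_outstanding"))
```

Two details worth noticing when reading the output: `authorize` distinguishes the two page error messages by whether the key is absent versus present only at SELF, which is what lets a troubleshooter tell “wrong role” from “wrong scope”; and because `effective_permissions` can only ever raise a scope, adding the Member role to a Treasurer changes nothing, exactly as the ANY-wins rule states.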

Common Errors

Troubleshoot permission denied errors step by step

Glossary

Definitions for permission, role, scope, and related terms