Overview
This matrix shows all permissions in Agatabo, what actions they control, and which roles typically have them.
Format: resource:action
Example: savings:write = permission to write (create/modify) savings records
Scopes:
SELF: access only own data
ANY: access all organization data
Complete Permissions List
Organization Users
| Permission | Scope | Description | Actions Allowed |
|---|---|---|---|
| organization_users:read | SELF | View own profile | See own name, email, phone, join date, roles |
| organization_users:read | ANY | View all members | See member list, profiles, contact info, join dates |
| organization_users:write | ANY | Manage members | Invite, edit, deactivate members; update contact info |
| organization_user_roles:write | ANY | Assign roles | Grant/revoke roles and permissions to users |
Savings & Deposits
| Permission | Scope | Description | Actions Allowed |
|---|---|---|---|
| savings:read | SELF | View own savings | See own deposit history, current balance |
| savings:read | ANY | View all savings | See all members' deposits, balances, transaction history |
| savings:write | ANY | Record deposits/withdrawals | Create deposits, process withdrawals, edit unposted transactions |
Loans
| Permission | Scope | Description | Actions Allowed |
|---|---|---|---|
| loans:read | SELF | View own loans | See own loan details, installment schedules, payment history |
| loans:read | ANY | View all loans | See all members' loans, portfolio reports, delinquency status |
| loans:write | SELF | Apply for loans | Submit loan applications for self (if self-service enabled) |
| loans:write | ANY | Manage all loans | Create, approve, modify, disburse loans for any member |
| loans:write | ANY | Record loan payments | Post payments against loans, allocate to principal/interest |
| loans:write | ANY | Apply penalties | Add late fees and penalties to delinquent loans |
Expenses
| Permission | Scope | Description | Actions Allowed |
|---|---|---|---|
| expenses:read | SELF | View own expenses | See expense claims submitted by self (if applicable) |
| expenses:read | ANY | View all expenses | See all organization expenses, categories, history |
| expenses:write | ANY | Record expenses | Create expense records, categorize, attach receipts |
Fixed Assets
| Permission | Scope | Description | Actions Allowed |
|---|---|---|---|
| assets:read | SELF | View own assets | See assets associated with self (rare use case) |
| assets:read | ANY | View all assets | See asset register, acquisition details, values |
| assets:write | ANY | Manage assets | Add assets, update values, record disposals |
Reserves
| Permission | Scope | Description | Actions Allowed |
|---|---|---|---|
| reserves:read | SELF | View own reserve data | Limited use (reserves are organization-level) |
| reserves:read | ANY | View reserves | See reserve balances, allocation history |
| reserves:write | ANY | Manage reserves | Create reserves, allocate (top-up), release funds |
Dividends
| Permission | Scope | Description | Actions Allowed |
|---|---|---|---|
| dividends:read | SELF | View own dividends | See dividend amounts received, distribution history |
| dividends:read | ANY | View all dividends | See dividend pools, member allocations, distribution history |
| dividends:write | ANY | Manage dividends | Create dividend pools, calculate distributions, mark as distributed |
General Ledger & Accounting
| Permission | Scope | Description | Actions Allowed |
|---|---|---|---|
| ledger:read | SELF | View own ledger account | See own savings account statement (member view) |
| ledger:read | ANY | View all ledger accounts | Access chart of accounts, account balances, statements, trial balance |
| ledger:write | ANY | Post journal entries | Create manual journal entries, post adjustments, corrections |
Reports
Note: Reports generally don't have specific permissions. Access depends on the permissions for the underlying data.
Examples:
Balance Sheet: Requires ledger:read (ANY)
Loans Outstanding: Requires loans:read (ANY)
Member savings statement: Requires savings:read (SELF or ANY)
Settings & Administration
| Permission | Scope | Description | Actions Allowed |
|---|---|---|---|
| settings:read | ANY | View organization settings | See org name, currency, timezone, settings |
| settings:write | ANY | Edit organization settings | Update org name, notification preferences, configurations |
| settings:write | ANY | Update rates & configs | Modify interest rates, contribution schedules, policies |
| audit_logs:read | ANY | View audit trail | Access complete activity log, filter by actor/action |
Common Role Mappings
Note on Roles: The role mappings below are suggested configurations, not pre-defined system roles. Agatabo provides admin and member as protected default roles. Organizations create additional custom roles and assign permissions as needed to match their operational structure.
Administrator (Full Access)
| Permission | Scope |
|---|---|
| organization_users:read | ANY |
| organization_users:write | ANY |
| organization_user_roles:write | ANY |
| savings:read | ANY |
| savings:write | ANY |
| loans:read | ANY |
| loans:write | ANY |
| expenses:read | ANY |
| expenses:write | ANY |
| assets:read | ANY |
| assets:write | ANY |
| reserves:read | ANY |
| reserves:write | ANY |
| dividends:read | ANY |
| dividends:write | ANY |
| ledger:read | ANY |
| ledger:write | ANY |
| settings:read | ANY |
| settings:write | ANY |
| audit_logs:read | ANY |

Can do: everything
Treasurer
| Permission | Scope |
|---|---|
| organization_users:read | ANY |
| savings:read | ANY |
| savings:write | ANY |
| expenses:read | ANY |
| expenses:write | ANY |
| ledger:read | ANY |

Can do: record deposits, record expenses, view financial reports
Cannot do: create loans, assign roles, change settings
Loan Officer
| Permission | Scope |
|---|---|
| organization_users:read | ANY |
| savings:read | ANY (to check eligibility) |
| loans:read | ANY |
| loans:write | ANY |

Can do: create/manage loans, record payments, apply penalties
Cannot do: record deposits/expenses, post journal entries, assign roles
Accountant
| Permission | Scope |
|---|---|
| organization_users:read | ANY |
| savings:read | ANY |
| loans:read | ANY |
| expenses:read | ANY |
| assets:read | ANY |
| reserves:read | ANY |
| dividends:read | ANY |
| ledger:read | ANY |
| ledger:write | ANY (for adjustments) |
| audit_logs:read | ANY |

Can do: view all financial data, run reports, post adjusting entries, view audit trail
Cannot do: record operational transactions (deposits, loans), assign roles, change settings
Member (Basic)
| Permission | Scope |
|---|---|
| organization_users:read | SELF |
| savings:read | SELF |
| loans:read | SELF |
| ledger:read | SELF |
| dividends:read | SELF |

Can do: view own savings, loans, account statement, dividends
Cannot do: view other members' data, record transactions, access settings
Permission Inheritance
Multiple roles:
If a user has multiple roles, their permissions are cumulative (the union of all roles' permissions)
Example: a user with both the Treasurer and Loan Officer roles can record deposits AND create loans
Scope precedence:
If the same permission is granted with different scopes, the ANY scope wins
Example: a user with savings:read SELF from the Member role and savings:read ANY from the Treasurer role gets ANY scope
Special Cases
Self-Service Loan Applications
A member with loans:write (SELF scope) can submit loan applications
Requires an administrator to enable the self-service feature
Applications still need approval from the loan committee
Restricted Journal Entries
The ledger:write permission allows creating manual journal entries
Some entry types may be restricted (e.g., closing entries) even when the permission is held
The system prevents creating entries in closed periods regardless of permission
Organization-Level Settings
settings:write is powerful: it grants the ability to change currency, timezone, etc.
It should only be given to trusted administrators
Changes affect the entire organization and all users
Permission Checks in Agatabo
Where permissions are checked:
UI: buttons/menus are hidden when the user lacks the permission (a usability measure, not the enforcement point)
API: the server validates the permission before executing the action (this is the authoritative check)
Reports: filtered based on scope (SELF vs ANY)
Error messages:
"You don't have permission to perform this action" = the permission is missing entirely
"You can only access your own data" = the permission is held, but only with SELF scope, and the request targets another member's data
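The following is an added example, not Agatabo's own code: it implements the inheritance rules from the Permission Inheritance section (union of roles, ANY beats SELF) and the server-side check that yields the two error messages above. The role definitions are transcribed from the suggested mappings on this page; the user ids and the function names are constructed for the illustration.

```python
from enum import IntEnum


class Scope(IntEnum):
    SELF = 1
    ANY = 2  # ordered above SELF so the broader scope wins on conflict


# Suggested role mappings from this page (example subset, not system-defined roles).
ROLES = {
    "treasurer": {"organization_users:read": Scope.ANY, "savings:read": Scope.ANY,
                  "savings:write": Scope.ANY, "expenses:read": Scope.ANY,
                  "expenses:write": Scope.ANY, "ledger:read": Scope.ANY},
    "loan_officer": {"organization_users:read": Scope.ANY, "savings:read": Scope.ANY,
                     "loans:read": Scope.ANY, "loans:write": Scope.ANY},
    "member": {"organization_users:read": Scope.SELF, "savings:read": Scope.SELF,
               "loans:read": Scope.SELF, "ledger:read": Scope.SELF,
               "dividends:read": Scope.SELF},
}

# The two error messages the page documents.
MISSING = "You don't have permission to perform this action"
SELF_ONLY = "You can only access your own data"


def effective_permissions(role_names):
    """Union of every role's permissions; on conflict the broader scope (ANY) wins."""
    effective = {}
    for name in role_names:
        for perm, scope in ROLES[name].items():
            effective[perm] = max(effective.get(perm, scope), scope)
    return effective


def authorize(user_id, role_names, permission, owner_id):
    """Server-side check (hypothetical): None when allowed, else the page's error message.

    owner_id is the member whose record the request touches; with SELF scope
    it must equal the caller's own id.
    """
    scope = effective_permissions(role_names).get(permission)
    if scope is None:
        return MISSING
    if scope == Scope.SELF and owner_id != user_id:
        return SELF_ONLY
    return None


if __name__ == "__main__":
    # Constructed ids: "u1" is the caller, "u2" another member.
    print(authorize("u1", ["member"], "savings:read", "u2"))          # SELF_ONLY
    print(authorize("u1", ["member", "treasurer"], "savings:read", "u2"))  # None
```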
Need Help?
Understanding Permissions: detailed permission guide
Member Roles: managing roles