Roles & Permissions - User Access Management
Overview
The Roles and Permissions framework controls what users can see and do within the system.
- Each user must have at least one system role, which determines access to features, financial functionality, and settings
- Roles reflect typical positions in a law firm: Accountants, Lawyers, Partners, Paralegals, Finance staff
- Users can hold multiple roles if additional access is required
Example:
A user with the Accountant role has full banking access, while a Lawyer does not.
Quick Flow: How Roles & Permissions Work
The following flow shows how access is determined for each user.
| Step | Action |
|---|---|
| 1 | Create/Add Employee |
| 2 | Assign System Role |
| 3 | (Optional) Add Special Role |
| 4 | System Applies Permission Band (Basic - Standard - Unrestricted) |
| 5 | User Access Determined |
| 6 | User Can Access Relevant System Features |
System Roles (Overview & Descriptions)
| Role | Purpose / Typical Users | Key Permissions | Restrictions / Notes |
|---|---|---|---|
| Global Administrator | Senior IT personnel or system admins | Full system access, configure features, manage roles & permissions | Limit to system administrators |
| Accountant | Finance Director / Head Accountant | Full financial & accounting access, manage user permissions | Only role able to modify other user permissions |
| Cashier | Senior finance staff | Process transactions, manage client/trust/office accounts, perform banking tasks | Some high-risk compliance functions restricted |
| Junior Cashier | Junior finance staff | Day-to-day transaction processing, standard financial operations | Restricted from compliance-sensitive or system configuration actions |
| Lawyer | Standard fee-earners | Work on matters, record time, request financial transactions | Cannot access firm-level financial data or banking |
| Paralegal | Entry-level legal staff | Assist with matter work, record time, request transactions | More limited than Lawyer role |
| Partner | Department heads / partners | View financial performance, monitor matter activity | Cannot directly post accounting transactions |
| Manager | Managing Partners / COFA | Financial oversight, management reports, firm-wide visibility | Direct posting of accounting transactions may be restricted |
| Team Lead | Department leaders / supervisors | View performance reports, monitor team activity | Focused on reporting; access limited to team users |
Each role defines who a user is, while permission bands define what they can do.
Special Roles
The system also includes additional roles that complement primary roles.
These roles provide extra privileges without replacing the user’s main role.
| Special Role | Purpose |
|---|---|
| Access All Matters | View all matters, including restricted ones |
| Approve All Invoices | Approve all invoices firm-wide |
| Approve All Requisitions | Approve all purchase and payment requisitions |
Special roles should be assigned carefully, as they provide firm-wide authority.
Permission Bands
Each role contains predefined permission levels, called bands, that determine the level of access to each feature area.
| Permission Band | Description |
|---|---|
| Basic | Limited access to view or request actions |
| Standard | Normal operational access |
| Unrestricted | Full control including configuration |
Permission Hierarchy
Permissions follow the hierarchy:
Basic → Standard → Unrestricted
Permissions excluded at a higher band are automatically excluded from lower bands.
Key Behaviour:
- Exclusions, not inclusions, control permissions
- Example: Cannot post transactions at Standard → also cannot post at Basic
- Special roles can override exclusions; use them cautiously
Permission Exclusions by Feature
| Feature Area | Exclusions by Band |
|---|---|
| Approvals | Basic/Standard: Cannot approve Office, CMA, Trust/Client transactions, or ledger transfers |
| Banking | Basic: Cannot create receipts/payments; Standard: Cannot undo bank reconciliations, set up bank accounts, post bank entries |
| Billing | Basic: Cannot email/finalise invoices; Standard: Cannot override invoice numbers, split/reject invoices, apply discounts |
| Client / Trust Accounts | Basic: Cannot post receipts/payments or transfer funds; Standard: Cannot allow trust overdraw, reverse transactions, process CMA accounts |
| General Ledger | Basic/Standard: Cannot create or lock ledgers, post transactions, manage VAT returns |
| Office Account | Basic: Cannot post receipts/payments or transfer funds |
| Purchase Ledger | Basic: Cannot add/manage purchases, pay suppliers, reverse transactions; Standard: Cannot pay suppliers or reverse transactions |
| Reports | Basic: Cannot access Profit & Loss, Trial Balance, VAT reports |
| Settings | Lower roles: Cannot access accounting settings, system configuration, notification settings |
| Time Entries | Basic: Cannot write off time entries |
Most access issues are due to exclusions, not system errors. Always check the user's role and permission band first.
Role Access to Features
| Function | Accountant | Cashier | Junior Cashier | Manager | Partner | Lawyer | Paralegal |
|---|---|---|---|---|---|---|---|
| Approvals | Unrestricted | Unrestricted | Standard | Standard | Standard | Standard | Basic |
| Banking | Unrestricted | Unrestricted | Standard | Basic | None | None | None |
| Billing | Unrestricted | Unrestricted | Unrestricted | Standard | Standard | Standard | Basic |
| Client / Trust | Unrestricted | Standard | Standard | Basic | Basic | Basic | Basic |
| Dashboards | Unrestricted | Unrestricted | Unrestricted | Unrestricted | Standard | Standard | Basic |
| Disbursements | Unrestricted | Unrestricted | Unrestricted | Standard | Standard | Standard | Basic |
| Entities | Unrestricted | Unrestricted | Unrestricted | Standard | Basic | Basic | Basic |
| General Ledger | Unrestricted | Unrestricted | Standard | Basic | Basic | None | None |
| Matters | Unrestricted | Standard | Standard | Standard | Standard | Standard | Basic |
| Office Account | Unrestricted | Unrestricted | Standard | Basic | Basic | Basic | Basic |
| Purchase Ledger | Unrestricted | Unrestricted | Unrestricted | Standard | Standard | None | None |
| Reports | Unrestricted | Unrestricted | Standard | Unrestricted | Standard | Basic | Basic |
| Settings | Unrestricted | Unrestricted | Unrestricted | Unrestricted | None | None | None |
| Time Entries | Unrestricted | Unrestricted | Standard | Unrestricted | Standard | Standard | Standard |
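The exclusion rule and the role matrix can be combined to answer "why can't this user do X?" and "which roles can do X?" during an access review. The following is an added example, not code from the product: it models the Banking and Purchase Ledger rows of the two tables above, treats the action labels from the exclusions table as plain strings, and does not model special roles.

```python
# Added example: data transcribed from two rows of each table on this page.
ORDER = ["Basic", "Standard", "Unrestricted"]  # lowest to highest band

# Exclusions as listed per band in "Permission Exclusions by Feature".
EXCLUSIONS = {
    "Banking": {
        "Basic": {"create receipts/payments"},
        "Standard": {"undo bank reconciliations", "set up bank accounts",
                     "post bank entries"},
    },
    "Purchase Ledger": {
        "Basic": {"add/manage purchases", "pay suppliers", "reverse transactions"},
        "Standard": {"pay suppliers", "reverse transactions"},
    },
}

# Band per role, column order as in "Role Access to Features".
ROLES = ["Accountant", "Cashier", "Junior Cashier", "Manager",
         "Partner", "Lawyer", "Paralegal"]
MATRIX = {
    "Banking": ["Unrestricted", "Unrestricted", "Standard", "Basic",
                "None", "None", "None"],
    "Purchase Ledger": ["Unrestricted", "Unrestricted", "Unrestricted",
                        "Standard", "Standard", "None", "None"],
}

def explain(role, feature, action):
    """Return (allowed, reason) for one role, feature and action."""
    band = MATRIX[feature][ROLES.index(role)]
    if band == "None":
        return False, f"{role} has no access to {feature}"
    # An exclusion listed at this band or any higher band applies.
    for b in ORDER[ORDER.index(band):]:
        if action in EXCLUSIONS[feature].get(b, set()):
            return False, f"{role} is {band} on {feature}; '{action}' is excluded at {b}"
    return True, f"{role} is {band} on {feature}; no exclusion applies"

def who_can(feature, action):
    """Roles whose band permits the action, for an access review."""
    return [r for r in ROLES if explain(r, feature, action)[0]]

if __name__ == "__main__":
    print(explain("Manager", "Banking", "post bank entries")[1])
    print(who_can("Purchase Ledger", "pay suppliers"))
```

Running `who_can` over the high-risk actions in the exclusions table gives the list of roles to check first in a periodic access review.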
Role Assignment: Step-by-Step
Add Role to New Employee
- Navigate to Directory → Employees
- Open employee record → Update → Employee → Update Employee
- Select Actions → Invite Employee
- Choose the system role
- Click Invite Employee
Users cannot access the system until a role is assigned.
Remove Role from User
- Navigate to Settings → Firm Settings → Roles
- Select the role → Edit Users
- Find the user → Remove User
- Click Save
Move Users Between Roles
Method 1 – Employee Record
- Directory → Employees → employee card → Update → Employee → Update Employee
- Actions → View Permissions → select/deselect roles
- Click Save
Method 2 – Roles Section in Firm Settings
- Settings → Firm Settings → Roles
- Remove user from existing role → Add to new role
- Click Save
Common Role Assignment Mistakes
- Assigning Lawyer role to finance staff
- Giving Global Administrator unnecessarily
- Missing Access All Matters when required
- Users with conflicting roles
Recommendation: Assign the minimum permissions needed for the role.
Best Practices
- Assign roles based on job responsibilities
- Avoid giving Unrestricted permissions unnecessarily
- Use Special Roles only when required
- Review user access regularly
- Limit Global Administrator roles to system administrators
- Perform quarterly audits to ensure permissions remain appropriate