Roles & Permissions - User Access Management
Overview
The Roles and Permissions framework controls what users can see and do within the system:
- Each user must have at least one system role, which determines access to features, financial functionality, and settings
- Roles reflect typical positions in a law firm: Accountants, Lawyers, Partners, Paralegals, Finance staff
- Users can hold multiple roles if additional access is required
Example:
A user with the Accountant role has full banking access, while a Lawyer does not.
Quick Flow: How Roles & Permissions Work
The following flow shows how access is determined for each user.
| Step | Action |
|---|---|
| 1 | Create/Add Employee |
| 2 | Assign System Role |
| 3 | (Optional) Add Special Role |
| 4 | System Applies Permission Band (Basic - Standard - Unrestricted) |
| 5 | User Access Determined |
| 6 | User Can Access Relevant System Features |
System Roles (Overview & Descriptions)
| Role | Purpose / Typical Users | Key Permissions | Restrictions / Notes |
|---|---|---|---|
| Global Administrator | Senior IT personnel or system admins | Full system access, configure features, manage roles & permissions | Limit to system administrators |
| Accountant | Finance Director / Head Accountant | Full financial & accounting access, manage user permissions | Only role able to modify other user permissions |
| Cashier | Senior finance staff | Process transactions, manage client/trust/office accounts, perform banking tasks | Some high-risk compliance functions restricted |
| Junior Cashier | Junior finance staff | Day-to-day transaction processing, standard financial operations | Restricted from compliance-sensitive or system configuration actions |
| Lawyer | Standard fee-earners | Work on matters, record time, request financial transactions | Cannot access firm-level financial data or banking |
| Paralegal | Entry-level legal staff | Assist with matter work, record time, request transactions | More limited than Lawyer role |
| Partner | Department heads / partners | View financial performance, monitor matter activity | Cannot directly post accounting transactions |
| Manager | Managing Partners / COFA | Financial oversight, management reports, firm-wide visibility | Direct posting of accounting transactions may be restricted |
| Team Lead | Department leaders / supervisors | View performance reports, monitor team activity | Focused on reporting; access limited to team users |
Each role defines who a user is, while permission bands define what they can do.
Special Roles
The system also includes additional roles that complement primary roles.
These roles provide extra privileges without replacing the user’s main role.
| Special Role | Purpose |
|---|---|
| Access All Matters | View all matters, including restricted ones |
| Approve All Invoices | Approve all invoices firm-wide |
| Approve All Requisitions | Approve all purchase and payment requisitions |
Special roles should be assigned carefully, as they provide firm-wide authority.
Permission Bands
Each role contains predefined permission levels, called bands, that determine the level of access to each feature area.
| Permission Band | Description |
|---|---|
| Basic | Limited access to view or request actions |
| Standard | Normal operational access |
| Unrestricted | Full control including configuration |
Permission Hierarchy
Permissions follow the hierarchy:
Basic → Standard → Unrestricted
Permissions excluded at a higher band are automatically excluded from lower bands.
Key Behaviour:
- Exclusions, not inclusions, control permissions
- Example: Cannot post transactions at Standard → also cannot post at Basic
- Special roles can override exclusions; use them cautiously
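The exclusion rule above, sketched as an added example (not the product's own code): an exclusion declared at one band is inherited by every lower band, and a special role lifts specific exclusions. The action names, the `DECLARED` table and the `SPECIAL_ROLE_OVERRIDES` mapping are constructed for illustration and are assumptions about how the rule could be modelled.

```python
# Bands ordered lowest to highest, as in the hierarchy on this page.
BANDS = ["Basic", "Standard", "Unrestricted"]

# Constructed sample: actions excluded at each band for one feature area.
# The action names are hypothetical, not taken from the product.
DECLARED = {
    "Unrestricted": set(),
    "Standard": {"post_transaction", "view_restricted_matter"},
    "Basic": {"edit_time_entry"},
}

# Assumed mapping from a special role to the exclusions it lifts.
SPECIAL_ROLE_OVERRIDES = {
    "Access All Matters": {"view_restricted_matter"},
}


def effective_exclusions(declared):
    """Return {band: exclusions}; each band inherits every exclusion
    declared at a higher band."""
    effective, inherited = {}, set()
    for band in reversed(BANDS):  # walk Unrestricted -> Standard -> Basic
        inherited |= declared.get(band, set())
        effective[band] = set(inherited)  # copy so bands stay independent
    return effective


def is_allowed(band, action, special_roles=(), declared=DECLARED):
    """True unless the action is excluded at this band and no special role
    held by the user lifts that exclusion."""
    if band not in BANDS:
        return False  # "None" in the access matrix, or an unknown band
    lifted = set()
    for role in special_roles:
        lifted |= SPECIAL_ROLE_OVERRIDES.get(role, set())
    return action not in (effective_exclusions(declared)[band] - lifted)
```

With this sample data, an exclusion set at Standard shows up at Basic as well, which is the first thing to check when a Basic-band user reports a missing action.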
Permission Access by Band
| Function | Accountant | Cashier | Junior Cashier | Manager | Partner | Lawyer | Paralegal |
|---|---|---|---|---|---|---|---|
| Approvals | Unrestricted | Unrestricted | Standard | Standard | Standard | Standard | Basic |
| Banking | Unrestricted | Unrestricted | Standard | Basic | None | None | None |
| Billing | Unrestricted | Unrestricted | Unrestricted | Standard | Standard | Standard | Basic |
| Client / Trust | Unrestricted | Standard | Standard | Basic | Basic | Basic | Basic |
| Dashboards | Unrestricted | Unrestricted | Unrestricted | Unrestricted | Standard | Standard | Basic |
| Disbursements | Unrestricted | Unrestricted | Unrestricted | Standard | Standard | Standard | Basic |
| Entities | Unrestricted | Unrestricted | Unrestricted | Standard | Basic | Basic | Basic |
| General Ledger | Unrestricted | Unrestricted | Standard | Basic | Basic | None | None |
| Matters | Unrestricted | Standard | Standard | Standard | Standard | Standard | Basic |
| Office Account | Unrestricted | Unrestricted | Standard | Basic | Basic | Basic | Basic |
| Purchase Ledger | Unrestricted | Unrestricted | Unrestricted | Standard | Standard | None | None |
| Reports | Unrestricted | Unrestricted | Standard | Unrestricted | Standard | Basic | Basic |
| Settings | Unrestricted | Unrestricted | Unrestricted | Unrestricted | None | None | None |
| Time Entries | Unrestricted | Unrestricted | Standard | Unrestricted | Standard | Standard | Standard |
Permission Exclusions by Feature
This section provides a summary of permission exclusions. For a full breakdown by feature and permission band, see Appendix: Detailed Permission Exclusions.
This appendix provides a detailed breakdown of permission exclusions across all system features and permission bands. It explains, at a granular level, which actions are restricted for each access level (Basic, Standard, and Unrestricted) within key areas of the system such as Banking, Billing, Client/Trust Accounts, Matters, Reporting, and Settings.
It is intended as a technical reference to support troubleshooting, access validation, and advanced configuration checks. Most users will not need to refer to this document as part of their day-to-day work.
Most access issues are due to exclusions, not system errors. Always check the user's role and permission band first.
Role Assignment: Step-by-Step
Add Role to New Employee
- Navigate to Directory → Employees
- Open employee record → Update → Employee → Update Employee
- Select Actions → View Permissions
- Choose the system role(s)
- Click Save (which will take you back to the Employee Details screen)
- Select Save & Close
Users cannot access the system until a role is assigned.
Remove Role from User
- Navigate to Settings → Firm Settings → Roles
- Hover over the role → Edit Users (group of people icon to the right of the Users column)
- Hover over the user → Remove User (select trash bin icon on last column)
- Click Save
Move Users Between Roles
Method 1 – Employee Record
- Directory → Employees → Employee card → Update → Employee → Update Employee
- Actions → View Permissions → select/deselect roles
- Click Save (which will take you back to the Employee Details screen)
- Select Save & Close
Method 2 – Roles Section in Firm Settings
- Settings → Firm Settings → Roles
- Remove user from existing role (following steps from "Remove Role from User" above) → Add to new role (hover over new role → Edit Users → Add User)
- Click Save
Common Role Assignment Mistakes
- Assigning Lawyer role to finance staff
- Giving Global Administrator unnecessarily
- Missing Access All Matters when required
- Users with conflicting roles
Recommendation: Assign the minimum permissions needed for the role.
Best Practices
- Assign roles based on job responsibilities
- Avoid giving Unrestricted permissions unnecessarily
- Use Special Roles only when required
- Review user access regularly
- Limit Global Administrator roles to system administrators
- Perform quarterly audits to ensure permissions remain appropriate
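One way to run the periodic review described above, as an added example that is not part of the product: a script that checks a role-assignment list against the mistakes and best practices on this page. The input format, the usernames in `SAMPLE` and the finding codes are constructed; the role names are those listed on this page, and treating Lawyer held alongside a finance role as a finding is an assumption based on the mistakes list.

```python
SYSTEM_ROLES = {"Global Administrator", "Accountant", "Cashier", "Junior Cashier",
                "Lawyer", "Paralegal", "Partner", "Manager", "Team Lead"}
SPECIAL_ROLES = {"Access All Matters", "Approve All Invoices",
                 "Approve All Requisitions"}
FINANCE_ROLES = {"Accountant", "Cashier", "Junior Cashier"}

# Constructed sample input: username -> roles currently assigned.
SAMPLE = {
    "a.khan": ["Accountant"],
    "b.lee": ["Lawyer", "Cashier"],
    "c.ortiz": ["Paralegal", "Access All Matters"],
    "d.moss": ["Global Administrator", "Partner"],
    "e.new": [],
    "f.ray": ["Approve All Invoices"],
}


def audit(assignments):
    """Return sorted (user, code, detail) findings for a reviewer to confirm."""
    findings = []
    for user, roles in assignments.items():
        held = set(roles)
        if not held & SYSTEM_ROLES:
            # Every user needs at least one system role to access the system.
            findings.append((user, "NO_SYSTEM_ROLE", ""))
        if "Global Administrator" in held:
            # Should be limited to system administrators.
            findings.append((user, "GLOBAL_ADMIN", ""))
        if "Lawyer" in held and held & FINANCE_ROLES:
            # Lawyer has no banking access; finance roles do.
            detail = ", ".join(sorted(held & FINANCE_ROLES))
            findings.append((user, "LAWYER_PLUS_FINANCE", detail))
        for special in sorted(held & SPECIAL_ROLES):
            # Special roles carry firm-wide authority.
            findings.append((user, "SPECIAL_ROLE", special))
        for unknown in sorted(held - SYSTEM_ROLES - SPECIAL_ROLES):
            findings.append((user, "UNKNOWN_ROLE", unknown))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```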