Permissions
What are permissions? Permissions in Atlar define what actions a user or API key is allowed to perform in your workspace. Use them to grant the right level of access to the right people or systems.
Below is a clarification of permission groups and their sub-permissions. Assign these to roles, and then assign roles to users or programmatic access.
Basic Access
'Basic access' grants the permissions needed to access and view the Dashboard. Every role should be assigned to this permission group. It allows users to view Memberships, Roles, their own Entities and Accounts, as well as Metadata Keys, Payment templates, Forecast configurations, and Affiliations.
| Sub-permission | Level | Definition |
|---|---|---|
| Accounts | READ | Accounts refers to your (bank-) Accounts & Wallets you have with your third-parties (e.g. banks or PSPs). The permission enables the role to view the organization’s own accounts. |
| Affiliations | READ | An affiliation denotes a relationship you have with a third-party. The permission enables the role to view the affiliations related to your organization. |
| Dashboards | READ | Dashboards are used to visualize data. They are customizable collections of graphs and tables in one single view. The permission enables the role to view all created dashboards within the organization. Note that this does not apply to the data within the dashboards, only their structure. The user will only be able to see the data that they have access to. |
| Entities | READ | Entities represent a business unit, used to group and manage related data like accounts or transactions. The permission enables the role to view the organization’s own entities. |
| Forecast configurations | READ | Forecast configurations are used to define the desired structure of a cash flow forecast. The permission enables the role to view the Forecast configurations. |
| Memberships | READ | Memberships define the association of users and organizations within the Atlar platform. It determines which roles the user has in one or multiple organizations, which in turn determines which resources can be accessed. The permission enables the role to view other users within the current organization, for example seeing other users' email addresses in the audit trail. |
| Metadata keys | READ | Metadata Keys are identifiers used to categorize, organize, and store additional information on any resource. For example, a Metadata Key can be the requirement to add a comment on each payment upon creation. The permission enables the role to view the keys themselves, for example "payment_comment", but does not give access to read the actual data, for example the text in the comment. |
| Payment templates | READ | Payment templates are designed to streamline and simplify the payment creation process by providing pre-filled blueprints for credit transfers. The permission enables the role to view created Payment templates. |
| Roles | READ | A role within the Atlar platform specifies the permissions and access levels assignable to users. The permission enables the role to view created roles. |
Read Financial Data
'Read financial data' grants a role the permissions needed to view financial and payment-related information, including Account Balances, Transactions, Counterparties, External Accounts, payments (Credit Transfers and Direct Debits), Direct Debit Mandates, and Approval chains. This permission group also allows users to view Account Sweeping Rules, Categorization Rules, Payment templates, and General Ledger Accounts and Entities. Additionally, users can create and export Reports and Views based on this data.
| Sub-permission | Level | Definition |
|---|---|---|
| Account balances | READ | An account balance is the balance of your account, either available or booked. The permission enables the role to view the organization's own account balances. |
| Account sweeping rules | READ | Automated processes that transfer funds from one account to another, typically from subsidiary accounts to a primary account, to optimize cash management and maintain target balances. |
| Accounts payables | READ | Accounts Payables (AP) represent money owed to counterparties. Typically Atlar reads this data from a connected ERP system. The permission enables the role to read all current and past APs. |
| Accounts receivables | READ | Accounts Receivables (AR) represent money owed by counterparties. Typically Atlar reads this data from a connected ERP system. The permission enables the role to read all current and past ARs. |
| Approval chains | READ | Define who must approve a payment before it is sent to the bank. The permission enables the role to view currently created approval chains, but not modify them. |
| Categorization rules | READ | Predefined criteria or conditions used to automatically sort, classify, or group transactions into specific categories. |
| Connection instruction events | READ | Events are actions or occurrences, such as user interactions or system changes, that trigger specific responses. Enables the user to see connection instruction events in the Audit trail. |
| Connection instructions | READ | Instructions Atlar pushes to the bank, for example payment instructions to perform client-initiated payments. |
| Connection reports | READ | Reports retrieved from the bank, usually raw files in XML format. |
| Counterparties | READ | A counterparty refers to a legal entity that you want to pay to or pull funds from. |
| Counterparty events | READ | Enables the role to view counterparty events in the Audit trail. |
| Credit transfers | READ | Instructions to push funds from one source account to another. |
| Dashboards | READ | Customizable collections of graphs and tables in one single view. Enables viewing of created dashboards, but not necessarily the underlying data (only the structure). |
| Direct debit events | READ | Enables the role to see direct debit events in the Audit trail. |
| Direct debits | READ | Instructions to pull funds from a source account to a destination account. |
| Expected transactions | READ | Anticipated incoming and outgoing cash flows, such as scheduled payments or planned expenses, that help predict the future financial position of an organization. |
| External accounts | READ | Accounts or wallets of the counterparty. When making a credit transfer to a vendor or customer, this is the destination account. |
| Forecast configurations | READ | Used to define the desired structure of a cash flow forecast. |
| Forecasted transactions | READ | Projected cash inflows and outflows based on historical trends and assumptions. Can be manually uploaded or sourced from other systems (e.g. ERP). |
| GL accounts | READ | General Ledger accounts ingested from your ERP system, used to pair against Atlar accounts. |
| GL entities | READ | General Ledger entities ingested from your ERP system, used to pair against Atlar entities. |
| Holdings | READ | A holding represents a specific financial instrument, such as a money market fund or fixed-term fund, within an investment portfolio. |
| Mandate events | READ | Enables the role to see mandate events in the Audit trail. |
| Mandates | READ | Holds authorization information allowing you to pull funds using direct debits. |
| Credit transfer events | READ | Enables the role to see credit transfer events in the Audit trail. |
| Payment templates | READ | Pre-filled blueprints for credit transfers. |
| Pending transactions | READ | Transactions received via intraday statements that remain in a "pending" state until reconciled via the end-of-day statement. |
| Portfolios | READ | A collection of financial instruments (holdings) managed together. Extra permissions are needed to view the underlying holdings and positions. |
| Reports | READ CREATE | Exported files created and saved based on any data in the Atlar platform (e.g. CSV transactions, PDF dashboards). Allows viewing and creating reports. |
| Transactions | READ | Fully processed transactions that are final and reflected in the account balance. |
| Views | READ CREATE | Predefined queries used to extract real-time statistics and export files. Enables viewing all saved queries and creating new ones (data visibility depends on other access). |
Initiate payments
'Initiate payments' grants a role the permissions needed to initiate Credit Transfers and Direct Debits and perform related actions, such as viewing and managing Direct Debit Mandates, Counterparties, and their corresponding External Accounts. It also allows users to manage Payment templates and Account Sweeping Rules.
| Sub-permission | Level | Definition |
|---|---|---|
| Account sweeping rules | READ CREATE UPDATE DELETE | Automated processes that transfer funds from one account to another, typically from subsidiary accounts to a primary account, to optimize cash management and maintain target balances. Enables the role to manage account sweeping rules (view/read, create, update, delete). |
| Counterparties | READ CREATE UPDATE DELETE | A counterparty refers to a legal entity that you want to pay to or pull funds from. Enables the role to manage counterparties (read, create, update, delete). |
| Credit transfers | CREATE | A credit transfer is an instruction to push funds from one source account to another. Enables the role to create credit transfers, but not approve them. |
| Direct debits | CREATE | A direct debit is an instruction to pull funds from a source account to a destination account. A valid mandate must exist before creation. Enables the role to create direct debits, but not approve them. |
| External accounts | READ CREATE UPDATE DELETE | External accounts are the accounts or wallets of the counterparty. When making a credit transfer to a vendor or customer, this is the defined destination account. Enables the role to manage external accounts (read, create, update, delete). |
| Mandates | READ CREATE UPDATE | A mandate is a resource in the Atlar platform holding information about the authorization granted by a legal entity (company or person) allowing you to pull funds using direct debits. Enables the role to manage existing mandates (read, create, update, but not delete). |
| Payment templates | READ CREATE UPDATE DELETE | Payment templates streamline and simplify the payment creation process by providing pre-filled blueprints for credit transfers. Enables the role to manage payment templates (read, create, update, delete). |
| Reconciliation | CREATE | Reconciliation is the process of pairing transactions on the bank statement with credit transfers or direct debits. Transactions can also be paired with expected transactions if they exist. Enables the role to manually pair and unpair transactions with their matched counterparts. |
Approve and reject payments
'Approve and reject payments' grants a role the permissions needed to approve and reject both Credit Transfers and Direct Debits. Note that having this permission alone may not be sufficient to approve payments; it depends on the specific approval chain setup.
| Sub-permission | Level | Definition |
|---|---|---|
| Credit transfers | UPDATE | A credit transfer is an instruction to push funds from one source account to another account. Enables the role to update credit transfers (for example, to approve or modify them as part of the approval process). |
| Direct debit approvals | UPDATE DELETE | Direct debit approvals relate to direct debits and grant permission to approve direct debit payments. Enables the role to approve created direct debits and delete those not yet approved. |
| Direct debits | UPDATE | A direct debit is an instruction to pull funds from a source account to a destination account. A valid mandate must exist before creation. Enables the role to update direct debits. |
| Credit transfer approvals | UPDATE DELETE | Credit transfer approvals relate to credit transfers and grant permission to approve credit transfer payments. Enables the role to approve created credit transfers and delete those not yet approved. |
Sensitive admin operations
'Sensitive admin operations' allows the role to view and manage Approval chains, Entities, Roles, and Memberships. Additionally, users can invite other users to the platform, manage Webhooks and Webhook keys, handle Affiliations with third parties, manage Connections and Connection secrets required for Atlar’s integration with third-party systems, and provision Accounts. This is a sensitive permission group and should only be assigned to platform administrators.
| Sub-permission | Level | Definition |
|---|---|---|
| Accounts | CREATE | Refers to your (bank) accounts and wallets with third parties (e.g. banks or PSPs). Enables the role to provision or ignore new accounts in the dashboard, either created manually or received via a third-party connection. |
| Affiliations | READ CREATE UPDATE DELETE | An affiliation denotes a relationship with a third party. Enables the role to manage the affiliations related to your organization (read, create, update, delete). |
| Approval chains | READ CREATE UPDATE DELETE | Approval chains configure the Atlar platform to require, or not, certain users (via their roles) to approve payments before Atlar sends instructions to the bank. Enables the role to manage approval chains (read, create, update, delete). |
| Connection secrets | READ CREATE UPDATE DELETE | Connection secrets belong to a connection and contain parameters or secrets required for Atlar to connect to a third party to fetch data or push instructions like payments. Enables the role to manage connection secrets. |
| Third-party connections | READ CREATE UPDATE DELETE | A third-party connection is a technical connection set up to a third party. A connection references an affiliation. Enables the user to manage connections (read, create, update, delete). |
| Entities | READ CREATE UPDATE DELETE | Entities represent a business unit used to group and manage related data like accounts or transactions. Enables the role to manage the organization’s own entities (read, create, update, delete). |
| Invitations | READ CREATE UPDATE DELETE | Invitations allow users to invite new members to the platform and organization. |
| Memberships | READ CREATE UPDATE DELETE | Memberships define the association of users and organizations within the Atlar platform. Determines user access rights, responsibilities, and the scope of interaction with organizational resources through their role. Enables the role to manage memberships. |
| Organizations | UPDATE | An organization is a dedicated environment within the Atlar platform where third-party connections are linked. Enables the role to update organization settings such as enabling four-eyes approvals, updating theming, and approving/rejecting change requests. |
| Resource events (Audit trail) | READ | Resource events record user and system actions, which can be viewed in the audit trail. |
| Roles | READ CREATE UPDATE DELETE | A role specifies the permissions and access levels assignable to users. Enables the role to manage roles (read, create, update, delete). |
| Webhook keys | CREATE DELETE | Webhook keys belong to webhooks and are unique credentials used to authenticate and secure communication between a webhook sender and receiver. Enables the user to create and delete webhook keys. |
| Webhooks | READ CREATE UPDATE DELETE | Webhooks are automated notifications sent to a specified URL when specific events or changes occur, allowing real-time data sharing and integration between systems. Enables the role to manage webhooks (read, create, update, delete). |
Set up programmatic access
'Set up programmatic access' allows the role to set up new programmatic access users based on existing roles, without managing current users. It also enables the management of Webhooks and the rotation of Webhook secret keys, allowing your systems to receive real-time HTTP POST payloads and respond to specific events.
| Sub-permission | Level | Definition |
|---|---|---|
| Memberships | READ CREATE | Memberships define the association of users and organizations within the Atlar platform. They determine which roles the user has in one or multiple organizations, which in turn determines which resources can be accessed. Enables the role to read memberships within the organization as well as create new memberships. This is a sensitive permission since it allows granting additional access to new users. |
| Roles | READ | A role within the Atlar platform specifies the permissions and access levels assignable to users. Enables the role to view created roles. |
| Webhook keys | CREATE DELETE | Webhook keys belong to webhooks and are unique credentials used to authenticate and secure communication between a webhook sender and receiver, ensuring that data is only sent and received by trusted parties. Enables the user to create and delete webhook keys. |
| Webhooks | READ CREATE UPDATE DELETE | Webhooks are automated notifications sent to a specified URL when specific events or changes occur, allowing real-time data sharing and integration between systems. Enables the role to manage webhooks (read, create, update, delete). |
Manage dashboard
'Manage dashboard' allows the role to configure the Atlar dashboard, including the creation of custom Views and Dashboards. It also grants the permissions needed to manage Categorization rules, Payment templates, and Metadata keys. Additionally, it enables the role to configure and manage Forecast configurations, Forecasted and Expected transactions, and General Ledger (GL) Accounts and Entities.
| Sub-permission | Level | Definition |
|---|---|---|
| Accounts | UPDATE | Refers to your (bank) Accounts & Wallets you have with your third-parties (e.g. banks or PSPs). Enables the role to update the organization’s own accounts, for example updating the alias (name) of the accounts. |
| Categorization rules | READ CREATE UPDATE DELETE | Categorization rules are predefined criteria or conditions used to automatically sort, classify, or group payments into specific categories based on predefined conditions. Enables the role to manage categorization rules (read, create, update, delete). |
| Dashboards | CREATE UPDATE DELETE | Dashboards are used to visualize data. They are customizable collections of graphs and tables in a single view. Enables the role to manage dashboards (create, update, delete). Note that the role will only be able to create dashboards with the data they have access to. |
| Expected transactions | READ CREATE UPDATE DELETE | Expected transactions refer to anticipated incoming and outgoing cash flows, such as scheduled payments, receivables, or planned expenses, that help predict the future financial position of an organization. Enables the role to manage expected transactions (read, create, update, delete). |
| Forecast configurations | READ CREATE UPDATE DELETE | Forecast configurations are used to define the desired structure of a cash flow forecast. Enables the role to manage forecast configurations (read, create, update, delete). |
| Forecasted transactions | READ CREATE UPDATE DELETE | Forecasted transactions relate to the Cash Flow Forecasting feature and are projected cash inflows and outflows based on historical trends, patterns, and assumptions, providing an estimate of future financial activities and their impact on cash flow. Enables the role to manage forecasted transactions (read, create, update, delete). |
| GL accounts | READ UPDATE | GL (General Ledger) Accounts are ingested from your chosen ERP system and paired against your Atlar accounts. Needed when using payment capabilities via the ERP system. Enables the role to view and update GL accounts in Atlar. |
| GL entities | READ UPDATE | GL (General Ledger) Entities are ingested from your chosen ERP system and paired against your Atlar entities. Needed when using forecasting capabilities against an ERP system. Enables the role to view and update GL entities in Atlar. |
| Metadata keys | CREATE UPDATE DELETE | Metadata Keys are identifiers used to categorize, organize, and store additional information about payments. Enables the role to manage the keys themselves (create, update, delete). Note that the role will also need READ permission to view created metadata keys. |
| Notification rules | READ CREATE UPDATE DELETE | Notification rules allow you to set up notifications from various sources in the Atlar dashboard, and customize how, when, and where they should be sent. Enables the role to fully manage how, when, and where notifications from Atlar should be sent. |
| Notifications | READ CREATE UPDATE DELETE | Notifications represent the notifications that the Atlar system has previously sent out. Enables the role to fully manage notifications. |
| Payment templates | CREATE UPDATE DELETE | Payment templates are designed to streamline and simplify the payment creation process by providing pre-filled blueprints for credit transfers. Enables the role to manage payment templates (create, update, delete). Note that the role will also need READ permission to view created templates. |
| Report schedules | READ CREATE UPDATE DELETE | A report can be seen as a snapshot of a table or dashboard. Report schedules can be used to set up a schedule for when to take these snapshots and store them. Enables the role to fully manage how reports should be scheduled. |
| Reports | READ CREATE UPDATE DELETE | Reports are exported files that can be created and saved based on any data in the Atlar platform. Multiple formats are supported, such as CSV or PDF. Enables the role to view and fully manage reports in the dashboard. |
| Themes | READ CREATE UPDATE DELETE | Theming is the option to customize the colors displayed on your dashboard to align with your company’s branding, ensuring a consistent and personalized visual experience. Enables the user to manage the settings for the entire organization (read, create, update, delete). |
| Views | READ CREATE UPDATE DELETE | Views are used to visualize data. They are predefined queries that can be used to extract real-time statistics and exported files. Enables the role to manage views within the organization (read, create, update, delete). Note that the role will only be able to create views with the data they have access to. |
ERP access
'ERP Access' grants the permissions needed for an ERP system to interact with the Atlar platform. It allows the ERP system to read financial data and create payments.
| Sub-permission | Level | Definition |
|---|---|---|
| ERP access | READ CREATE | Grants an ERP system the ability to read financial data (such as balances, transactions, and counterparties) and create payments within the Atlar platform. |
Updated 5 days ago