Permissions

Permissions in Atlar define what actions a user or API key is allowed to perform within your workspace. They help ensure the right level of access is granted to the right people or systems. Below is further clarification of the permissions and sub-permissions that can be given to a role.

Basic Access

'Basic access' grants the permissions needed to access and view the Dashboard. Every role should be assigned this permission group. It allows users to view Memberships, Roles, their own Entities and Accounts, as well as Metadata Keys, Payment templates, Forecast configurations, and Affiliations.

| Sub-permission | Level | Definition |
| --- | --- | --- |
| Accounts | READ | Accounts refers to the (bank) Accounts & Wallets you have with your third parties (e.g. banks or PSPs). The permission enables the role to view the organization's own accounts. |
| Affiliations | READ | An affiliation denotes a relationship you have with a third party. The permission enables the role to view the affiliations related to your organization. |
| Dashboards | READ | Dashboards are used to visualize data. They are customizable collections of graphs and tables in one single view. The permission enables the role to view all created dashboards within the organization. Note that this does not apply to the data within the dashboards, only their structure. The user will only be able to see the data that they have access to. |
| Entities | READ | An Entity represents a business unit, used to group and manage related data like accounts or transactions. The permission enables the role to view the organization's own entities. |
| Forecast configurations | READ | Forecast configurations are used to define the desired structure of a cash flow forecast. The permission enables the role to view the Forecast configurations. |
| Memberships | READ | Memberships define the association of users and organizations within the Atlar platform. A membership determines which roles the user has in one or multiple organizations, which in turn determines which resources can be accessed. The permission enables the role to view other users within the current organization, for example seeing other users' email addresses in the audit trail. |
| Metadata keys | READ | Metadata Keys are identifiers used to categorize, organize, and store additional information on any resource. For example, a Metadata Key can be the requirement to add a comment on each payment upon creation. The permission enables the role to view the keys themselves, for example "payment_comment", but does not give access to read the actual data, for example the text in the comment. |
| Payment templates | READ | Payment templates are designed to streamline and simplify the payment creation process by providing pre-filled blueprints for credit transfers. The permission enables the role to view created Payment templates. |
| Roles | READ | A role within the Atlar platform specifies the permissions and access levels assignable to users. The permission enables the role to view created roles. |

Read Financial Data

'Read financial data' grants a role the permissions needed to view financial and payment-related information, including Account Balances, Transactions, Counterparties, External Accounts, payments (Credit Transfers and Direct Debits), Direct Debit Mandates and Approval chains. This permission group also allows users to view Account Sweeping Rules, Categorization Rules, Payment templates, and General Ledger Accounts and Entities. Additionally, users can create and export Reports and Views based on this data.

| Sub-permission | Level | Definition |
| --- | --- | --- |
| Account balances | READ | An account balance is the balance of your account, either available or booked. The permission enables the role to view the organization's own Account balances. |
| Account sweeping rules | READ | Account sweeping rules are automated processes that transfer funds from one account to another, typically from subsidiary accounts to a primary account, to optimize cash management and maintain target balances. The permission enables the role to view created Account sweeping rules. |
| Accounts payables | READ | Accounts Payables (AP) represent money owed to counterparties. Typically Atlar reads this data from a connected ERP system. The permission enables the role to read all current and past APs. |
| Accounts receivables | READ | Accounts Receivables (AR) represent money owed by counterparties. Typically Atlar reads this data from a connected ERP system. The permission enables the role to read all current and past ARs. |
| Approval chains | READ | Approval chains define who must approve a payment before it is sent to the bank. They are configured based on user roles and can be customized to apply to specific payment types, amounts, currencies, creators, and more. The permission enables the role to view currently created Approval chains, but does not give them access to modify them. |
| Categorization rules | READ | Categorization rules are predefined criteria or conditions used to automatically sort, classify, or group transactions into specific categories. The permission enables the role to view created Categorization rules. |
| Connection instruction events | READ | Events are actions or occurrences, such as user interactions or system changes, that trigger specific responses within an application. The permission enables the user to see connection instruction events in the Audit trail. |
| Connection instructions | READ | Connection instructions belong to a connection and are instructions Atlar pushes to the bank, for example when Atlar pushes payment instructions to the bank to perform client-initiated payments. The permission enables the role to view Connection instructions. |
| Connection reports | READ | Connection reports belong to a connection and are reports Atlar retrieves from the bank, usually the raw file in XML format. The permission enables the role to view Connection reports. |
| Counterparties | READ | A Counterparty refers to a legal entity that you want to pay to, or pull funds from. The permission enables the role to view created Counterparties. |
| Counterparty events | READ | Events are actions or occurrences, such as user interactions or system changes, that trigger specific responses within an application. The permission enables the role to view counterparty events in the Audit trail. |
| Credit transfers | READ | A Credit Transfer is an instruction to push funds from one initiating (source) account to another account. The permission enables the role to view created Credit Transfers. |
| Dashboards | READ | Dashboards are used to visualize data. They are customizable collections of graphs and tables in one single view. The permission enables the role to view all created dashboards within the organization. Note that this does not apply to the data within the dashboards, only their structure. The user will only be able to see the data that they have access to. |
| Direct debit events | READ | Events are actions or occurrences, such as user interactions or system changes, that trigger specific responses within an application. The permission enables the role to see direct debit events in the Audit trail. |
| Direct debits | READ | A Direct Debit is an instruction to pull funds from a source account to the initiating (destination) account. The permission enables the role to view created Direct Debits. |
| Expected transactions | READ | Expected transactions refer to anticipated incoming and outgoing cash flows, such as scheduled payments, receivables, or planned expenses, that help predict the future financial position of an organization. The permission enables the role to view Expected transactions. |
| External accounts | READ | External Accounts are the Accounts or Wallets of the Counterparty. When making a credit transfer to a vendor or customer, it is the External Account that is defined as the destination. The permission enables the role to view External Accounts. |
| Forecast configurations | READ | Forecast configurations are used to define the desired structure of a cash flow forecast. The permission enables the role to view the Forecast configurations. |
| Forecasted transactions | READ | Forecasted transactions relate to the Cash Flow Forecasting feature and are projected cash inflows and outflows based on historical trends, patterns, and assumptions, providing an estimate of future financial activities and their impact on cash flow. The Forecasted transactions are either manually uploaded or can be automatically sourced from other systems (e.g. ERP). The permission enables the role to view Forecasted transactions. |
| GL accounts | READ | GL (General Ledger) Accounts are ingested from your chosen ERP system. GL accounts are ingested into Atlar in order for you to pair them against your Atlar accounts. This is for example needed when using our payment capabilities via the ERP system. It's also used in our forecasting product. The permission enables the role to view GL accounts in Atlar. |
| GL entities | READ | GL (General Ledger) Entities are ingested from your chosen ERP system. GL entities are ingested into Atlar in order for you to pair them against your Atlar entities. This is needed when using our forecasting capabilities against an ERP system. It's also used in our forecasting product. The permission enables the role to view GL entities in Atlar. |
| Holdings | READ | A holding represents a specific financial instrument, such as a money market fund or fixed-term fund, within an investment portfolio. Each holding can contain multiple positions over time that represent its value. The permission enables the role to view all holdings. |
| Mandate events | READ | Events are actions or occurrences, such as user interactions or system changes, that trigger specific responses within an application. The permission enables the role to see mandate events in the Audit trail. |
| Mandates | READ | A Mandate is a resource in the Atlar platform holding information about the authorization granted by the legal entity (company or person) allowing you to pull funds using Direct Debits. The permission enables the role to view existing Mandates. |
| Credit transfer events | READ | Events are actions or occurrences, such as user interactions or system changes, that trigger specific responses within an application. The permission enables the role to see credit transfer events in the Audit trail. |
| Payment templates | READ | Payment templates are designed to streamline and simplify the payment creation process by providing pre-filled blueprints for credit transfers. The permission enables the role to view created Payment templates. |
| Pending transactions | READ | Pending transactions relate to transactions received via intraday statements. These transactions will be in a "pending" state until reconciled via the EOD statement. The permission enables the user to view Pending transactions. |
| Portfolios | READ | A portfolio is a collection of financial instruments (holdings). It represents a grouping of investments that can be managed together, with each portfolio being associated with a specific entity and third-party provider. The permission enables the role to view all portfolios. Extra permissions are needed to view the underlying holdings and positions. |
| Reports | READ, CREATE | Reports are exported files that can be created and saved based on any data in the Atlar platform. Multiple formats are supported, such as CSV or PDF. A report can for example be a CSV file with exported transactions, counterparties or payments, or a PDF file with a snapshot of an Atlar dashboard with graphs and tables. The permission enables the role to view created reports and to create its own reports. |
| Transactions | READ | Transactions relate to transactions that have been fully processed and recorded in the account. These are final and reflected in the balance. The permission enables the role to view the organization's transactions. |
| Views | READ, CREATE | Views are used to visualize data. They are predefined queries that can be used to extract real-time statistics and exported files. The permission enables the role to view all saved queries within the organization. Note that this does not apply to the data within the views, only their structure. The user will only be able to see the data that they have access to. |

Initiate payments

'Initiate payments' grants a role the permissions needed to initiate Credit Transfers and Direct Debits and perform related actions, such as viewing and managing Direct Debit Mandates, Counterparties, and their corresponding External Accounts. It also allows users to manage Payment templates and Account Sweeping Rules.

| Sub-permission | Level | Definition |
| --- | --- | --- |
| Account sweeping rules | READ, CREATE, UPDATE, DELETE | Account sweeping rules are automated processes that transfer funds from one account to another, typically from subsidiary accounts to a primary account, to optimize cash management and maintain target balances. The permission enables the role to manage Account sweeping rules (read, create, update, delete). |
| Counterparties | READ, CREATE, UPDATE, DELETE | A Counterparty refers to a legal entity that you want to pay to, or pull funds from. The permission enables the role to manage Counterparties (read, create, update, delete). |
| Credit transfers | CREATE | A Credit Transfer is an instruction to push funds from one initiating (source) account to another account. The permission enables the role to create Credit Transfers, but does not give the permission to approve the Credit Transfer. |
| Direct debits | CREATE | A Direct Debit is an instruction to pull funds from a source account to the initiating (destination) account. In order to create a Direct Debit and pull funds, there must exist a Mandate. The permission enables the role to create Direct Debits, but does not give the permission to approve the Direct Debits. |
| External accounts | READ, CREATE, UPDATE, DELETE | External Accounts are the Accounts or Wallets of the Counterparty. When making a credit transfer to a vendor or customer, it is the External Account that is defined as the destination. The permission enables the role to manage External Accounts (read, create, update, delete). |
| Mandates | READ, CREATE, UPDATE | A Mandate is a resource in the Atlar platform holding information about the authorization granted by the legal entity (company or person) allowing you to pull funds using Direct Debits. The permission enables the role to manage existing Mandates (read, create, update, but not delete). |
| Payment templates | READ, CREATE, UPDATE, DELETE | Payment templates are designed to streamline and simplify the payment creation process by providing pre-filled blueprints for credit transfers. The permission enables the role to manage Payment templates (read, create, update, delete). |
| Reconciliation | CREATE | Reconciliation is the process of pairing transactions on the bank statement with Credit Transfers or Direct Debits. Transactions can also be paired with Expected Transactions, if they exist. If a transaction and payment have not been automatically paired by the Atlar system, a user can manually perform the pairing. The permission enables the role to manually pair and unpair transactions with their matched counterparts. |

Approve and reject payments

'Approve and reject payments' grants a role the permissions needed to Approve and Reject both Credit Transfers and Direct Debits. Note that having this permission alone may not be sufficient to approve payments; it depends on the specific approval chain setup.

| Sub-permission | Level | Definition |
| --- | --- | --- |
| Credit transfers | UPDATE | A Credit Transfer is an instruction to push funds from one initiating (source) account to another account. The permission enables the role to update Credit Transfers, for example |
| Direct debit approvals | UPDATE, DELETE | Direct debit approvals relate to direct debits and are a permission for the user to approve direct debit payments. The permission enables the role to approve created Direct Debits, and delete not already approved Direct Debits. |
| Direct debits | UPDATE | A Direct Debit is an instruction to pull funds from a source account to the initiating (destination) account. In order to create a Direct Debit and pull funds, there must exist a Mandate. The permission enables the role to update Direct Debits. |
| Credit transfer approvals | UPDATE, DELETE | Credit transfer approvals relate to credit transfers and are a permission for the user to approve credit transfer payments. The permission enables the role to approve created Credit Transfers, and delete not already approved Credit Transfers. |

Sensitive admin operations

'Sensitive admin operations' allows the role to view and manage Approval chains, Entities, Roles, and Memberships. Additionally, users can invite other users to the platform, manage Webhooks and Webhook keys, handle Affiliations with third parties, manage Connections and Connection secrets required for Atlar's integration with third-party systems, and provision Accounts. This is a sensitive permission group and should only be assigned to platform administrators.

| Sub-permission | Level | Definition |
| --- | --- | --- |
| Accounts | CREATE | Refers to the (bank) Accounts & Wallets you have with your third parties (e.g. banks or PSPs). The permission enables the role to provision or ignore new accounts in the dashboard, either created manually or received via a third-party connection. |
| Affiliations | READ, CREATE, UPDATE, DELETE | An affiliation denotes a relationship you have with a third party. The permission enables the role to manage the affiliations related to your organization (read, create, update, delete). |
| Approval chains | READ, CREATE, UPDATE, DELETE | Approval Chains configure the Atlar platform to require, or not, certain Users (via their Roles) to put their approval on Payments before Atlar sends the instruction to the bank. The permission enables the role to manage Approval chains (read, create, update, delete). |
| Connection secrets | READ, CREATE, UPDATE, DELETE | Connection Secrets belong to a Connection and are parameters and/or secrets that are required for Atlar to connect to the third party in order to fetch data, or push instructions like payments. The permission enables the role to manage Connection secrets (read, create, update, delete). |
| Third-party connections | READ, CREATE, UPDATE, DELETE | A Third-party connection is a technical connection you have set up to a third party. A connection references the Affiliation. The permission enables the user to manage Connections (read, create, update, delete). |
| Entities | READ, CREATE, UPDATE, DELETE | An Entity represents a business unit, used to group and manage related data like accounts or transactions. The permission enables the role to manage the organization's own entities (read, create, update, delete). |
| Invitations | READ, CREATE, UPDATE, DELETE | Invitations are a permission that allows users to invite new members to the platform and organization. |
| Memberships | READ, CREATE, UPDATE, DELETE | Memberships define the association of users and organizations within the Atlar platform. A membership determines the user's access rights, responsibilities, and the scope of interaction they have with the organizational resources through the Role they are given. The permission enables the role to manage the memberships. |
| Organizations | UPDATE | An organization is a dedicated environment within the Atlar platform to which your third-party connections are connected. The permission enables the role to update the organization settings, such as enabling four-eyes approvals, updating theming, and approving or rejecting change requests. |
| Resource events (Audit trail) | READ | Resource events are used to record user and system actions. These can be viewed in the Audit Trail. |
| Roles | READ, CREATE, UPDATE, DELETE | A role within the Atlar platform specifies the permissions and access levels assignable to users. The permission enables the role to manage roles (read, create, update, delete). |
| Webhook keys | CREATE, DELETE | Webhook keys belong to webhooks and are unique credentials used to authenticate and secure the communication between a webhook sender and receiver, ensuring that data is only sent and received by trusted parties. The permission enables the user to create and delete Webhook keys. |
| Webhooks | READ, CREATE, UPDATE, DELETE | Webhooks are automated notifications sent to a specified URL when specific events or changes occur, allowing real-time data sharing and integration between systems. The permission enables the role to manage Webhooks (read, create, update, delete). |

Set up programmatic access

'Set up programmatic access' allows the role to set up new programmatic access users based on existing roles, without managing current users. It also enables the management of Webhooks and the rotation of Webhook secret keys, allowing your systems to receive real-time HTTP POST payloads and respond to specific events.

| Sub-permission | Level | Definition |
| --- | --- | --- |
| Memberships | READ, CREATE | Memberships define the association of users and organizations within the Atlar platform. A membership determines which roles the user has in one or multiple organizations, which in turn determines which resources can be accessed. The permission enables the role to read memberships within the organization as well as create new memberships. This is a sensitive permission since it allows the role to give out more access to new users. |
| Roles | READ | A role within the Atlar platform specifies the permissions and access levels assignable to users. The permission enables the role to view created roles. |
| Webhook keys | CREATE, DELETE | Webhook keys belong to webhooks and are unique credentials used to authenticate and secure the communication between a webhook sender and receiver, ensuring that data is only sent and received by trusted parties. The permission enables the user to create and delete Webhook keys. |
| Webhooks | READ, CREATE, UPDATE, DELETE | Webhooks are automated notifications sent to a specified URL when specific events or changes occur, allowing real-time data sharing and integration between systems. The permission enables the role to manage Webhooks (read, create, update, delete). |

Manage dashboard

'Manage dashboard' allows the role to configure the Atlar dashboard, including the creation of custom Views and Dashboards. It also grants the permissions needed to manage Categorization rules, Payment templates, and Metadata keys. Additionally, it enables the role to configure and manage Forecast configurations, Forecasted and Expected transactions, and General Ledger Accounts and Entities.

| Sub-permission | Level | Definition |
| --- | --- | --- |
| Accounts | UPDATE | Refers to the (bank) Accounts & Wallets you have with your third parties (e.g. banks or PSPs). The permission enables the role to update the organization's own accounts, for example updating the alias (name) of the accounts. |
| Categorization rules | READ, CREATE, UPDATE, DELETE | Categorization rules are predefined criteria or conditions used to automatically sort, classify, or group payments into specific categories. The permission enables the role to manage Categorization rules (read, create, update, delete). |
| Dashboards | CREATE, UPDATE, DELETE | Dashboards are used to visualize data. They are customizable collections of graphs and tables in one single view. The permission enables the role to manage Dashboards (create, update, delete). Note that the role will only be able to create dashboards with the data that they have access to. |
| Expected transactions | READ, CREATE, UPDATE, DELETE | Expected transactions refer to anticipated incoming and outgoing cash flows, such as scheduled payments, receivables, or planned expenses, that help predict the future financial position of an organization. The permission enables the role to manage Expected transactions (read, create, update, delete). |
| Forecast configurations | READ, CREATE, UPDATE, DELETE | Forecast configurations are used to define the desired structure of a cash flow forecast. The permission enables the role to manage Forecast configurations (read, create, update, delete). |
| Forecasted transactions | READ, CREATE, UPDATE, DELETE | Forecasted transactions relate to the Cash Flow Forecasting feature and are projected cash inflows and outflows based on historical trends, patterns, and assumptions, providing an estimate of future financial activities and their impact on cash flow. The permission enables the role to manage the Forecasted transactions (read, create, update, delete). |
| GL accounts | READ, UPDATE | GL (General Ledger) Accounts are ingested from your chosen ERP system. GL accounts are ingested into Atlar in order for you to pair them against your Atlar accounts. This is needed when using our payment capabilities via the ERP system. The permission enables the role to view and update GL accounts in Atlar. |
| GL entities | READ, UPDATE | GL (General Ledger) Entities are ingested from your chosen ERP system. GL entities are ingested into Atlar in order for you to pair them against your Atlar entities. This is needed when using our forecasting capabilities against an ERP system. The permission enables the role to view and update GL entities in Atlar. |
| Metadata keys | CREATE, UPDATE, DELETE | Metadata Keys are identifiers used to categorize, organize, and store additional information about payments. Metadata Keys can be created, updated, read or deleted by the client themselves. For example, a Metadata Key can be the requirement to add a comment on each payment upon creation. The permission enables the role to manage the keys themselves, for example creating, updating or deleting a Metadata key for "payment_comment". Note that the role will also need READ permission to view created Metadata keys. |
| Notification rules | READ, CREATE, UPDATE, DELETE | Notification rules allow you to set up notifications from various sources in the Atlar dashboard, and customize how, when and where they should be sent. The permission enables the role to fully manage how, when, and where notifications from Atlar should be sent. |
| Notifications | READ, CREATE, UPDATE, DELETE | Notifications represent the notifications that the Atlar system has previously sent out. The permission enables the role to fully manage notifications. |
| Payment templates | CREATE, UPDATE, DELETE | Payment templates are designed to streamline and simplify the payment creation process by providing pre-filled blueprints for credit transfers. The permission enables the role to manage Payment templates (create, update, delete). Note that the role will also need READ permission to view created templates. |
| Report schedules | READ, CREATE, UPDATE, DELETE | A report can be seen as a snapshot of a table or dashboard. Report schedules can be used to set up a schedule for when to take these snapshots and store them. The permission enables the role to fully manage how reports should be scheduled. |
| Reports | READ, CREATE, UPDATE, DELETE | Reports are exported files that can be created and saved based on any data in the Atlar platform. Multiple formats are supported, such as CSV or PDF. A report can for example be a CSV file with exported transactions, counterparties or payments, or a PDF file with a snapshot of an Atlar dashboard with graphs and tables. The permission enables the role to view and fully manage reports in the dashboard. |
| Themes | READ, CREATE, UPDATE, DELETE | Theming is the option to customize the colors displayed on your dashboard to align with your company's branding, ensuring a consistent and personalized visual experience. The permission enables the user to manage the settings for the entire organization (read, create, update, delete). |
| Views | READ, CREATE, UPDATE, DELETE | Views are used to visualize data. They are predefined queries that can be used to extract real-time statistics and exported files. The permission enables the role to manage views within the organization (read, create, update, delete). Note that the role will only be able to create views with the data that they have access to. |

ERP access

'ERP Access' grants the permissions needed for an ERP system to interact with the Atlar platform. It allows the ERP system to read financial data and create payments.
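
The following is an added example, not Atlar code: a small linter that checks role definitions against the guidance stated on this page (every role has 'Basic access', 'Sensitive admin operations' only on administrator roles, Memberships CREATE treated as sensitive, write access to Metadata keys or Payment templates paired with READ). The `is_admin` flag, the finding names and the sample roles are assumptions made for illustration, and the initiate-and-approve check is a common segregation-of-duties policy that this page does not itself require.

```python
"""Added example: lint role definitions against the guidance on this page."""
# Group and sub-permission names are copied from the tables on this page; only
# the sub-permissions the checks need are listed. Roles are modelled locally
# and no Atlar API is called. All role data below is constructed.
ALL = {"READ", "CREATE", "UPDATE", "DELETE"}
WRITE = ALL - {"READ"}

GROUPS = {
    "Basic access": {"Metadata keys": {"READ"}, "Payment templates": {"READ"},
                     "Memberships": {"READ"}},
    "Read financial data": {"Payment templates": {"READ"}},
    "Initiate payments": {"Credit transfers": {"CREATE"},
                          "Direct debits": {"CREATE"},
                          "Payment templates": set(ALL)},
    "Approve and reject payments": {
        "Credit transfer approvals": {"UPDATE", "DELETE"},
        "Direct debit approvals": {"UPDATE", "DELETE"}},
    "Sensitive admin operations": {"Memberships": set(ALL),
                                   "Connection secrets": set(ALL)},
    "Set up programmatic access": {"Memberships": {"READ", "CREATE"}},
    "Manage dashboard": {"Metadata keys": set(WRITE),
                         "Payment templates": set(WRITE)},
}


def effective(groups):
    """Union the sub-permission levels granted by each permission group."""
    merged = {}
    for group in groups:
        for resource, levels in GROUPS.get(group, {}).items():
            merged.setdefault(resource, set()).update(levels)
    return merged


def lint_role(groups, is_admin=False):
    """Return a list of findings for one role (empty list means no findings)."""
    findings = [f"unknown-group:{g}" for g in groups if g not in GROUPS]
    perms = effective(groups)
    # Page: every role should be assigned 'Basic access'.
    if "Basic access" not in groups:
        findings.append("missing-basic-access")
    # Page: 'Sensitive admin operations' only for platform administrators.
    if "Sensitive admin operations" in groups and not is_admin:
        findings.append("sensitive-admin-on-non-admin")
    # Page: creating memberships is sensitive (it hands out access).
    if "CREATE" in perms.get("Memberships", set()):
        findings.append("can-create-memberships")
    # Page: managing these resources also needs READ to see what was created.
    for resource in ("Metadata keys", "Payment templates"):
        levels = perms.get(resource, set())
        if levels & WRITE and "READ" not in levels:
            findings.append(f"write-without-read:{resource}")
    # Assumption (reviewer policy, not stated on the page): flag roles that
    # can both create and approve payments. Whether an approval actually
    # succeeds still depends on the approval chain setup.
    creates = any("CREATE" in perms.get(r, set())
                  for r in ("Credit transfers", "Direct debits"))
    approves = any(perms.get(r)
                   for r in ("Credit transfer approvals", "Direct debit approvals"))
    if creates and approves:
        findings.append("initiate-and-approve")
    return findings


# Constructed sample roles: name -> (permission groups, is platform admin).
ROLES = {
    "Treasury analyst": (["Basic access", "Read financial data"], False),
    "Dashboard editor": (["Manage dashboard"], False),
    "Payments operator": (["Basic access", "Initiate payments",
                           "Approve and reject payments"], False),
    "Integration setup": (["Basic access", "Set up programmatic access"], False),
    "Support": (["Basic access", "Sensitive admin operations"], False),
}

if __name__ == "__main__":
    for name, (groups, is_admin) in ROLES.items():
        print(f"{name}: {lint_role(groups, is_admin) or 'ok'}")
```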