RBAC matrix
Generated from packages/auth/src/rbac.ts at build time. Cannot drift from code.
A check (✓) means the role has the action. The Product column tags whether an action is bound to one product (Payroll / Bookkeeping) or is product-neutral (client / template / staff admin surfaces).
| Action | Product | CLIENT_SUBMITTER | CLIENT_APPROVER | PAYROLL_EXECUTIVE | PAYROLL_LEAD | BOOKKEEPER | SENIOR_ACCOUNTANT | PLATFORM_ADMIN |
|---|---|---|---|---|---|---|---|---|
SUBMIT_INTAKE | PAYROLL | ✓ | ||||||
APPROVE_PAYROLL | PAYROLL | ✓ | ||||||
VIEW_CYCLE | PAYROLL | ✓ | ✓ | ✓ | ✓ | ✓ | ||
MANAGE_CYCLE | PAYROLL | ✓ | ✓ | ✓ | ||||
RESOLVE_ISSUE | PAYROLL | ✓ | ✓ | |||||
GENERATE_EXPORT | PAYROLL | ✓ | ✓ | |||||
UPLOAD_OUTPUT | PAYROLL | ✓ | ✓ | |||||
REQUEST_APPROVAL | PAYROLL | ✓ | ✓ | |||||
OVERRIDE_ISSUE | PAYROLL | ✓ | ||||||
VIEW_BATCH | BOOKKEEPING | ✓ | ✓ | ✓ | ||||
MANAGE_BATCH | BOOKKEEPING | ✓ | ✓ | ✓ | ||||
APPROVE_JOURNAL | BOOKKEEPING | ✓ | ✓ | ✓ | ||||
GENERATE_UPLOAD_FILE | BOOKKEEPING | ✓ | ✓ | ✓ | ||||
RECONCILE_BANK_TXN | BOOKKEEPING | ✓ | ✓ | ✓ | ||||
OVERRIDE_JOURNAL_FLAG | BOOKKEEPING | ✓ | ✓ | |||||
UPLOAD_TRIAL_BALANCE | BOOKKEEPING | ✓ | ✓ | ✓ | ||||
GENERATE_FINANCIAL_STATEMENT | BOOKKEEPING | ✓ | ✓ | ✓ | ||||
EXPORT_FINANCIAL_STATEMENT | BOOKKEEPING | ✓ | ✓ | ✓ | ||||
MANAGE_CLIENTS | — | ✓ | ✓ | ✓ | ||||
MANAGE_TEMPLATES | — | ✓ | ✓ | ✓ | ||||
MANAGE_STAFF | — | ✓ |
How to read this
- A role can perform an action across the platform if it has the cell checked.
- An action's product scope (when not —) means staff can only use it within that product. A Bookkeeper with `MANAGE_CLIENTS` (product-neutral) can edit any client; a Payroll Executive with `VIEW_CYCLE` (Payroll-scoped) cannot view bookkeeping batches even if the route doesn't 404.
- "Manage" actions imply read access; you don't need both `VIEW_CYCLE` and `MANAGE_CYCLE` together.
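The two rules above, product scoping and "Manage implies read", written as a resource-level check. This is an added example, not the code in packages/auth/src/rbac.ts: `can`, `ACTION_PRODUCT`, `IMPLIED_BY` and `GRANTS` are hypothetical names, the grants are a constructed subset, and encoding the implication as a lookup is an assumption.

```typescript
// Added example; every identifier defined here is hypothetical.
type Product = "PAYROLL" | "BOOKKEEPING";
type Role = "PAYROLL_EXECUTIVE" | "PAYROLL_LEAD" | "BOOKKEEPER";
type Action = "VIEW_CYCLE" | "MANAGE_CYCLE" | "VIEW_BATCH" | "MANAGE_CLIENTS";

// Product column of the matrix; null stands for the "—" (product-neutral) tag.
const ACTION_PRODUCT: Record<Action, Product | null> = {
  VIEW_CYCLE: "PAYROLL",
  MANAGE_CYCLE: "PAYROLL",
  VIEW_BATCH: "BOOKKEEPING",
  MANAGE_CLIENTS: null,
};

// Assumed encoding of "Manage implies read": holding the value satisfies the key.
const IMPLIED_BY: Partial<Record<Action, Action>> = {
  VIEW_CYCLE: "MANAGE_CYCLE",
};

// Constructed grants for this example only; the generated matrix is authoritative.
const GRANTS: Record<Role, ReadonlySet<Action>> = {
  PAYROLL_EXECUTIVE: new Set<Action>(["VIEW_CYCLE"]),
  PAYROLL_LEAD: new Set<Action>(["MANAGE_CYCLE"]),
  BOOKKEEPER: new Set<Action>(["MANAGE_CLIENTS"]),
};

// resourceProduct is the product of the record being touched, taken from the
// record itself (null for client / template / staff admin surfaces).
function can(role: Role, action: Action, resourceProduct: Product | null): boolean {
  const grants = GRANTS[role];
  const implying = IMPLIED_BY[action];
  const held =
    grants.has(action) || (implying !== undefined && grants.has(implying));
  if (!held) return false;

  const scope = ACTION_PRODUCT[action];
  // A product-scoped action only authorizes resources of that product,
  // whichever route the request arrived on. Product-neutral actions pass.
  return scope === null || scope === resourceProduct;
}
```

The check takes the product from the resource being accessed rather than from the route, which is what denies the Payroll Executive a bookkeeping batch even when the route resolves.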