Roles & Permissions (RBAC)
Veriproof uses role-based access control (RBAC) to restrict portal features to the users who need them. Every user in your tenant receives exactly one primary role when they are invited; that role can be supplemented with additional role grants for specific capabilities.
Only the CustomerAdmin role can manage role assignments. The tenant must always have at least one active CustomerAdmin — the system blocks removing the last admin.
The Five Customer Roles
CustomerAdmin
Full administrative access to the tenant. The CustomerAdmin can:
- Invite, deactivate, and manage all users
- Assign and revoke roles for any user
- Create, update, and delete applications
- Configure SSO, webhooks, notification channels, and API keys
- Set cost budgets and spend alerts
- Initiate data deletion and purge workflows
- View all audit logs and compliance reports
- Generate evidence packages and sign off on session reviews
CustomerComplianceOfficer
Focused on governance and evidential operations. A Compliance Officer can:
- Review and approve/reject session annotations
- Generate governance reports and evidence packages
- Manage GDPR erasure requests and legal holds
- View compliance scores, policy configurations, and audit trails
- Schedule automated compliance report exports
- Access AI Act, NIST AI RMF, and HIPAA/SOC 2 dashboards
Cannot invite users, change billing settings, or modify SSO configuration.
CustomerBusinessOwner
Focused on business metrics and cost oversight. A Business Owner can:
- View dashboards, analytics, and ROI reports
- Create and manage cost budgets and spend alerts
- View session volume trends and plan usage
- Access Business Outcome and DVR portfolio summaries
Cannot view session-level evidence, governance details, or manage users.
CustomerViewer
Read-only access across the portal. A Viewer can:
- Browse sessions, applications, and dashboards
- View governance summaries and compliance scores (no detail drill-down)
- View reports and evidence packages (read-only)
Cannot take any action that modifies data, configuration, or settings.
CustomerAuditor
Read-only access plus participation in formal audit engagements. An Auditor can do everything a Viewer can, plus:
- Access active audit engagements assigned to them
- Submit attestations against compliance controls
- Sign evidence packages during an engagement
- Access auditor-specific evidence views
This role is typically assigned to external auditors or internal audit staff who need to interact with engagements without having broader admin access.
Role Permissions Matrix
| Capability | Admin | ComplianceOfficer | BusinessOwner | Viewer | Auditor |
|---|---|---|---|---|---|
| Invite / deactivate users | ✅ | — | — | — | — |
| Assign / revoke roles | ✅ | — | — | — | — |
| Configure SSO | ✅ | — | — | — | — |
| Manage API keys | ✅ | — | — | — | — |
| Configure webhooks | ✅ | — | — | — | — |
| Create / delete applications | ✅ | — | — | — | — |
| Initiate data deletion | ✅ | — | — | — | — |
| Manage cost budgets | ✅ | — | ✅ | — | — |
| View dashboards & analytics | ✅ | ✅ | ✅ | ✅ | ✅ |
| View sessions (list) | ✅ | ✅ | ✅ | ✅ | ✅ |
| View session evidence detail | ✅ | ✅ | — | ✅ | ✅ |
| Approve / reject session reviews | ✅ | ✅ | — | — | — |
| Manage GDPR erasure / legal holds | ✅ | ✅ | — | — | — |
| Generate evidence packages | ✅ | ✅ | — | — | ✅ |
| Schedule compliance reports | ✅ | ✅ | — | — | — |
| View audit logs | ✅ | ✅ | — | — | ✅ |
| Submit audit engagement attestations | — | — | — | — | ✅ |
| View plan and billing details | ✅ | — | ✅ | — | — |
Assigning a Role
Open User Management
Navigate to Settings → Members and click on the user’s name to open their profile.
Open Role Assignments
Click the Roles tab on the user profile page.
Grant a Role
Click Assign role, select the role from the dropdown, and click Confirm.
The change takes effect immediately. The user’s next request to the portal will reflect the new role.
API
```
GET    /v1/users/{userId}/role-assignments
POST   /v1/users/{userId}/role-assignments
DELETE /v1/users/{userId}/role-assignments/{id}
```

To grant a role via the API:

```http
POST /v1/users/{userId}/role-assignments
Content-Type: application/json

{
  "role": "CustomerComplianceOfficer"
}
```

To list all role assignments across the entire tenant (CustomerAdmin only):

```
GET /v1/users/role-assignments
```

Revoking a Role
You cannot revoke the CustomerAdmin role from a user if they are the last admin in the tenant.
- Open the user’s profile in Settings → Members.
- Click the Roles tab.
- Click the × next to the role you want to remove.
- Confirm the revocation.
Role revocation takes effect on the user’s next request. Any active browser session they have open will enforce the updated permissions without requiring them to log out.
Default Role for New Invitations
When inviting a new user, the system defaults to CustomerAuditor — the least-privilege role. Elevate the role during invitation (or afterwards) only when the user’s responsibilities require it.
Multiple Roles
A user can hold more than one role simultaneously. Role grants are additive — the effective permission set is the union of all granted roles. For example, a user with both CustomerViewer and CustomerAuditor has auditor-level access in addition to standard read access.
Most users only need a single role. Multi-role grants are primarily useful for external auditors who also need standard read-only access between engagements.
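As an added example (not Veriproof's own code), the Python below encodes the permissions matrix above as data, computes a multi-role user's effective permissions as the union described in this section, and applies the last-admin rule from "Revoking a Role" before a DELETE call would be issued. The permission labels and the sample tenant are constructed for illustration and are not Veriproof identifiers.

```python
# Added example, not Veriproof's code: the permissions matrix above as data,
# used to compute a multi-role user's effective permissions (union of grants)
# and to enforce the "last CustomerAdmin" rule before a revocation call.
from typing import Dict, FrozenSet, List

ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "CustomerAdmin": frozenset({
        "invite_users", "assign_roles", "configure_sso", "manage_api_keys",
        "configure_webhooks", "manage_applications", "initiate_data_deletion",
        "manage_budgets", "view_dashboards", "view_sessions",
        "view_session_evidence", "review_sessions", "manage_erasure_holds",
        "generate_evidence_packages", "schedule_compliance_reports",
        "view_audit_logs", "view_billing"}),
    "CustomerComplianceOfficer": frozenset({
        "view_dashboards", "view_sessions", "view_session_evidence",
        "review_sessions", "manage_erasure_holds", "generate_evidence_packages",
        "schedule_compliance_reports", "view_audit_logs"}),
    "CustomerBusinessOwner": frozenset({
        "manage_budgets", "view_dashboards", "view_sessions", "view_billing"}),
    "CustomerViewer": frozenset({
        "view_dashboards", "view_sessions", "view_session_evidence"}),
    "CustomerAuditor": frozenset({
        "view_dashboards", "view_sessions", "view_session_evidence",
        "generate_evidence_packages", "view_audit_logs", "submit_attestations"}),
}

def effective_permissions(roles: List[str]) -> FrozenSet[str]:
    """Grants are additive: the effective set is the union over all roles."""
    result: set = set()
    for role in roles:
        result |= ROLE_PERMISSIONS[role]  # KeyError surfaces a misspelt role
    return frozenset(result)

def can_revoke(tenant: Dict[str, List[str]], user_id: str, role: str) -> bool:
    """False if `role` is not held, or if revoking it removes the last admin.
    `tenant` maps user id -> granted roles (constructed sample data)."""
    if role not in tenant.get(user_id, []):
        return False
    if role != "CustomerAdmin":
        return True
    admins = [u for u, r in tenant.items() if "CustomerAdmin" in r]
    return len(admins) > 1

# Constructed tenant: one admin, one auditor who also holds Viewer.
SAMPLE_TENANT = {
    "u-admin": ["CustomerAdmin"],
    "u-audit": ["CustomerViewer", "CustomerAuditor"],
}
```

Run `can_revoke` against your current assignment list (from `GET /v1/users/role-assignments`) before issuing the DELETE, so the client fails the same way the portal does rather than relying on the server-side block alone.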