Overview
Aptly uses a hybrid authorization model:- Roles (RBAC) – grant modules and actions (view, create, approve, manage, revoke)
- Scopes – tenant-wide or limited to specific Groups (dept, entity, region, etc.)
- Fine-Grained Authorization (FGA/ABAC) – evaluates user attributes and capacities on each record (e.g., Owner, Issuer, Recipient, Role Designee) and group membership from your directory/HRIS.
How access is evaluated
- Module access: Can the user enter the module? (Decisions, Delegations, Matrices, Documents, Actions, Reports, Settings)
- Permission + scope: Does the role grant the needed action (e.g.,
approve_delegations) at tenant level or within the assigned Groups? - Record capacity / sharing: For many actions, users must also be an Owner, Issuer, Recipient, Role Designee, or part of a shared user/group on the record.
- Inheritance: Certain capabilities propagate from tenant → group → record (e.g., viewing group delegations enables viewing specific delegations owned by that group).
Example: Approving a redelegation may require approve_delegations and being an Issuer on the parent delegation (or having the required group relationship), per policy.
Default roles (non-editable)
Default roles ship with Aptly and can be cloned to create Custom roles. Defaults themselves cannot be edited.| Role | Description |
|---|---|
| System Admin | Unrestricted view, edit, archive, and delete across all modules and records; full control of users, permissions, system settings, and logs. |
| Global Authority Manager | Tenant-wide management of decisions, root delegations, approvals, matrices, actions, and documents; access to reporting/logs/version history; excludes system configuration. |
| Group Authority Manager | Same as Global Authority Manager but limited to assigned Groups; excludes tenant configuration; includes reporting/logs/version history. |
| Global User | View all decisions/delegations, matrices, actions, and documents; may request authority and delegate only authority granted to them; edit/version history limited to records where they are directly involved. |
| Group User | Operational access like Global User but restricted to assigned Groups; request authority and delegate only what has been granted to them; limited edit/history on directly involved records. |
| Restricted User | Minimal, targeted access to records explicitly shared with them or where they are an owner/issuer/recipient; no change-log/version history; may only edit where directly involved. |
| Auditor | Read-only across the tenant, including logs and version history; no modifications allowed. |
To tailor access, clone a default role (or create from scratch) and then adjust permissions, scopes, name, and description.
Permissions & scopes
Permissions are granular and scoped to Tenant (All) or Group. Common examples (not exhaustive):Decisions
create_decisions,edit_decisions,archive_decisions,delete_decisionsissue_root_delegations(root),issue_delegation_decisionsview_history_decisions,view_log_decisions- Scope: Tenant or Group (e.g.,
view_group_decisions)
Delegations
view_delegations,edit_delegations,approve_delegations,archive_delegations,delete_delegationsissue_delegation_delegations(child),request_delegationsmanage_roles_delegations,change_issuer_delegations,limit_override_delegations- Scope: Tenant or Group (e.g.,
approve_group_delegations)
Matrices
create_matrices,edit_matrices,share_matrices,archive_matrices,delete_matrices- Owner/user/group-shared variants (e.g.,
view_user_shared_matrices)
Documents
create_documents,edit_documents,share_documents,archive_documents,delete_documents,download- Role-based capacities on a document: Responsible, Reviewer, Approver (e.g.,
approve_reject,review) - Owner/user/group-shared variants and log/history viewers
Actions & Reports
create_actions,edit_actions,delete_actions(owner/assignee variants)create_reports,edit_reports,archive_reports,delete_reports
Settings
manage_account_settings,manage_users,manage_roles,manage_groups,manage_notifications,manage_subscription,view_access_logs,manage_api_keys,manage_user_api_keys
Record capacities (FGA)
Many endpoints and UI actions check who you are to the record in addition to role permissions:- Owner (e.g., decision/matrix/document/report owner)
- Issuer or Recipient (delegations)
- Role Designee (delegations)
- Responsible / Reviewer / Approver (documents)
- Shared user/group (matrices, documents)
Custom roles
Create a role from scratch—or clone a default—and then:- Select module permissions and actions
- Set the scope (Tenant “All” or specific Groups)
- (Optionally) constrain outcomes with directory/HRIS group assignments and workflows
Example: “Regional Legal Manager” withapprove_delegations+view_decisions, scoped to Legal and EMEA Entities groups.
Tips for admins
- Start broad, constrain with groups: Give the minimal tenant-level permissions required; use Group scopes and FGA capacities to narrow real-world access.
- Use cloning for consistency: Clone a default role, rename, then adjust only what’s needed.
- Audit visibility vs. change rights: Auditors see everything (incl. logs/history) without edit rights; Restricted Users see only what’s shared/involved.
- Test with a pilot user: Validate effective access by assigning the intended mix of role + groups + capacity, then review available actions in UI/API.
Need help modeling roles and FGA to match your org structure?
Email [email protected] and we’ll walk through a recommended design.
Email [email protected] and we’ll walk through a recommended design.