Roles & Permissions
Learn how Aptly roles define access and control across delegations, decisions, documents, and administrative settings.
Overview
Aptly uses a role-based access model powered by fine-grained permissions. Roles determine what users can see, do, and manage across the system — from global configuration to group-specific delegation workflows.
Every user in Aptly is assigned one or more roles, scoped at the tenant or group level.
🧰 Default Roles
Aptly provides a set of default roles designed to cover most core responsibilities out of the box:
| Role | Description |
|---|---|
| System Administrator | Full access to all decisions, groups, users, and tenant-level settings. |
| Global Authority Manager | Can issue new root delegations and manage all authority structures. |
| Delegation Admin | Can manage and approve delegations, but cannot issue new root delegations. |
| Group Administrator | Manages users, roles, and delegations only within assigned groups. |
| Document Manager | Can upload, edit, and link documents to decisions and delegations. |
| Viewer | Read-only access to approved delegations, decisions, and documentation. |
You can clone and customize default roles, but their base behavior cannot be changed.
🧱 Permissions
Roles are built by combining permissions, which define:
- Module access (e.g., Delegations, Documents, Groups)
- Action type (e.g., view, create, approve)
- Scope (Global or Group-specific)
Example permissions:
| Permission | Grants ability to… |
|---|---|
can_view_decisions | View Decisions associated with the user or their groups |
can_create_root_delegation | Issue new root-level delegations |
can_approve_delegation | Review and approve delegation workflows |
can_manage_groups | Create or edit custom groups |
can_upload_documents | Manage documents linked to decisions and delegations |
Permissions are enforced through Aptly’s authorization engine and reflected in the UI and API responses.
🗺️ Scope: Tenant vs. Group
Each permission is scoped to one of two levels:
- Tenant-wide (All): Grants access across the entire organization
- Group-scoped: Limits actions to the groups the user is assigned to (e.g., “France”, “Finance”, “Legal”)
Scopes apply to all key actions — viewing, approving, editing, and reporting.
🧩 Creating Custom Roles
Admins can create custom roles that mirror organizational needs more precisely:
- Choose a base role (optional)
- Select the desired permissions
- Define the appropriate scope (
Allor specific Groups)
Example: A “Regional Legal Manager” role may include:
can_approve_documentcan_view_delegations- Scoped to: Legal Department (Group)
👥 Role Assignment
Roles are assigned in the User Management area and can be adjusted at any time. Each user can hold:
- Multiple roles concurrently
- Roles scoped across different teams or departments
- Time-bound roles (e.g., for special projects or interim approvals)
Roles are visible on each user’s profile and determine their platform experience.
🧾 Related Pages
Need help setting up the right roles for your org?
Contact [email protected] — we’re happy to assist.