Settings — Access Levels

The Settings ▸ Access Levels page is where admins control the platform’s role + permission model for their tenant. Two sections: a reference card that documents what each role can do, and a team list with per-user role + HR-add-on controls.

Owner-only actions are also gated server-side, so any change here respects the same permission rules as the rest of the platform — admins cannot self-promote past their permissions, and last-Owner demotion is blocked.

Settings Access Levels — Acme Financial Group demo tenant

Anatomy of the page

PageHeader with the title Access Levels and a one-line description.

2. Permission reference card

Section header “What can each Access Level do?” followed by a 2-column grid with one card per role:

Role icon + name
Capability list (checkmarks for what the role can do)
Capability list (red x for what the role cannot)

The card is informational only — it documents the platform’s seeded permission catalogue. Per-action overrides (when needed) are configured server-side.

3. Team list

Section header “Team” followed by a per-user row:

Avatar + display name + email
Role dropdown — current role, with disable rules for lockout protection
HR add-on toggle — only on Manager / General users

Changes save inline; no batch-save button.

The role model

Athenty’s role model is fixed in code. The four roles ship with documented default capabilities:

Role	Capabilities
Owner	Full platform + billing + dangerous deletions
Admin	Settings + team management; no billing
Manager	Matter-responsible work; team management within reporting line
General	Day-to-day verifications and envelopes

The reference card on this page is generated from the same permission catalogue that gates server-side authorization, so it stays in sync with the actual enforcement.

HR Management add-on

A boolean per-user flag that grants HR access (employment data, compensation, health, IDV review under Settings ▸ Team) without elevating to Admin. Use cases:

HR specialists who need people-data but not platform-admin powers
Office managers who handle onboarding/offboarding records
Compliance staff who track credentials + IDV status

Add-on toggle behaviour:

Visible only on Manager + General users
Settable by any Owner / Admin
Persists independently of the role; promoting later doesn’t toggle it
Audit-logged separately as user.hr_role_granted / _revoked

Lockout protections

The platform refuses two transitions to prevent admin lockout:

Refused transition	Why
Demote yourself from Owner	Prevents accidental self-lockout
Demote the last Owner (any actor)	Tenant must have ≥ 1 Owner

To rotate ownership, promote a new Owner first, then demote the old one.

Permissions and scope

Role	View	Set roles	Toggle HR	Demote Owner
Owner	✓	✓ (any → any)	✓	✓ (not last)
Admin	✓	✓ (not Owner)	✓	✗
Manager	✗	✗	✗	✗
General	✗	✗	✗	✗
Viewer	✗	✗	✗	✗

/settings/access-levels is admin-only via RoleGuard.

Audit logging

Action	Event
Role change	`user.role_updated` (with old + new role)
HR grant	`user.hr_role_granted`
HR revoke	`user.hr_role_revoked`

Events surface in Settings ▸ Audit Log.

Troubleshooting

Symptom	Most likely cause	Fix
Cannot demote	Target is last Owner	Promote another Owner first
Owner role disabled in dropdown	Acting role is Admin	Have an Owner make the change
HR toggle missing	Target is Owner / Admin	They already have HR via role
Role change not applying	User session cached	User signs out + back in
Capability missing on the reference	Plan tier exclusion	Verify in Settings ▸ Billing

Settings ▸ Team — primary team-management surface
Settings ▸ Audit Log — user.role_updated and user.hr_* events
Settings ▸ Billing — plan tier gates some role capabilities