Roles & Permissions
Detailed breakdown of roles, hierarchy levels, and granular permissions.
Beel implements hierarchical role-based access control with three distinct levels. Each role is assigned a hierarchy level, ensuring users can only manage team members with lower privilege levels.
Role Comparison
| Capability | Owner | Member | Auditor |
|---|---|---|---|
| View invoices | Yes | Yes | Yes |
| Create/edit/delete invoices | Yes | Yes | Yes |
| Export invoices | Yes | Yes | Yes |
| Download attachments | Yes | Yes | Yes |
| Upload attachments | Yes | Yes | No |
| Connect Gmail | Yes | Yes | No |
| Trigger scans | Yes | Yes | No |
| View scan history | Yes | Yes | Yes |
| Access analytics | Yes | Yes | No |
| Manage settings | Yes | Configurable | No |
| Manage members | Yes | Configurable | No |
| Manage billing | Yes | Configurable | No |
| Manage roles | Yes | Configurable | No |
| Delete account | Primary owner only | No | No |
Granular Permissions
Owners can assign additional permissions to Members to delegate specific administrative tasks:
| Permission | Description |
|---|---|
| roles.manage | Change team member roles and hierarchy |
| billing.manage | View and manage subscription and billing |
| settings.manage | Modify account settings and company profile |
| members.manage | Add and remove team members |
| invites.manage | Send and revoke team invitations |
This lets you create flexible access patterns. For example, designate a senior accountant as a Member with the members.manage permission so they can onboard new team members during busy season.
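The sketch below shows how the role table, the Member-only granular permissions, and the hierarchy rule combine into one deny-by-default check. It is an added example, not Beel's code. The numeric levels, the capability names other than the five permissions listed above, and the choice to give Owners invites.manage are all assumptions.

```python
from dataclasses import dataclass, field

# Assumed numeric levels: the page says roles have hierarchy levels but gives no values.
LEVEL = {"owner": 3, "member": 2, "auditor": 1}

# Baselines taken from the Role Comparison table (capability names are hypothetical).
AUDITOR = {"invoices.view", "invoices.write", "invoices.export",
           "attachments.download", "scans.history"}
MEMBER = AUDITOR | {"attachments.upload", "gmail.connect",
                    "scans.trigger", "analytics.view"}
# The five granular permissions listed on this page.
GRANTABLE = {"roles.manage", "billing.manage", "settings.manage",
             "members.manage", "invites.manage"}
# Assumption: Owners hold every grantable permission, including invites.manage.
BASELINE = {"owner": MEMBER | GRANTABLE, "member": MEMBER, "auditor": AUDITOR}


@dataclass
class User:
    name: str
    role: str
    grants: set = field(default_factory=set)
    primary_owner: bool = False


def can(user, capability):
    """Deny by default: allow only a role baseline or a Member's explicit grant."""
    if capability == "account.delete":
        return user.role == "owner" and user.primary_owner
    if capability in BASELINE.get(user.role, set()):
        return True
    # Grants are honoured for Members only; a stray grant on an Auditor is ignored.
    return user.role == "member" and capability in (user.grants & GRANTABLE)


def can_manage(actor, target, capability="members.manage"):
    """The actor needs the capability AND the target must sit at a strictly lower level."""
    return can(actor, capability) and LEVEL[actor.role] > LEVEL[target.role]
```

Note the second condition in `can_manage`: a Member holding members.manage can act on Auditors but not on other Members or on Owners, which is what keeps a delegated permission from becoming a path to privilege escalation.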
The Auditor Role
The Auditor role deserves special attention. It's specifically designed for external reviewers who need to work with your financial data:
- Invoice access — Can view, create, edit, delete, and export invoices
- No sensitive access — Cannot see Gmail OAuth connections or tokens
- No operational actions — Cannot trigger scans, upload attachments, or connect Gmail
- No analytics — Cannot access analytics dashboards
- No admin access — Cannot view settings, members, or billing
This makes it safe to invite your external accountant, auditor, or compliance reviewer while giving them the invoice access they need without exposing sensitive credentials or administrative controls.
Best Practices
Principle of Least Privilege
- Start new team members as Auditors during onboarding
- Promote to Member once they need operational access
- Reserve Owner for executives and senior finance leaders
Regular Access Reviews
- Remove former employees or contractors promptly
- Adjust roles as responsibilities change
- Revoke pending invitations that are no longer needed