Mercoa Role-Based Access Control (RBAC)

Mercoa provides out-of-the-box Role-Based Access Control (RBAC) across its Accounts Payable (AP) experience.

This feature allows administrators to customize the experience on a user level based on the roles and permissions assigned to that user. You can precisely control what different users can see and do within Mercoa. Thoughtful configuration ensures security, adherence to your organization’s processes, and operational efficiency.

Configuration

RBAC controls are managed within the Developer Settings of Mercoa. Here, administrators can define custom Roles and assign the specific Permissions that constitute each Role.

Core Concepts: Roles and Permissions

  • Roles: Represent job functions or levels of access within your organization (For example: Invoice Creator, AP Manager, Approver). Users are assigned one or more roles. Designing roles based on the principle of least privilege is recommended.
  • Permissions: Define granular actions a Role is allowed to perform (For example: view specific invoice statuses, create counterparties, approve payments). Each permission grants a specific capability. Understanding the scope of each permission is key to effective role design.

By assigning Permissions to Roles, and Roles to Users, you create a tailored experience reflecting your operational needs.

Best Practices & Common Scenarios

  • Principle of Least Privilege: Grant only the permissions necessary for a user to perform their designated tasks. Avoid overly broad wildcard permissions such as invoice.all or counterparty.all unless they are absolutely necessary for administrative roles.
  • Use Role Templates: If Mercoa offers pre-defined role templates, use them as a starting point and customize as needed.
  • Regular Audits: Periodically review assigned roles and permissions to ensure they are still appropriate.
  • Scenario: Read-Only Auditor: Create a role with only *.view.* permissions across relevant resources (Invoices, Counterparties, Payment Methods, Users) for audit purposes.
  • Scenario: Segregation of Duties: Ensure roles for critical functions like approving invoices (invoice.update.APPROVED) are separate from roles that can schedule payments (invoice.update.SCHEDULED).

Comprehensive Permissions List

Below is the detailed list of currently available RBAC permissions in Mercoa, categorized by resource.

(Note: Most permissions granting creation, update, or deletion capabilities implicitly require corresponding view permissions to allow the user to select or identify the target resource.)

Invoices (invoice.*)

  • invoice.all: Full control over invoices. Grants all other invoice.* permissions. Use with caution.
  • invoice.view.all: View all invoices, regardless of status.
  • invoice.view.[STATUS]: View invoices only when they are in the specified [STATUS] (For example: DRAFT, NEW, APPROVED). Multiple statuses can be granted.
  • invoice.create.all: Create invoices or update existing invoices into any status.
  • invoice.create.[STATUS]: Create invoices or update existing invoices into the specified [STATUS].
    • Note: invoice.create.NEW is specifically required to enable the assignment of approvers during invoice creation or update.
    • Note: invoice.create.SCHEDULED is specifically required to enable setting the scheduled payment date and payment source/destination details.
  • invoice.delete: Delete invoices, typically those still in a non-processed state such as DRAFT. Usually used for cleanup before processing begins.
  • invoice.comment.view: Allows viewing comments associated with an invoice.
  • invoice.comment.create: Allows adding new comments to an invoice. Often granted alongside invoice.comment.view.
  • invoice.approver.override: Allows changing or removing assigned approvers on an invoice, even after initial assignment. This is a powerful permission for managers or administrators.
  • invoice.check.print: Allows initiating the printing of a physical check when using check payments with the PRINT delivery method.

Approvals (approvals.*)

  • approvals.all: Full control over approval policies (viewing, creating, updating, deleting).
  • approvals.view: View the currently configured approval policies.

Users (users.*)

  • users.create: Add new users to an entity within the organization.
  • users.view: View the list and details of users within an entity.
  • users.delete: Remove users from an entity.

Notification Policy (notificationPolicy.*)

  • notificationPolicy.view: View the current notification policy settings.
  • notificationPolicy.update: Change the notification policy settings. Requires notificationPolicy.view.

Payment Methods (paymentMethod.*)

  • paymentMethod.view: View configured payment methods (For example: bank accounts, cards) associated with an entity.
  • paymentMethod.create: Add new payment methods to an entity.
  • paymentMethod.update: Change existing payment methods. Requires paymentMethod.view.
  • paymentMethod.delete: Archive or delete payment methods. Requires paymentMethod.view.

Counterparty (counterparty.*)

  • counterparty.all: Full control over counterparties (vendors/customers). Grants all other counterparty.* permissions.
  • counterparty.create: Create new counterparties or link existing ones to an entity.
  • counterparty.edit: Change details of existing counterparties. Requires counterparty.view.
  • counterparty.view: View the list and details of existing counterparties.

Example: Invoice Workflow Roles & Permissions

The following example, based on a common invoicing workflow, illustrates how different roles can be configured using specific permissions. Note: Effective roles often require combinations of permissions (For example: an ‘update’ action usually requires a corresponding ‘view’ permission to find the item first).

1. Creator Role

  • Responsibility: Enters new invoices into the system.
  • Actions Shown: Can view and create Draft invoices. Further actions are restricted after creation.
  • Required Permissions (Example):
    • invoice.view.draft: To view invoices in draft status.
    • invoice.create.draft: To create new invoices and save them as drafts.

2. Editor Role

  • Responsibility: Reviews draft invoices, adds necessary details (like approvers), and submits them for approval.
  • Actions Shown: Views invoices needing editing (For example: Drafts), assigns approvers, submits the invoice for approval.
  • Required Permissions (Example):
    • invoice.view.draft: To see the invoices needing editing.
    • invoice.view.new: To assign approvers. The permission list notes link this capability specifically to the NEW status permission.
    • invoice.update.draft: To change details of an invoice while it’s still in draft status.
    • invoice.update.new: To update the invoice status to NEW (or a similar pending status) after editing and assigning approvers, signifying it’s ready for approval.

3. Approver Role

  • Responsibility: Reviews invoices submitted for approval and makes an approval decision.
  • Actions Shown: Views invoices that are Ready for Review, approves the invoice. Cannot schedule payments.
  • Required Permissions (Example):
    • invoice.update.approved: To update the invoice status to APPROVED after review.
    • invoice.view.new: To view invoices that are in the NEW status (or relevant pending status) awaiting approval.
    • invoice.view.approved: To view invoices that are approved (perhaps for reference or if needing to comment post-approval).
    • invoice.update.new: To change invoice details while it is in the NEW status (For example: add comments or minor corrections before approval/rejection). (Note: May not be needed depending on workflow rules).

4. Scheduler Role

  • Responsibility: Schedules approved invoices for payment.
  • Actions Shown: Views Approved invoices, selects a deduction date, and schedules the payment.
  • Required Permissions (Example):
    • invoice.view.approved: To view invoices that are ready to be scheduled.
    • invoice.update.scheduled: To set the deduction date, payment source/destination, and update the status to Scheduled. The permission list notes link this capability to the SCHEDULED status permission. Requires view permission for the invoice being scheduled.
    • invoice.view.scheduled: To view invoices that have already been scheduled for payment (For example: for tracking or reporting).

This example demonstrates how combining specific permissions creates distinct roles, guiding users through the workflow according to their responsibilities.
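The following is an added example in Python, not Mercoa's own code or API: it models the wildcard rules from the permissions list (invoice.all grants every invoice.* permission, invoice.view.all grants every invoice.view.[STATUS]), encodes the workflow roles above as data, and audits them for the segregation-of-duties rule and the implicit view requirement described under Best Practices and in the note before the permissions list. The role definitions, the extra AP Admin role, and the assumption that update/edit actions need the matching view permission are constructed here for illustration.

```python
from typing import Dict, List, Set, Tuple

# Constructed roles mirroring the workflow example, plus an admin holding invoice.all.
ROLES: Dict[str, Set[str]] = {
    "Creator": {"invoice.view.DRAFT", "invoice.create.DRAFT"},
    "Approver": {"invoice.view.NEW", "invoice.view.APPROVED", "invoice.update.APPROVED"},
    "Scheduler": {"invoice.view.APPROVED", "invoice.view.SCHEDULED", "invoice.update.SCHEDULED"},
    "AP Admin": {"invoice.all", "counterparty.edit"},
}

def grants(held: str, wanted: str) -> bool:
    """True if one held permission satisfies one wanted permission, using the
    wildcard rules from the list: '<resource>.all' grants every '<resource>.*',
    and '<resource>.<action>.all' grants every '<resource>.<action>.<STATUS>'."""
    h, w = held.split("."), wanted.split(".")
    if h == w:
        return True
    if len(h) == 2 and h[1] == "all" and w[0] == h[0]:
        return True  # e.g. invoice.all -> invoice.update.SCHEDULED
    if len(h) == 3 and h[2] == "all" and w[:2] == h[:2]:
        return True  # e.g. invoice.view.all -> invoice.view.DRAFT
    return False

def has_permission(roles: Dict[str, Set[str]], role: str, wanted: str) -> bool:
    return any(grants(p, wanted) for p in roles.get(role, set()))

def sod_violations(roles: Dict[str, Set[str]]) -> List[str]:
    """Roles that can both approve and schedule invoices (segregation of duties)."""
    return sorted(r for r in roles
                  if has_permission(roles, r, "invoice.update.APPROVED")
                  and has_permission(roles, r, "invoice.update.SCHEDULED"))

def missing_view(roles: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """(role, view permission) pairs where a role can change what it cannot see.
    Assumption: update/edit need the resource's view permission; status-specific
    create/update need view of that status."""
    out = []
    for role, perms in roles.items():
        for p in perms:
            parts = p.split(".")
            if len(parts) == 3 and parts[1] in ("create", "update"):
                needed = f"{parts[0]}.view.{parts[2]}"
            elif len(parts) == 2 and parts[1] in ("update", "edit"):
                needed = f"{parts[0]}.view"
            else:
                continue
            if not has_permission(roles, role, needed):
                out.append((role, needed))
    return sorted(out)
```

Running the two audits over ROLES flags AP Admin both for holding approve and schedule together and for being able to edit counterparties it cannot view.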

Mercoa’s RBAC system offers significant flexibility and control. By leveraging Roles and the comprehensive list of Permissions thoughtfully, and following best practices like the principle of least privilege, you can precisely define user capabilities, streamline workflows, and enhance the security of your AP operations. Careful role design is key to maximizing the benefits of this system.